> On Mon, 24 Jan 2000, Matthew Brealey wrote:
>
> >>> Any scripts that perform validation are suddenly no longer able to
> >>> rely on the fact that elements are only displayed when
> >>> appropriate.
> >> Client-side scripts should not be used for validation.
> > Not strictly true IMO - you should use them to filter out the 'no
> > brainers', but some data require additional server-side validation.
>
> No. Client-side scripts should *absolutely* *never* be used for
> validation. If they are used to simplify the user's life (e.g.,
> checking dates are valid and popping up a dialog if they are not) then
> the checking should *still* be done on the server.
>
> Basically, authors can *never* rely on *anything* happening on the
> client side. They *must* expect to receive garbage input.

A site must do complete server-side validation to avoid processing bad or malicious data in a dangerous way. That's a crucial security measure.

But a site may validate client-side too, for the user's convenience. It's a duplication of effort, but it can be worth the time.

--
Jason Orendorff

Received on Monday, 24 January 2000 11:41:19 GMT
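The point made in this thread, as an added example that is not code from the message or its participants: a server-side validator that re-applies every rule, including the rule that a conditionally displayed field is only accepted when its condition holds. The form, its field names (`name`, `delivery`, `ship_date`) and the limits are assumptions made for the illustration.

```python
from datetime import date

# Hypothetical form: field names and rules are assumptions for this example.
ALLOWED_FIELDS = {"name", "delivery", "ship_date"}
DELIVERY_CHOICES = {"pickup", "post"}
MAX_NAME_LEN = 80


def validate_order(form, today):
    """Validate an untrusted form submission (dict of str -> str).

    Returns (cleaned, errors). Nothing a client-side script may have
    checked or hidden is assumed; every rule is re-applied here.
    """
    errors, cleaned = {}, {}

    # Reject fields the form never defined instead of silently using them.
    for key in form:
        if key not in ALLOWED_FIELDS:
            errors[key] = "unexpected field"

    name = form.get("name", "").strip()
    if not name or len(name) > MAX_NAME_LEN or not name.isprintable():
        errors["name"] = "required, printable, at most %d characters" % MAX_NAME_LEN
    else:
        cleaned["name"] = name

    delivery = form.get("delivery", "")
    if delivery not in DELIVERY_CHOICES:
        errors["delivery"] = "must be one of: " + ", ".join(sorted(DELIVERY_CHOICES))
    else:
        cleaned["delivery"] = delivery

    # The client only displays ship_date when delivery == "post", but a
    # request can carry it anyway, so the condition is enforced here.
    raw_date = form.get("ship_date", "")
    if delivery == "post":
        try:
            ship = date.fromisoformat(raw_date)  # rejects e.g. 2000-02-30
        except ValueError:
            errors["ship_date"] = "must be a real calendar date"
        else:
            if ship < today:
                errors["ship_date"] = "must not be in the past"
            else:
                cleaned["ship_date"] = ship
    elif raw_date:
        errors["ship_date"] = "only accepted when delivery is post"

    # Return no usable data at all if any rule failed.
    return (cleaned if not errors else {}), errors
```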