client/server side validation in book, Adv Java Server Pages by DM Geary

 
Greenhorn
It is mentioned in the book that not only client side validation using JavaScript should be implemented but also server side validation, because there's no guarantee that JavaScript is enabled in the user's browser.
Having both validations is understandable for redundancy purposes (and also for performance), but it seems implied that JavaScript has been disabled in some users' browsers. Is there any good reason for disabling JavaScript? E.g. performance issues, security, conflicts, etc.? Why is 'JavaScript-enabling' optional?
Just interested and thanks in advance.
 
sharp shooter, and author
For exactly the reasons that you mentioned, in addition to the various versions of JavaScript that are currently floating around the web.
Simon
 
Ranch Hand
A user with JavaScript enabled can also delete the call to the onSubmit event handler in the HTML form sent by the server.
You just have to delete the call to the JavaScript event handler in some editor. If the URL is relative there are ways to ascertain the absolute URL.
Axel
 
boyte silverio
Greenhorn
The main thing I'd like to know is why 'JavaScript' is disabled in some users' browsers (as mentioned in the book). Does JavaScript have any negative impact on performance that it needs to be disabled? Does it come into conflict with some programs that it needs to be disabled? Or kindly explain the reasons which make some users disable JavaScript.
 
Sheriff
I can think of several situations where you can't rely on JavaScript validation.
  • The browser simply doesn't support it! Although the main desktop browsers support JavaScript, many people view pages using text-only browsers such as Lynx; embedded browsers in small devices such as phones or PDAs; or page viewers built into other software (e.g. help systems in IDEs). Some or all of these may not support JavaScript.
  • Someone is attempting to "crash" or "hack in to" your web application, either maliciously, or through curiosity. Turning off JavaScript and its validation is a great way to try out dangerous mode and parameter combinations. Believe me, this does happen.
  • Someone is using an automated tool to "screen scrape" pages, submit forms in bulk, run acceptance/performance tests on your site or whatever. There are lots of tools to do this sort of thing, and it's usually much simpler not to bother with JavaScript support.
  • The user is a developer who has been testing another site to see how it behaves with JavaScript disabled, and has forgotten to turn it back on again.
  • The user is just "ornery", and dislikes JavaScript for some (often imagined) reason.

The bottom line is that you need to make sure that any web site works well, and has no security holes, even if JavaScript is disabled. Relying on JavaScript (or Java applets, or Flash, etc.) for important features like navigation and validation leaves you wide open to losing visitors, hacking, or both.
     
Ranch Hand
Many thanks for your inputs, guys.
     
Ranch Hand
Always go with server side validation. It's much more secure and your network/security guys will love you for it. If possible, use both because a trip to the server is costly when the user forgot to fill out their name. So you could use client side JavaScript for the simple things such as "have all fields been completed?" but you'll use server side validation for the "real" validation of items (valid CC numbers, passwords, etc.) given by the user or hacker/cracker.
     
    reply
      Bookmark Topic Watch Topic
    • New Topic
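What the replies above describe, as an added example that is not part of the original thread: a server-side check that re-validates every field no matter what the browser's JavaScript did or did not do. The class name, the field names `name` and `cardNumber`, and the length limits are assumptions; the input map has the shape returned by `ServletRequest.getParameterMap()`.

```java
import java.util.LinkedHashMap;
import java.util.Map;

// Hypothetical validator; field names "name" and "cardNumber" are assumptions.
public class OrderFormValidator {
    // Returns field -> error message; an empty map means the submission is acceptable.
    public static Map<String, String> validate(Map<String, String[]> params) {
        Map<String, String> errors = new LinkedHashMap<>();
        String name = first(params, "name");
        if (name == null || name.trim().isEmpty()) {
            errors.put("name", "required");
        } else if (name.length() > 100) {
            errors.put("name", "too long");
        }
        String card = first(params, "cardNumber");
        if (card == null || !card.matches("[0-9]{13,19}")) {
            errors.put("cardNumber", "must be 13-19 digits");
        } else if (!luhnValid(card)) {
            errors.put("cardNumber", "checksum failed");
        }
        return errors;
    }

    // A parameter may be absent or repeated; anything but exactly one value counts as missing.
    private static String first(Map<String, String[]> p, String key) {
        String[] v = p.get(key);
        return (v == null || v.length != 1) ? null : v[0];
    }

    // Luhn checksum: double every second digit from the right, then total % 10 must be 0.
    static boolean luhnValid(String digits) {
        int sum = 0;
        boolean dbl = false;
        for (int i = digits.length() - 1; i >= 0; i--) {
            int d = digits.charAt(i) - '0';
            if (dbl) { d *= 2; if (d > 9) d -= 9; }
            sum += d;
            dbl = !dbl;
        }
        return sum % 10 == 0;
    }

    public static void main(String[] args) {
        // Constructed request: what arrives when the onSubmit check was removed or never ran.
        Map<String, String[]> bypassed = new LinkedHashMap<>();
        bypassed.put("name", new String[] {""});
        bypassed.put("cardNumber", new String[] {"4111111111111112"});
        System.out.println(validate(bypassed));
    }
}
```

In a servlet or JSP the same map would come from the request object, and the form would be redisplayed with the returned errors instead of being processed.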