
client/server side validation in book, Adv Java Server Pages by DM Geary

boyte silverio

Joined: Aug 28, 2002
Posts: 4
It is mentioned in the book that not only client side validation using JavaScript should be implemented but also server side validation, because there's no guarantee that JavaScript is enabled in the user's browser.
Having both validations is understandable for redundancy purposes (and also for performance), but it seems implied that JavaScript has been disabled in some users' browsers. Is there any good reason for disabling JavaScript? E.g. performance issues, security, conflicts, etc.? Why is 'javascript-enabling' optional?
Just interested and thanks in advance.
Simon Brown
sharp shooter, and author
Ranch Hand

Joined: May 10, 2000
Posts: 1913
For exactly the reasons that you mentioned, in addition to the various versions of JavaScript that are currently floating around the web.
Axel Janssen
Ranch Hand

Joined: Jan 08, 2001
Posts: 2164
A user with JavaScript enabled can also delete the call to the onSubmit event handler in the HTML form sent by the server.
You just have to delete the call to the JavaScript event handler in some editor. If the URL is relative there are ways to ascertain the absolute URL.
boyte silverio

Joined: Aug 28, 2002
Posts: 4
The main thing I'd like to know is why 'javascript' is disabled in some users' browsers (as mentioned in the book). Does JavaScript have any negative impact on performance that it needs to be disabled? Does it come into conflict with some programs that it needs to be disabled? Or kindly explain reasons which make some users disable JavaScript?
Frank Carver

Joined: Jan 07, 1999
Posts: 6920
I can think of several situations where you can't rely on JavaScript validation.
  • The browser simply doesn't support it! Although the main desktop browsers support JavaScript, many people view pages using text-only browsers such as Lynx; embedded browsers in small devices such as phones or PDAs; or page viewers built into other software (e.g. help systems in IDEs). Some or all of these may not support JavaScript.
  • Someone is attempting to "crash" or "hack in to" your web application, either maliciously, or through curiosity. Turning off JavaScript and its validation is a great way to try out dangerous mode and parameter combinations. Believe me, this does happen.
  • Someone is using an automated tool to "screen scrape" pages, submit forms in bulk, run acceptance/performance tests on your site or whatever. There are lots of tools to do this sort of thing, and it's usually much simpler not to bother with JavaScript support.
  • The user is a developer who has been testing another site to see how it behaves with JavaScript disabled, and has forgotten to turn it back on again.
  • The user is just "ornery", and dislikes JavaScript for some (often imagined) reason.

The bottom line is that you need to make sure that any web site works well, and has no security holes, even if JavaScript is disabled. Relying on JavaScript (or Java applets, or Flash, etc.) for important features like navigation and validation leaves you wide open to losing visitors, hacking, or both.

Read about me at ~ Raspberry Alpha Omega ~ Frank's Punchbarrel Blog
boyet silverio
Ranch Hand

Joined: Aug 28, 2002
Posts: 173
Many thanks for your inputs, guys.
Chris Stewart
Ranch Hand

Joined: Sep 14, 2002
Posts: 184
Always go with server side validation. It's much more secure and your network/security guys will love you for it. If possible, use both because a trip to the server is costly when the user forgot to fill out their name. So you could use client side javascript for the simple things such as "have all fields been completed?" but you'll use server side validation for the "real" validation of items (valid CC numbers, passwords, etc) given by the user or hacker/cracker.
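
The point the replies above converge on, as an added example that is not part of the thread or the book: the server repeats every check on the submitted parameters, because the browser's JavaScript may never have run. The parameter map has the same shape as `ServletRequest.getParameterMap()`; the class name, the field names `name` and `card`, and the length limits are assumptions made for illustration.

```java
import java.util.*;

// Added example; class name, field names "name"/"card" and limits are hypothetical.
public class ServerSideValidation {
    // Same shape as ServletRequest.getParameterMap(): a client can repeat
    // or omit any parameter, so every value arrives as an array.
    static List<String> validate(Map<String, String[]> params) {
        List<String> errors = new ArrayList<>();
        String name = single(params, "name", errors);
        String card = single(params, "card", errors);
        if (name != null && (name.trim().isEmpty() || name.length() > 100))
            errors.add("name: must be 1-100 characters");
        if (card != null && !luhnValid(card))
            errors.add("card: not a valid card number");
        return errors;
    }

    // Require exactly one value; missing and repeated parameters are rejected.
    static String single(Map<String, String[]> p, String key, List<String> errors) {
        String[] v = p.get(key);
        if (v != null && v.length == 1) return v[0];
        errors.add(key + ": expected exactly one value");
        return null;
    }

    // Luhn checksum; the 12-19 digit length range is an assumption of this example.
    static boolean luhnValid(String s) {
        if (!s.matches("[0-9]{12,19}")) return false;
        int sum = 0;
        for (int i = 0; i < s.length(); i++) {
            int d = s.charAt(s.length() - 1 - i) - '0';
            if (i % 2 == 1) { d *= 2; if (d > 9) d -= 9; }
            sum += d;
        }
        return sum % 10 == 0;
    }

    public static void main(String[] args) {
        // Constructed requests: one as a form with working client-side checks
        // would send it, one as it arrives when those checks never ran.
        Map<String, String[]> ok = new HashMap<>();
        ok.put("name", new String[] {"Ada"});
        ok.put("card", new String[] {"4111111111111111"});
        Map<String, String[]> bad = new HashMap<>();
        bad.put("name", new String[] {""});
        bad.put("card", new String[] {"1234", "4111111111111111"});
        System.out.println("ok:  " + validate(ok));
        System.out.println("bad: " + validate(bad));
    }
}
```

In a servlet the same `validate` call would run before any business logic, with the JavaScript checks kept only to save the user a round trip.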