Hi all, I have a JSP which takes some form inputs from the user and sends them to a servlet. The servlet routes them to the appropriate CRUD operation depending on the button the user selected. There is a DAO class to create the connection to the datasource. Now, where should the validations for the form inputs be done: 'client side' or 'server side'? And what do these terms mean? Is it true that if validations are done client side then there are chances of the browser ignoring them?
An important point to add here is regarding RISK. If you're building a financial site then you will most likely wish to apply validation on both ends on the most/all critical fields. If you're validating a form for something less 'security critical' then you may wish to assume that your validation on the client side will be sufficient and you'd prefer to gain performance benefits....
It's all about risk.. [ October 26, 2005: Message edited by: James Clinton ]
It's always safe to go with server-side validation.
The J2EE client, such as a JSP/servlet, should validate the data but doesn't necessarily have to. If the service has exactly one consumer and this consumer is completely controlled by you then you are safe to put 100% of the validation here and none on the server side. Alternatively, if you have many consumers and/or the consumers aren't controlled by you, such as in a web service, 100% of the validation should exist on the server regardless of what is put here.
I've found in general the server does need to do all the validation since there are some conditions, like determining if a user already exists before adding a new one, that should only be done inside the scope of a server-side transaction.
New/Old Issue related to this:
One issue that gave me a headache once was determining at which level character field length should be validated, such as name having a max length of 30. If the database is set up for a max length of 30, the database is already validating this and will never allow the transaction to complete if name is greater than 30, so the server is safe. If the HTML form is set up to only allow 30 characters in the form, then it is validating this as well. The question becomes: do any of the middle layers need to validate this, thereby adding 3+ validations for the same data? Reasons why they shouldn't include that this may be database dependent, so maintainability is a problem. Reasons why they should include that you want a clean message sent to the user indicating the precise problem, not some database exception or system error.
I always say the model has the ultimate responsibility for correctness, so it must validate the data. Looking out from the viewpoint of the model, I don't trust today's client and all possible future clients well enough to skip this responsibility. The client may duplicate those rules to improve the user experience right up to your pain threshold for duplication.
A good question is never answered. It is not a bolt to be tightened into place but a seed to be planted and to bear more seed toward the hope of greening the landscape of the idea. John Ciardi
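An added example, not part of any post in this thread: a server-side check for the 30-character name field discussed above, returning a clean per-field message instead of a database exception. The class name, the `age` field and its range are assumptions made for illustration.

```java
import java.util.LinkedHashMap;
import java.util.Map;

// Hypothetical server-side validator; all names here are assumptions.
public class UserFormValidator {
    // Mirrors the 30-character column limit used as the example in the thread.
    static final int NAME_MAX = 30;

    /** Returns field -> message for each broken rule; an empty map means valid. */
    public static Map<String, String> validate(Map<String, String> params) {
        Map<String, String> errors = new LinkedHashMap<>();

        String name = params.get("name");
        if (name == null || name.trim().isEmpty()) {
            errors.put("name", "Name is required.");
        } else if (name.length() > NAME_MAX) {
            // The HTML maxlength attribute is only a hint to the browser;
            // the server must re-check it before the DAO is called.
            errors.put("name", "Name must be at most " + NAME_MAX + " characters.");
        }

        String age = params.get("age");
        try {
            int value = Integer.parseInt(age == null ? "" : age.trim());
            if (value < 0 || value > 150) {
                errors.put("age", "Age must be between 0 and 150.");
            }
        } catch (NumberFormatException e) {
            errors.put("age", "Age must be a whole number.");
        }
        return errors;
    }

    public static void main(String[] args) {
        // Constructed parameters: a request that did not pass through the form's
        // client-side checks (over-long name, non-numeric age).
        Map<String, String> direct = new LinkedHashMap<>();
        direct.put("name", new String(new char[31]).replace('\0', 'x'));
        direct.put("age", "abc");
        System.out.println(validate(direct));

        // Constructed parameters: a well-formed submission.
        Map<String, String> ok = new LinkedHashMap<>();
        ok.put("name", "Alice");
        ok.put("age", "34");
        System.out.println(validate(ok).isEmpty() ? "valid" : "invalid");
    }
}
```

In a servlet, the map would be built from `request.getParameter(...)` values and the DAO called only when the returned map is empty.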
Hi, I'm only 2 weeks with JSP and Servlets... I find using the memento pattern useful for validations using a java bean to do the work... Here is the link... Hope that helps... [ October 28, 2005: Message edited by: Timothy Sam ]