JavaScript: Client-Side Vs. Server-Side Validation

As others have said, you should do both. Here's why:

Client Side

You want to validate input on the client side first because you can give better feedback to the average user. For example, if they enter an invalid email address and move to the next field, you can show an error message immediately. That way the user can correct every field before they submit the form.

If you only validate on the server, they have to submit the form, get an error message, and try to hunt down the problem.

(This pain can be eased by having the server re-render the form with the user's original input filled in, but client-side validation is still faster.)

Server Side

You want to validate on the server side because you can protect against the malicious user, who can easily bypass your JavaScript and submit dangerous input to the server.

It is very dangerous to trust your UI. Not only can they abuse your UI, but they may not be using your UI at all, or even a browser. What if the user manually edits the URL, or runs their own JavaScript, or tweaks their HTTP requests with another tool? What if they send custom HTTP requests from curl or from a script, for example?

(This is not theoretical; e.g., I worked on a travel search engine that re-submitted the user's search to many partner airlines, bus companies, etc., by sending POST requests as if the user had filled in each company's search form, then gathered and sorted all the results. Those companies' form JS was never executed, and it was crucial for us that they provide error messages in the returned HTML. Of course, an API would have been nice, but this was what we had to do.)

Not allowing for that is not only naive from a security standpoint, but also non-standard: a client should be allowed to send HTTP by whatever means they wish, and you should respond correctly. That includes validation.

Server side validation is also important for compatibility - not all users, even if they're using a browser, will have JavaScript enabled.

Addendum - December 2016

There are some validations that can't even be properly done in server-side application code, and are utterly impossible in client-side code, because they depend on the current state of the database. For example, "nobody else has registered that username", or "the blog post you're commenting on still exists", or "no existing reservation overlaps the dates you requested", or "your account balance still has enough to cover that purchase." Only the database can reliably validate data which depends on related data. Developers regularly screw this up, but PostgreSQL provides some good solutions.
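The split the answer above describes, as an added example that is not code from the answer: one validator shared by the browser (instant feedback on blur) and the server (the check a curl user cannot skip). The field names, the rules and the two sample request bodies are constructed for this illustration.

```javascript
// Added example (not code from the answer above): one validator shared by the
// browser and the server, and a server handler that re-runs it on the raw
// request body. Field names, rules and the sample requests are constructed.

const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
const USERNAME_RE = /^[a-z0-9_]{3,20}$/;

// Pure function, so the identical rules run in the browser (fast feedback)
// and on the server (the only place an attacker cannot skip them).
function validateRegistration(fields) {
  const errors = {};
  // A real form submit sends strings, but a hand-made JSON body can send
  // arrays, objects, numbers or null, so check the type before the value.
  if (typeof fields.email !== 'string' || !EMAIL_RE.test(fields.email)) {
    errors.email = 'must be a valid email address';
  }
  if (typeof fields.username !== 'string' || !USERNAME_RE.test(fields.username)) {
    errors.username = 'must be 3-20 lowercase letters, digits or underscores';
  }
  // Accept "34" (form) or 34 (JSON) but not [34]: String([34]) is "34",
  // which is exactly the kind of coercion a tampered request exploits.
  const ageText = typeof fields.age === 'number' ? String(fields.age) : fields.age;
  if (typeof ageText !== 'string' || !/^\d{1,3}$/.test(ageText) || Number(ageText) < 18) {
    errors.age = 'must be a whole number of 18 or more';
  }
  return errors;
}

// Client side: run on blur so the message appears before the form is sent.
// Returns the text to render next to the field, or null if it is fine.
function onFieldBlur(formFields, fieldName) {
  return validateRegistration(formFields)[fieldName] || null;
}

// Server side: takes the body exactly as parsed off the wire and assumes
// nothing about what the client did. A curl user never ran onFieldBlur.
function handleRegistration(body) {
  if (body === null || typeof body !== 'object' || Array.isArray(body)) {
    return { status: 400, errors: { body: 'expected a JSON object' } };
  }
  const errors = validateRegistration(body);
  if (Object.keys(errors).length > 0) {
    return { status: 400, errors };
  }
  // Only correctly typed, validated values reach the persistence layer.
  return {
    status: 201,
    user: { email: body.email, username: body.username, age: Number(body.age) },
  };
}

// Constructed requests: what the form sends, and what a script might send.
const fromBrowserForm = { email: 'ann@example.com', username: 'ann_01', age: '34' };
const fromCurl = { email: ['ann@example.com'], username: 'ann_01', age: [34] };
console.log(handleRegistration(fromBrowserForm)); // status 201
console.log(handleRegistration(fromCurl));        // status 400, errors on email and age
```

The type checks are the part people forget: a form can only ever post strings, but a JSON body posted from a script can carry an array or an object in the same field, and a validator written with only the form in mind will happily coerce it.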
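The addendum's point that "nobody else has registered that username" can only be settled by the database, as an added example that is not code from the answer. The `Store` class is a constructed in-memory stand-in for a table; its `insertUserUnique()` mimics a UNIQUE constraint by checking and writing in one indivisible step, while the naive path does the check in application code and then inserts. Two concurrent registrations of the same name show the difference.

```javascript
// Added example (not code from the answer above): why "nobody else has that
// username" cannot be settled in application code. Store is a constructed
// in-memory stand-in for a database table; insertUserUnique() mimics a
// UNIQUE constraint by checking and writing in one indivisible step.

class Store {
  constructor() { this.rows = []; }

  // Like a SELECT: resolves asynchronously, as a real query would.
  async findUser(username) {
    return this.rows.find((r) => r.username === username) || null;
  }

  // Table without a constraint: the INSERT never refuses a duplicate.
  async insertUser(username) {
    this.rows.push({ username });
  }

  // Table with UNIQUE (username): the check and the write are one step,
  // which the database's index guarantees and application code cannot.
  async insertUserUnique(username) {
    if (this.rows.some((r) => r.username === username)) {
      throw new Error('unique_violation');
    }
    this.rows.push({ username });
  }

  countUsers(username) {
    return this.rows.filter((r) => r.username === username).length;
  }
}

// Check-then-insert in application code: fine for one request at a time,
// wrong as soon as two requests interleave between the SELECT and the INSERT.
async function registerNaive(db, username) {
  if (await db.findUser(username)) {
    return { ok: false, reason: 'username taken' };
  }
  await db.insertUser(username);
  return { ok: true };
}

// Let the constraint decide, and turn its error into the form message.
async function registerWithConstraint(db, username) {
  try {
    await db.insertUserUnique(username);
    return { ok: true };
  } catch (err) {
    if (err.message === 'unique_violation') {
      return { ok: false, reason: 'username taken' };
    }
    throw err;
  }
}

// Two concurrent registrations of the same name against a fresh store.
async function raceRegistrations(registerFn) {
  const db = new Store();
  const results = await Promise.all([
    registerFn(db, 'alice'),
    registerFn(db, 'alice'),
  ]);
  return {
    accepted: results.filter((r) => r.ok).length,
    rows: db.countUsers('alice'),
  };
}

raceRegistrations(registerNaive).then((r) => console.log('naive', r));               // accepted 2, rows 2
raceRegistrations(registerWithConstraint).then((r) => console.log('constraint', r)); // accepted 1, rows 1
```

Both naive requests pass the `findUser` check before either reaches `insertUser`, so two rows land in the table; with the constraint the second insert fails and the handler turns that failure into the same "username taken" message. The real-world counterparts in PostgreSQL are `UNIQUE` for the username, an `EXCLUDE` constraint over a date range for the overlapping-reservation case, and a `CHECK (balance >= 0)` for the purchase case: the write itself fails, and the handler maps the error to feedback.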

Why do we need both client side and server side validation?

Client-side validation just keeps the client from going "but I filled this all in and it didn't tell me anything!". It's not actually mandatory, and in reality, client-side validation is a very new thing (read: 5 years old or less). In practice, all it does is let your client (with JS enabled) know whether the form is okay before reloading a page.
If AJAX is in the game, it is different - it allows you to save bandwidth as well as to provide the user with feedback before submission.
Finally, if you're building strictly client-side, peer-to-peer exchange apps (think games), you'll want client-side validation to keep the clients from cheating.

Server-side validation is also crucial due to the fact that client-side validation can be completely bypassed by turning off JavaScript. In a way, JS-driven validation is a convenience and an aesthetic/cosmetic improvement and should not be relied upon. Furthermore, it is trivial to edit the source of a page locally in order to disable or bypass even the most complex of JS validation.

What could a user do if you do not server-side validate? Anything, depending on how you use their data. You could be allowing users to drop entire databases (or worse, leak them), modify anything they like (or worse, read anything they like. Directory traversal flaws are extremely common entrance points for naughty people), and elevate their privileges at will. Do you want to run this risk? Not validating user input is like trusting people and not installing locks on your house.

Validate forms on both sides or only in the server side?

Cybercreeps can attack your server-side applications with maliciously crafted requests. They don't have to use your client side code to do this, instead they can hack together their own client side scripts. Therefore, your server code MUST do all validation necessary to protect your application against attack. It CANNOT rely on client side validation for security and integrity.

Your client side application can also validate its inputs. For example, it can warn the user if they put their given name into a date field, or make other similar mistakes. You do this as a courtesy to your user, to make your app easier to use.

Should input validation be client-side or server-side for Enterprise applications?

Always validate all user data on the server side. Like in ALWAYS and ALL.

Client side validation is only for UX.

Edit: added all.

P.S.: You can't trust the user

P.P.S.: You cannot trust the user!!! It might not even be a user sitting at his desk in front of the screen. It might just be a piece of software that tries to breach your form. And by "it might" I really mean it will! There are thousands of crawlers out there that will eventually attack your system.

When does server side validation run? When does client side validation run?

If you had both client-side and server-side validation, you would validate your data on the client, and if it passes validation, send it to the server which would then validate it even further.

An example would be credit card data in which you may check the format and length of the credit card number on the client first and on the server check the length and format again, but also attempt to process the payment. If the user doesn't have the necessary funds you would then respond to the client with an error so that you can show them some feedback.
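The credit-card flow described above, as an added example that is not code from the answer: format and length (with the Luhn check digit) on the client, the same checks again on the server, and only then the stateful step whose result is mapped back into feedback. The card numbers, the balance table and `fakeProcessor()` are constructed stand-ins, not a real payment gateway.

```javascript
// Added example (not code from the answer above): the layered credit-card
// flow described. The Luhn check is the standard card check digit; the
// card numbers, balances and fakeProcessor() are constructed stand-ins,
// not a real payment gateway.

// Luhn check digit. Runs in the browser for instant feedback and again on
// the server, where it is the check that actually counts.
function luhnValid(digits) {
  let sum = 0;
  let doubleIt = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (doubleIt) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
    doubleIt = !doubleIt;
  }
  return sum % 10 === 0;
}

// Format and length: what the client checks before submitting, and what the
// server re-checks because it cannot know the client did.
function cardFormatError(raw) {
  if (typeof raw !== 'string') return 'card number must be text';
  const digits = raw.replace(/[ -]/g, '');
  if (!/^\d{12,19}$/.test(digits)) return 'card number must be 12 to 19 digits';
  if (!luhnValid(digits)) return 'card number failed its check digit';
  return null;
}

// Stand-in for the processor: one constructed account with a balance in cents.
const balances = { '4242424242424242': 10000 };
function fakeProcessor(pan, amountCents) {
  if (!(pan in balances)) return { ok: false, reason: 'card declined' };
  if (balances[pan] < amountCents) return { ok: false, reason: 'insufficient funds' };
  balances[pan] -= amountCents;
  return { ok: true, receipt: { pan: '****' + pan.slice(-4), amountCents } };
}

// Server handler: cheap local checks first, the stateful call only afterwards,
// and the processor's answer mapped back into feedback for the form.
function chargeCard(body) {
  if (body === null || typeof body !== 'object') {
    return { status: 400, error: 'expected a JSON object' };
  }
  const formatError = cardFormatError(body.card);
  if (formatError) return { status: 400, error: formatError };
  if (!Number.isInteger(body.amountCents) || body.amountCents <= 0) {
    return { status: 400, error: 'amount must be a positive whole number of cents' };
  }
  const result = fakeProcessor(body.card.replace(/[ -]/g, ''), body.amountCents);
  if (!result.ok) return { status: 402, error: result.reason }; // 402 Payment Required
  return { status: 200, receipt: result.receipt };
}

console.log(chargeCard({ card: '4242 4242 4242 4241', amountCents: 500 }));   // 400, check digit
console.log(chargeCard({ card: '4242 4242 4242 4242', amountCents: 20000 })); // 402, insufficient funds
console.log(chargeCard({ card: '4242 4242 4242 4242', amountCents: 2500 }));  // 200
```

The ordering matters for more than correctness: a request that fails the local checks never costs a round trip to the processor, and a request that reaches the processor has already been shown to be well-formed, so the only errors left to map are the ones the server genuinely could not know in advance.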

When To Do Client Or Server Side Validation

The short answer is: Do the server side validation. (Period)

In fact, you have to do server side validation. You cannot trust client side validation, since the code runs on the client's computer and the user can modify your JavaScript code via the developer tools found in all browsers.


