[whatwg] Client-side verification will never work in the real world

Jason Lustig jasonlustig at adelphia.net
Mon Jun 28 21:08:13 PDT 2004


Hi y'all

I just recently read through the Web Forms 2.0 spec draft. I must say, 
it looks awesome, very exciting from the POV of a web app developer 
(i.e. me), and it would definitely make writing web apps SO much easier 
with these extensions.

However - I am a believer that client-side form verification - while a 
nice trick that will take care of most users - never will work with 
real-world, open (i.e. anyone can access them) web apps, like 
BBSes/forums/blogs.

The reason is this: if the only verification going on is on the client 
side, while it sure makes it easier for the developer, if a hacker 
simply used a user-agent that didn't verify data integrity (they 
wouldn't necessarily have to write a new one from scratch either - like, 
say, they could hack Mozilla to take out the verification code), they 
could send in garbage and mess up the database.

Oops! There goes all the data...

--Jason
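
The risk described in the message is handled by having the server repeat every declared constraint on each request, whatever the client did. The following is an added example, not part of the original message or of the Web Forms 2.0 draft; the form fields, limits and the `validate` helper are assumptions made for illustration.

```python
import re

# Hypothetical schema for a forum post form; each rule mirrors a constraint the
# markup would declare for the browser (required, maxlength, pattern, min/max).
POST_FORM = {
    "username": {"required": True, "maxlength": 20, "pattern": r"[A-Za-z0-9_]{3,20}"},
    "age":      {"required": False, "type": int, "min": 13, "max": 120},
    "body":     {"required": True, "maxlength": 2000},
}

def validate(form, schema=POST_FORM):
    """Return (clean, errors). The server runs this on every request,
    whether or not the client claims to have validated already."""
    clean, errors = {}, {}
    for name in form:                      # reject fields the form never had
        if name not in schema:
            errors[name] = "unexpected field"
    for name, rule in schema.items():
        raw = form.get(name, "")
        if not isinstance(raw, str):       # e.g. a repeated parameter parsed as a list
            errors[name] = "must be a single text value"
            continue
        if raw == "":
            if rule.get("required"):
                errors[name] = "required"
            continue
        if len(raw) > rule.get("maxlength", 4096):
            errors[name] = "too long"
            continue
        if "pattern" in rule and not re.fullmatch(rule["pattern"], raw):
            errors[name] = "bad format"
            continue
        if rule.get("type") is int:
            if not re.fullmatch(r"-?[0-9]{1,9}", raw):
                errors[name] = "not an integer"
                continue
            value = int(raw)
            if not rule["min"] <= value <= rule["max"]:
                errors[name] = "out of range"
                continue
            clean[name] = value
        else:
            clean[name] = raw
    return (clean if not errors else {}), errors

# Constructed submissions: one as a validating browser would send it, one from
# a client that skipped every client-side check.
GOOD = {"username": "jason_l", "age": "30", "body": "Hello"}
BAD = {"username": "x" * 500, "age": "-1", "body": "", "is_admin": "1"}
```

Only the `clean` dictionary should reach the database layer, and it is empty whenever any field fails.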


