[whatwg] Client-side verification will never work in the real world
Ryan Johnson
ryan at kiwi3.com
Mon Jun 28 21:22:11 PDT 2004
I have to agree whole heartedly. It's a good idea, but will only lead
to repetition by web developers. For even the simplest tasks, I always
do server-side verification of the type and validity of the data. I
say, let javascript or something else take care of client side
verification *if* someone wants it as a first pass. Cluttering the
language with a long list of other non-vital capabilities will lead to
a fragmented implimentation of said language by the various browser
makers leading us back to the present day mess of "maybe it'll work in
browser X, maybe it won't". - Ryan
On Jun 28, 2004, at 9:08 PM, Jason Lustig wrote:
> Hi y'all
>
> I just recently read through the Web Forms 2.0 spec draft. I must say,
> it looks awesome, very exciting from the POV of a web app developer
> (i.e. me), and it would definitely make writing web apps SO much
> easier with these extensions.
>
> However - I am a believer that client-side form vefification - while a
> nice trick that will take care of most users - never will work with
> real-world, open (i.e. anyone can access them) web apps, like
> BBSes/forums/blogs.
>
> The reason is this: if the only verification going on is on the client
> side, while it sure makes it easier for the developer, if a hacker
> simply used a user-agent that didn't verify data integrity (they
> wouldn't necessarily have to write a new one from scratch either -
> like, say, they could hack mozilla to take out the verification code),
> they could send in garbage and mess up the database.
>
> Oops! There goes all the data...
>
> --Jason
>
>
More information about the whatwg
mailing list