[whatwg] Client-side verification will never work in the real world

Ryan Johnson ryan at kiwi3.com
Mon Jun 28 21:22:11 PDT 2004

I have to agree whole heartedly. It's a good idea, but will only lead 
to repetition by web developers. For even the simplest tasks, I always 
do server-side verification of the type and validity of the data. I 
say, let javascript or something else take care of client side 
verification *if* someone wants it as a first pass. Cluttering the 
language with a long list of other non-vital capabilities will lead to 
a fragmented implimentation of said language by the various browser 
makers leading us back to the present day mess of "maybe it'll work in 
browser X, maybe it won't".  - Ryan

On Jun 28, 2004, at 9:08 PM, Jason Lustig wrote:

> Hi y'all
> I just recently read through the Web Forms 2.0 spec draft. I must say, 
> it looks awesome, very exciting from the POV of a web app developer 
> (i.e. me), and it would definitely make writing web apps SO much 
> easier with these extensions.
> However - I am a believer that client-side form vefification - while a 
> nice trick that will take care of most users - never will work with 
> real-world, open (i.e. anyone can access them) web apps, like 
> BBSes/forums/blogs.
> The reason is this: if the only verification going on is on the client 
> side, while it sure makes it easier for the developer, if a hacker 
> simply used a user-agent that didn't verify data integrity (they 
> wouldn't necessarily have to write a new one from scratch either - 
> like, say, they could hack mozilla to take out the verification code), 
> they could send in garbage and mess up the database.
> Oops! There goes all the data...
> --Jason

More information about the whatwg mailing list