[whatwg] Client-side verification will never work in the real world

James Graham jg307 at cam.ac.uk
Tue Jun 29 02:52:44 PDT 2004


Jason Lustig wrote:

> Hi y'all
>
> I just recently read through the Web Forms 2.0 spec draft. I must say, 
> it looks awesome, very exciting from the POV of a web app developer 
> (i.e. me), and it would definitely make writing web apps SO much 
> easier with these extensions.
>
> However - I am a believer that client-side form verification - while a 
> nice trick that will take care of most users - never will work with 
> real-world, open (i.e. anyone can access them) web apps, like 
> BBSes/forums/blogs.
>
> The reason is this: if the only verification going on is on the client 
> side, while it sure makes it easier for the developer, if a hacker 
> simply used a user-agent that didn't verify data integrity (they 
> wouldn't necessarily have to write a new one from scratch either - 
> like, say, they could hack mozilla to take out the verification code), 
> they could send in garbage and mess up the database.

Or, more simply, they could just use an existing (non-WF2) UA.

The point of client-side validation isn't to ensure data integrity. As 
you correctly note, one can only ensure data integrity after the data 
reaches an environment that you control i.e. the server. Trusting data 
from the client is never a good idea and, apart from storing bad data, 
can lead to all sorts of security problems like SQL injection, buffer 
overruns and so on.

The point of client side validation is to improve the user experience. 
Trips to the server aren't free and having a delay of several seconds 
between pressing submit and finding out that you forgot to fill in a 
field or misguessed the required format is annoying. Client side 
validation also reduces server load (fewer submittals are required, less 
data fails the validity checks so processor load is reduced) and allows 
user agents to present a UI that helps the user enter data of the 
correct form.

Maybe we need some language in the spec to remind people that relying on 
client side validation to ensure valid data is wrong?
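
The server-side counterpart to the point made above, as an added example that is not part of the original message: every request is re-validated on the server and stored through bound SQL parameters, whatever the user agent did or did not check. The field names, rules and table are hypothetical.

```python
import re
import sqlite3

# Constructed rules mirroring what a form might declare client-side
# (required / maxlength / pattern). All names here are hypothetical.
RULES = {
    "username": {"required": True, "max_len": 20, "pattern": r"[A-Za-z0-9_]{3,20}"},
    "email": {"required": True, "max_len": 254, "pattern": r"[^@\s]+@[^@\s]+\.[^@\s]+"},
    "comment": {"required": False, "max_len": 500, "pattern": None},
}

def validate(form):
    """Return (clean, errors). Runs for every request, on the assumption
    that the user agent validated nothing."""
    clean, errors = {}, {}
    for name, rule in RULES.items():
        value = form.get(name, "")
        if not isinstance(value, str):
            errors[name] = "must be a single text value"
        elif value == "":
            if rule["required"]:
                errors[name] = "required"
            else:
                clean[name] = ""
        elif len(value) > rule["max_len"]:
            errors[name] = "too long"
        elif rule["pattern"] and not re.fullmatch(rule["pattern"], value):
            errors[name] = "bad format"
        else:
            clean[name] = value
    # Fields the form never offered are rejected rather than ignored.
    unexpected = sorted(set(form) - set(RULES))
    if unexpected:
        errors["_form"] = "unexpected fields: " + ", ".join(unexpected)
    return clean, errors

def store(db, form):
    """Validate, then insert with bound parameters so values are never
    spliced into the SQL text. Returns the error dict (empty means stored)."""
    clean, errors = validate(form)
    if not errors:
        db.execute("INSERT INTO posts (username, email, comment) VALUES (?, ?, ?)",
                   (clean["username"], clean["email"], clean["comment"]))
    return errors

def make_db():
    """In-memory database standing in for the application's real store."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE posts (username TEXT, email TEXT, comment TEXT)")
    return db
```

Format checks and parameter binding address different problems: the first keeps malformed data out of the table, the second keeps well-formed but hostile text from being interpreted as SQL.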



