A topic of concern in Linux

Kelly Prescott prescott at deltav.org
Wed Jan 21 08:07:51 EST 2004


On Tue, 20 Jan 2004, Thomas Stivers wrote:

> While I agree with you personally, you are never going to convince most
> web developers to use server-side solutions for things like data
> verification because it's more expensive in terms of bandwidth and
> processor time. If John Q. Public puts bad data in a form it makes more
> sense to produce an error before form submission than to have two
> unnecessary HTTP transfers.

You have a good point...  I worked on a contract a while ago, and the 
developer used JavaScript for all his input validation...
I warned him about the insecurity of trusting the data coming from the 
browser, but I was laughed down...
I took 10 minutes, rewrote the form, put in what I wanted, and "mined" all 
his data.
As far as I know, he still has not fixed the security problem...
In fact, there are lots of web sites that rely on JavaScript, and it is a 
relatively simple matter to change the input to whatever you want...
While it might be cool to have client-side validation, I always validate 
everything on the server...

kp
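
The server-side check both posts argue over, as an added example that is not part of the original message: a Node.js validator that re-checks a submitted form body against an allowlist, whatever the browser's JavaScript did or did not enforce. The field names, rules and sample bodies are hypothetical and constructed for illustration.

```javascript
// Added example: server-side validation of a form post (field names are hypothetical).
const RULES = {
  username: { pattern: /^[a-z0-9_]{3,20}$/ },
  age:      { pattern: /^[0-9]{1,3}$/, check: v => Number(v) >= 13 && Number(v) <= 120 },
  plan:     { pattern: /^(free|basic|pro)$/ }, // options of a <select>; a client can still send anything
};
const MAX_BODY_BYTES = 2048;
const known = name => Object.prototype.hasOwnProperty.call(RULES, name);

// Validate a raw application/x-www-form-urlencoded body exactly as received.
// Returns { ok, values, errors }; no value is handed back unless every check passes.
function validateForm(rawBody) {
  if (Buffer.byteLength(rawBody, 'utf8') > MAX_BODY_BYTES) {
    return { ok: false, values: {}, errors: ['body too large'] };
  }
  const params = new URLSearchParams(rawBody);
  const errors = [];
  const values = {};
  // Reject fields the form never had (for example a hand-added privilege flag).
  for (const name of new Set(params.keys())) {
    if (!known(name)) errors.push(`unexpected field: ${name}`);
  }
  for (const [name, rule] of Object.entries(RULES)) {
    const all = params.getAll(name);
    // Duplicate or missing parameters are an error, never "pick the first one".
    if (all.length !== 1) { errors.push(`${name}: expected exactly one value`); continue; }
    const v = all[0];
    if (!rule.pattern.test(v) || (rule.check && !rule.check(v))) {
      errors.push(`${name}: invalid value`);
      continue;
    }
    values[name] = v;
  }
  return errors.length ? { ok: false, values: {}, errors } : { ok: true, values, errors };
}

// Constructed sample bodies: one as the unmodified form would send it,
// one as it arrives after the form has been edited by hand.
const fromBrowser = 'username=kelly_p&age=34&plan=basic';
const handEdited = 'username=kelly_p&age=34&plan=admin&is_staff=1';
console.log(validateForm(fromBrowser));
console.log(validateForm(handEdited));
```

Client-side checks can stay for quick user feedback; the server's decision depends only on what this function returns.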





More information about the Speakup mailing list