A topic of concern in Linux
Kelly Prescott
prescott at deltav.org
Wed Jan 21 08:07:51 EST 2004
On Tue, 20 Jan 2004, Thomas Stivers wrote:
> While I agree with you personally, you are never going to convince most
> web developers to use server-side solutions for things like data
> verification because its more expensive in terms of bandwidth and
> processor time. If John Q. Public puts bad data in a form it makes more
> sense to produce an error before form submition than to have two
> unnecessary http transfers.
You have a good point... I worked on a contract a while ago, and the
developer used javascript for all his input validation...
I warned him about the insecurity of trusting the data coming from the
browser, but I was laughed down...
I took 10 minutes, rewrote the form, put in what I wanted, and "mined" all
his data.
As far as I know, he still has not fixed the security problem...
In fact, there are lots of web sites that rely on javascript, and it is a
relatively simple matter to change the input to what ever you want...
While it might be cool to hava clientside validation, I always validate
everything on the server...
kp
More information about the Speakup
mailing list