Noscript tag vs. server-side validation?

This is a question that hasn't directly been asked yet.
I develop for a company which serves millions of web customers per year. Many of our web applications were written years ago (and with bad practice) and rely entirely on JavaScript for the pages to work, most notably web form validation.

Recently, we've been implementing noscript tags to redirect users to an error page if they don't use JavaScript.
I am having trouble convincing anyone why server validation should occur alongside client validation instead of using noscript, given 99% of users now have JavaScript-enabled browsers.

Plus, adding in an opening and closing tag and a redirect can be developed in 5 seconds, whereas server validation requires a lot more time and money.
What are your thoughts?
What is the real advantage of server validation if we now have noscript besides the 1% of users who will just have to enable their scripting?

#0

You should always do server-side validation. Period. No question. You should never rely on the client for validation. Suppose a bot or something else makes the POSTs, bypassing both the JavaScript and the noscript tags. Another thing: not having server-side validation opens up SQL injection attacks as well.
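To make the bot scenario from this answer concrete, here is an added example (not code from the thread or from the asker's applications) of what the server sees when a script POSTs a sign-up form directly. The field names, limits, and table schema are assumptions made for the example, and the request bodies are constructed inline. The handler re-checks every rule the page's JavaScript would have applied, and the two lookup functions contrast a string-built query with a parameterised one on the same injected input.

```python
"""Added example: server-side validation of a sign-up form whose
client-side checks (JavaScript plus a <noscript> redirect) a bot can
skip entirely. Field names, limits and schema are assumptions."""
import re
import sqlite3
from urllib.parse import parse_qs

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def parse_form(body):
    """Decode a raw application/x-www-form-urlencoded body into a dict.

    This is all the server ever sees. Whether a browser ran JavaScript
    first, or was redirected by <noscript>, is invisible at this point.
    """
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def validate_signup(form):
    """Re-check the rules the client-side script would have enforced.
    Returns a list of error strings; an empty list means acceptable."""
    errors = []
    name = form.get("name", "").strip()
    if not 1 <= len(name) <= 80:
        errors.append("name: must be 1-80 characters")
    email = form.get("email", "").strip()
    if len(email) > 254 or not EMAIL_RE.match(email):
        errors.append("email: not a valid address")
    age_raw = form.get("age", "").strip()
    if not age_raw.isdigit() or not 13 <= int(age_raw) <= 120:
        errors.append("age: must be an integer between 13 and 120")
    return errors


def new_db():
    """In-memory SQLite standing in for the users table (assumed schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, email TEXT UNIQUE, age INTEGER)")
    return db


def register(db, body):
    """Handler for the sign-up POST: validate, then insert with bound
    parameters. Returns (http_status, errors)."""
    form = parse_form(body)
    errors = validate_signup(form)
    if errors:
        return 400, errors
    db.execute("INSERT INTO users VALUES (?, ?, ?)",
               (form["name"].strip(), form["email"].strip(), int(form["age"])))
    db.commit()
    return 201, []


def find_by_email_unsafe(db, email):
    """String-built query: the injection hole the answer warns about."""
    rows = db.execute("SELECT name FROM users WHERE email = '%s'" % email).fetchall()
    return [r[0] for r in rows]


def find_by_email_safe(db, email):
    """Same lookup with a bound parameter: the input can only be a value."""
    rows = db.execute("SELECT name FROM users WHERE email = ?", (email,)).fetchall()
    return [r[0] for r in rows]


# Constructed request bodies, as a script or bot would POST them
# (no browser, no JavaScript, no <noscript> redirect).
GOOD_POST = "name=Alice&email=alice%40example.com&age=34"
BAD_POST = "name=&email=not-an-email&age=abc"   # the JS validator would have blocked this
INJECTION = "' OR '1'='1"                       # classic tautology payload

if __name__ == "__main__":
    db = new_db()
    print(register(db, GOOD_POST))              # (201, [])
    print(register(db, BAD_POST))               # (400, [three errors])
    print(find_by_email_unsafe(db, INJECTION))  # ['Alice']: every row leaks
    print(find_by_email_safe(db, INJECTION))    # []
```

Note that `register` rejects the injection string as an email before it reaches any query, while the lookup functions show why validation alone is not enough: only the bound parameter makes the payload harmless once it does reach SQL.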

#1

Server validation cannot be disabled or bypassed by clients, whereas client-side validation can.

Is this an issue for you? If it's open to the public on non-protected computers, I would be astounded if it isn't an issue. If you only rely on JavaScript validation, then if someone unscrupulous bypasses this (which is easy to do), does that cause:

  • security risks
  • data integrity risks
  • reputation risks
  • financial risks

to your client.

If it does, then you need server-side validation ASAP, before someone attacks your site.

#2

Notes/Suggestions:

  • Log the number of people who hit the noscript page. Using this data, you can give a potential value for revenue not gained because of a lack of server-side validation. Bosses are usually fluent in the language of money.
  • Potential SQL injection and other security issues are also very problematic. You should at least clean your values from your form, even if you don't validate them.
  • Data integrity could be compromised. Sometimes your scripts might fail, but they'll pass the noscript check. Without server-side validation, the data has less of a guarantee to be what it should.
  • Not supporting JavaScript just looks bad for something this simple. It's honestly a reputation risk.

#3

If someone purposefully tries to break your system/website, disables JavaScript and enters some script and SQL injection things, only server-side validation can block it. It's very much needed, as per my understanding.

#4

You need not be a PRO to bypass the JavaScript validation with tools like Firebug. If you do not add server-side validation, your data integrity is at risk, which in turn would cause problems not only to your company but also to your clients. The reputation of your company is at stake here (should an attack occur, a reason/answer given to your clients like "We did not have server-side validation" would be really embarrassing, to say the least, as it is common practice to add server-side validation).
