Noscript tags vs. server-side validation?

This is a question that hasn't directly been asked yet.
I develop for a company which serves millions of web customers per year. Many of our web applications were written years ago (and with bad practice) and rely entirely on JavaScript for the pages to work, most notably web form validation.

Recently, we've been implementing noscript tags to redirect users to an error page if they don't use JavaScript.
I am having trouble convincing anyone why server validation should occur alongside client validation instead of using noscript, given 99% of users now have JavaScript-enabled browsers.

Plus, adding in an opening and closing tag and a redirect can be developed in 5 seconds, whereas server validation requires a lot more time and money.
What are your thoughts?
What is the real advantage of server validation if we now have noscript, besides the 1% of users who will just have to enable their scripting?

#0

You should always do server-side validation. Period. No question. You should never rely on the client for validation. Suppose a bot or something else makes the POSTs, bypassing both the JavaScript and the noscript tags. Another thing: not having server-side validation opens up SQL injection attacks as well.

#1

Server validation cannot be disabled or bypassed by clients, whereas client-side validation can.

Is this an issue for you? If it's open to the public on non-protected computers, I would be astounded if it isn't an issue. If you only rely on JavaScript validation, then if someone unscrupulous bypasses this (which is easy to do), does that cause:

  • security risks
  • data integrity risks
  • reputation risks
  • financial risks

to your client.

If it does, then you need server-side validation ASAP, before someone attacks your site.

#2

Notes/Suggestions:

  • Log the number of people who hit the noscript page. Using this data, you can give a potential value for revenue not gained because of a lack of server-side validation. Bosses are usually fluent in the language of money.
  • Potential SQL injection and other security issues are also very problematic. You should at least clean your values from your form, even if you don't validate them.
  • Data integrity could be compromised. Sometimes your scripts might fail, but they'll pass the noscript check. Without server-side validation, the data has less of a guarantee to be what it should.
  • Not supporting JavaScript just looks bad for something this simple. It's honestly a reputation risk.

#3

If someone purposefully tries to break your system/website, disables JavaScript and enters some script and SQL injection things, only by server-side validation can you block it. It's very much needed, as per my understanding.

#4

You need not be a PRO to bypass the JavaScript validation with tools like Firebug. If you do not add server-side validation, your data integrity is at risk, which in turn would cause problems not only to your company but also to your clients. The reputation of your company is at stake here. (Should an attack occur, a reason/answer given to your clients like "We did not have server-side validation" would be really embarrassing, to say the least, as it is common practice to add server-side validation.)
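The bypass that answers #0, #3 and #4 describe (a script or bot POSTing straight to the endpoint, so neither the JavaScript validator nor the `<noscript>` redirect ever runs) and the server-side check that stops it, as an added example that is not part of the original thread. The form fields, their rules and the two sample request bodies are assumptions made for the example; the parameterised query is only built, not executed against a database.

```javascript
// Added example, not code from the original thread. The rules below are the
// kind a client-side form script enforces, re-implemented on the server,
// where a request cannot skip them. Field names, limits and sample requests
// are assumptions.

// Validation rules for a hypothetical sign-up form.
const RULES = {
  email: {
    required: true,
    maxLength: 254,
    // Deliberately simple shape check; only a mail server decides real validity.
    pattern: /^[^\s@]+@[^\s@]+\.[^\s@]+$/,
  },
  age: { required: true, integer: true, min: 13, max: 120 },
  username: { required: true, maxLength: 32, pattern: /^[A-Za-z0-9_]+$/ },
};

// Validate an untrusted request body. Returns { ok, errors, value }.
// `value` holds only the fields declared in RULES, normalised to the types
// the rest of the application expects; unknown fields are dropped.
function validateSignup(body) {
  const errors = {};
  const value = {};
  const src = body && typeof body === 'object' ? body : {};

  for (const [field, rule] of Object.entries(RULES)) {
    let raw = src[field];
    // A scripted client can send arrays, objects or nothing where a browser
    // form would send a string, so coerce before checking anything.
    if (typeof raw !== 'string') raw = raw == null ? '' : String(raw);
    raw = raw.trim();

    if (rule.required && raw === '') { errors[field] = 'required'; continue; }
    if (rule.maxLength !== undefined && raw.length > rule.maxLength) {
      errors[field] = 'too long';
      continue;
    }
    if (rule.pattern && !rule.pattern.test(raw)) {
      errors[field] = 'invalid format';
      continue;
    }
    if (rule.integer) {
      if (!/^-?\d+$/.test(raw)) { errors[field] = 'not an integer'; continue; }
      const n = Number(raw);
      if (n < rule.min || n > rule.max) { errors[field] = 'out of range'; continue; }
      value[field] = n;
    } else {
      value[field] = raw;
    }
  }
  return { ok: Object.keys(errors).length === 0, errors, value };
}

// Build a parameterised INSERT from validated values. The values travel
// separately from the SQL text, so a quote inside a field can never change
// the statement. This is the { text, values } shape node-postgres accepts;
// it is not executed here.
function buildInsert(value) {
  return {
    text: 'INSERT INTO users (email, age, username) VALUES ($1, $2, $3)',
    values: [value.email, value.age, value.username],
  };
}

// The unsafe alternative the answers warn about, kept only for contrast:
// string concatenation lets the input rewrite the query.
function buildInsertUnsafe(value) {
  return `INSERT INTO users (email, age, username) VALUES ('${value.email}', ${value.age}, '${value.username}')`;
}

// Constructed sample requests (not real traffic). The first is what a browser
// submits after the page's JavaScript validator passed. The second is what a
// script sends with curl: no page load, so neither the JavaScript check nor
// the <noscript> redirect ever ran, and only the server can reject it.
const browserPost = { email: 'alice@example.com', age: '34', username: 'alice' };
const scriptedPost = {
  email: "x@y.z', 0, 'admin'); DROP TABLE users; --",
  age: '-1',
  username: ['admin', '1'],
};
```

The `<noscript>` element is markup inside the HTML page; a client that never requests the page never sees it, and a client that does can simply ignore it. The only code guaranteed to run for every submission is the handler on the server, which is why the validation and the parameterised query both live there rather than either one alone.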
