Why do we need both client-side and server-side validation?

Problem description:

The argument for using both client side validation (JavaScript) and server side validation using a validator is this: If the client browser does not support JavaScript, then the user cannot use client side validation.

My question is how good is this argument in practice? In theory it makes sense, but in practice, if JavaScript is disabled in the browser, then most website features will not even work. The user probably cannot even load the page without JavaScript, let alone submit a form.

Client-side validation just avoids the client from going "but I filled this all in and it didn't tell me anything!". It's not actually mandatory, and in reality, client-side validation is a very new thing (read: 5 years old or less). In practice, all it does is prevent your client (with JS enabled) from knowing whether the form is okay before reloading a page. If AJAX is in the game, it is different - it allows you to save bandwidth as well as to provide the user with feedback before submission. Finally, if you're building strictly client-side, peer-to-peer exchange apps (think games), you'll want client-side validation to keep the clients from cheating.

Server-side validation is also crucial due to the fact that client-side validation can be completely bypassed by turning off JavaScript. In a way, JS-driven validation is a convenience and an aesthetic/cosmetic improvement and should not be relied upon. Furthermore, it is trivial to edit the source of a page locally in order to disable or bypass even the most complex of JS validation.

What could a user do if you do not server-side validate? Anything, depending on how you use their data. You could be allowing users to drop entire databases (or worse, leak them), modify anything they like (or worse, read anything they like. Directory traversal flaws are extremely common entrance points for naughty people), and elevate their privileges at will. Do you want to run this risk? Not validating user input is like trusting people and not installing locks on your house.
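The two answers above make the same point from different angles: the browser-side checks are a courtesy, and the server must re-apply the rules because a request can arrive with JavaScript switched off, or with a body the form would never have produced. The following is an added example, not code from the question or the answers: a server-side signup validator written as a plain Node.js function (no framework assumed; the field names, rules and the two sample submissions are all constructed for illustration). It treats every field as an untrusted string, rejects fields the form does not define, and returns the full list of errors so they can be rendered back to the user.

```javascript
// Added example: server-side re-validation of a signup form. The rules mirror
// what a JavaScript form check would enforce in the browser, but they run on
// the server, where nothing guarantees the browser ran them at all.
const RULES = {
  username: { pattern: /^[a-z0-9_]{3,20}$/, message: "3-20 chars: a-z, 0-9, _" },
  email:    { pattern: /^[^\s@]+@[^\s@]+\.[^\s@]+$/, message: "must look like an e-mail address" },
  age:      { pattern: /^\d{1,3}$/, range: [13, 120], message: "integer between 13 and 120" },
};

// Returns [] when the body is acceptable, otherwise one message per problem.
// Unknown fields are an error too: a client cannot smuggle in extra data
// (such as a role) that the form never offered.
function validateSignup(body) {
  if (body === null || typeof body !== "object" || Array.isArray(body)) {
    return ["body must be an object"];
  }
  const errors = [];
  for (const key of Object.keys(body)) {
    if (!Object.prototype.hasOwnProperty.call(RULES, key)) {
      errors.push(`unexpected field: ${key}`);
    }
  }
  for (const [field, rule] of Object.entries(RULES)) {
    const raw = body[field];
    if (typeof raw !== "string") { errors.push(`${field}: missing`); continue; }
    if (!rule.pattern.test(raw)) { errors.push(`${field}: ${rule.message}`); continue; }
    if (rule.range) {
      const n = Number(raw); // pattern already guarantees plain digits
      if (n < rule.range[0] || n > rule.range[1]) errors.push(`${field}: ${rule.message}`);
    }
  }
  return errors;
}

// Constructed submissions: one that a JS-validated form would send, and one
// that a client with JS disabled (or a request tool) can send instead.
const fromForm = { username: "alice_01", email: "alice@example.com", age: "30" };
const bypassed = { username: "../../secret", email: "x", age: "-1", role: "admin" };

module.exports = { RULES, validateSignup, fromForm, bypassed };
```

Running `validateSignup(bypassed)` yields four errors (bad username, bad email, bad age, unexpected `role` field), which is exactly the outcome the browser check would have prevented only if it had been allowed to run.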