Should you do validation on the server side?

Browser/client-side validation is a convenience. You cannot rely on it. You absolutely need to duplicate any client-level validation with server-side validation.


Well, fine, all YOUR code is correct. What happens when a hacker replaces your JavaScript with one of their liking, or just plain submits POSTs and GETs as if it were your code?

Validating at the client is a usability issue.

Validating at the point of USAGE is a security issue.

That last point is important, because if you do not validate at the point of usage, you are making your code highly coupled. If you change a module, it breaks things elsewhere because you validated at the wrong point.

For instance, you validate data against SQL injection before storing in a SQL database -- the library will do that for you if you choose a good one. You validate data against CSS when you display it as HTML. But if you expose the data as XML, RSS or JSON, then the validation is different -- if you validated it just at input, you wouldn't prevent exploits for the other formats, AND your input routine would be tied to the output formats you choose.
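A worked illustration of the "validate at the point of usage" argument above, added here as an example rather than taken from the answer: the same stored string is bound as a SQL parameter on the way in, kept unmodified in the database, and encoded differently for each output context (HTML, JSON, XML) on the way out. The `UNTRUSTED` sample value, the `comments` table and the function names are constructed for this example. The last function shows what goes wrong when you escape for HTML at input time and then serve the data as JSON: the JSON consumer receives corrupted text.

```python
import html
import json
import sqlite3
from xml.sax.saxutils import escape as xml_escape

# Constructed sample: what a user might type into a comment box. It carries
# both HTML markup and a SQL-looking fragment so each layer's handling is visible.
UNTRUSTED = "<script>alert(1)</script> Robert'); DROP TABLE comments;--"


def store_comment(conn: sqlite3.Connection, text: str) -> int:
    """Store untrusted text. Parameter binding keeps the value out of the SQL
    grammar; the text itself is stored exactly as received, not escaped."""
    conn.execute(
        "CREATE TABLE IF NOT EXISTS comments (id INTEGER PRIMARY KEY, body TEXT)"
    )
    cur = conn.execute("INSERT INTO comments (body) VALUES (?)", (text,))
    conn.commit()
    return cur.lastrowid


def load_comment(conn: sqlite3.Connection, row_id: int) -> str:
    row = conn.execute("SELECT body FROM comments WHERE id = ?", (row_id,)).fetchone()
    return row[0]


# One encoder per output context; each is applied only where that context begins.
def render_html(text: str) -> str:
    return html.escape(text, quote=True)


def render_json(text: str) -> str:
    return json.dumps({"body": text})


def render_xml(text: str) -> str:
    return f"<comment>{xml_escape(text)}</comment>"


def round_trip() -> dict:
    """Store once, emit in three formats; report what each consumer sees."""
    conn = sqlite3.connect(":memory:")
    rid = store_comment(conn, UNTRUSTED)
    stored = load_comment(conn, rid)
    table_rows = conn.execute("SELECT COUNT(*) FROM comments").fetchone()[0]
    return {
        "stored_unchanged": stored == UNTRUSTED,
        "table_rows": table_rows,  # the DROP TABLE text never ran as SQL
        "html": render_html(stored),
        "json_body": json.loads(render_json(stored))["body"],
        "xml": render_xml(stored),
    }


def escaped_at_input_then_served_as_json() -> str:
    """The anti-pattern: HTML-escape on input, then expose via JSON. The JSON
    consumer gets '&lt;script&gt;...' instead of the text the user entered."""
    stored = html.escape(UNTRUSTED, quote=True)  # wrong layer for this encoding
    return json.loads(render_json(stored))["body"]
```

Run `round_trip()` to see the stored value survive intact while each renderer neutralises it for its own format; `escaped_at_input_then_served_as_json()` returns a value that no longer equals what was submitted, which is the coupling the answer warns about.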


I always view it as

  • Client validation is for usability
  • Server validation is for security.

Yes, you should always do server-side validation. JavaScript/AJAX is nice to give the user instant feedback, but it isn't giving you any protection whatsoever on the server side.

You just can't trust user input. Javascript validation is too easy to circumvent. Thus, you need to check the input on the server side.
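As an added example (not code from any of the answers above) of what "check the input on the server side" looks like in practice: the server parses the raw form body exactly as it arrives on the wire, which is all a hand-crafted POST is, and applies its own rules to every field. Any hint the client sends about having already validated (the constructed `client_validated` field here) is simply ignored. The field names, limits and regular expressions are assumptions made for this example.

```python
import re
from urllib.parse import parse_qs

# Server-side rules. These exist independently of whatever the browser enforces.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{3,20}$")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
AGE_MIN, AGE_MAX = 13, 120


def validate_signup(raw_body: str) -> tuple[dict, dict]:
    """Validate a form-encoded POST body as the server received it.

    Returns (clean, errors). 'clean' holds normalised values only for fields
    that passed; 'errors' maps field name to a reason. Fields the client adds
    to vouch for itself (e.g. client_validated=true) are never consulted.
    """
    form = {k: v[0] for k, v in parse_qs(raw_body, keep_blank_values=True).items()}
    clean: dict = {}
    errors: dict = {}

    username = form.get("username", "")
    if USERNAME_RE.fullmatch(username):
        clean["username"] = username
    else:
        errors["username"] = "3-20 characters, letters/digits/underscore only"

    email = form.get("email", "").strip()
    if EMAIL_RE.fullmatch(email) and len(email) <= 254:
        clean["email"] = email.lower()
    else:
        errors["email"] = "not a valid address"

    # Type check first, then range check; both are things a user can bypass
    # client-side by editing the request.
    age_raw = form.get("age", "")
    try:
        age = int(age_raw)
        if AGE_MIN <= age <= AGE_MAX:
            clean["age"] = age
        else:
            errors["age"] = f"must be between {AGE_MIN} and {AGE_MAX}"
    except ValueError:
        errors["age"] = "must be a whole number"

    return clean, errors


# Constructed request bodies: one a browser with the JavaScript checks would
# send, one crafted by hand with the client-side checks skipped entirely.
GOOD_BODY = "username=alice_01&email=Alice%40example.org&age=34"
FORGED_BODY = (
    "username=..%2F..%2Fetc%2Fpasswd&email=not-an-address&age=-5"
    "&client_validated=true"
)
```

`validate_signup(GOOD_BODY)` yields an empty error map; `validate_signup(FORGED_BODY)` rejects all three fields even though the request claims `client_validated=true`, because nothing in the server's rules ever looks at that claim.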