People still bypassing form field validation

They have JavaScript turned off in their browsers. But don't worry. If they
have JavaScript turned off in their browsers, they are not intelligent
enough to be worth the trouble of accommodating.

--
HTH,

Kevin Spencer
Microsoft MVP
.Net Developer

Presuming that God is "only an idea" -
Ideas exist.
Therefore, God exists.
 
Bad attitude. Any important form that doesn't use server-side validation is
BEGGING for trouble.

You'd be surprised who surfs with js turned off.
 
Hi Mark,

I'm assuming that by validation you mean the field is required only. As such just entering a space meets the requirement.
 
> Bad attitude. Any important form that doesn't use server-side validation
> is BEGGING for trouble.

Nah.

> You'd be surprised who surfs with js turned off.

I doubt it.

--
;-),

Kevin Spencer
Microsoft MVP
.Net Developer

Presuming that God is "only an idea" -
Ideas exist.
Therefore, God exists.
 
Unless they happen to be potential customers looking to spend money --

The probability of someone who doesn't realize that JavaScript is harmless
having enough intelligence to make enough money to have an impact upon any
business is negligible.

The business of development is one of compromises. It is entirely possible
to build the most perfect application. It is also economically unfeasible.
The business of development dictates that one know where to cut bait. You
play the odds when you have to.

--
HTH,

Kevin Spencer
Microsoft MVP
.Net Developer

Presuming that God is "only an idea" -
Ideas exist.
Therefore, God exists.
 
Server side validation can assume the same defaults as clientside so it is not a valid reason for doing server side validation.
 
Thank you all for those comments.

FWIW the very few records over the years that did have blank names etc had
basically nothing else in them or rubbish. I guess we can live with that
occasionally, it's just that I had some other aspx code that kept crashing
when it hit a database Null in FirstName or LastName.

Sure I can either code-around for a Null in the field or try to eliminate it
at source. Best practice as I am sure you all would say is to get it right
the first time -- so I may have to look at doing some server-side validation
duplication.

I did appreciate all your comments though -- thanks again.

Kind Regards
Mark Brownlee
 
Hmmm, as an example, my website deals in timeshare exchanging, and
while it does not deal in big $$, I can tell you for certain that
everyone that belongs to it has done well enough to have money to
spare, because they all own one or more Timeshares.

And I can also tell you that many, if not most of them are no longer
young, are quite un-knowledgeable about computers, would not have the
slightest clue what JavaScript is, and, if told by someone it
was bad and should be disabled, would do so if they were told how to
do it. Oh, and by the way, most of them (the ones spending the money)
are females.

So, the polite way to say it is that you are simply wrong about the
relationship of technical understanding to the ability to have enough
money to influence a business.
 
Disagree w/ you and agree w/ Murray
The people you need to code defensively for are usually
- those that know exactly how to circumvent client side scripting deliberately
(usually to cause harm or try to break something)
- those that are too "computer impaired" to follow any directions
(can also break something)

--

_____________________________________________
SBR @ ENJOY (-: [ Microsoft MVP - FrontPage ]
"Warning - Using the F1 Key will not break anything!" (-;
To find the best Newsgroup for FrontPage support see:
http://www.frontpagemvps.com/FrontPageNewsGroups/tabid/53/Default.aspx
_____________________________________________


|> Bad attitude. Any important form that doesn't use server-side validation
| > is BEGGING for trouble.
|
| Nah.
|
| > You'd be surprised who surfs with js turned off.
|
| I doubt it.
|
| --
| ;-),
|
| Kevin Spencer
| Microsoft MVP
| .Net Developer
|
| Presuming that God is "only an idea" -
| Ideas exist.
| Therefore, God exists.
|
| | > Bad attitude. Any important form that doesn't use server-side validation
| > is BEGGING for trouble.
| >
| > You'd be surprised who surfs with js turned off.
| >
| > --
| > Murray
| > --------------
| > MVP FrontPage
| >
| >
| > | >> They have JavaScript turned off in their browsers. But don't worry. If
| >> they have JavaScript turned off in their browsers, they are not
| >> intelligent enough to be worth the trouble of accommodating.
| >>
| >> --
| >> HTH,
| >>
| >> Kevin Spencer
| >> Microsoft MVP
| >> .Net Developer
| >>
| >> Presuming that God is "only an idea" -
| >> Ideas exist.
| >> Therefore, God exists.
| >>
| >> | >>> We got two records today where the First Name, Last Name and Company
| >>> fields
| >>> were blank on
| >>> http://www.orbisoft.com/products/taskmanager/2005/dl01ref.aspx.
| >>>
| >>> How are people still doing this when we have FrontPage form field
| >>> validation
| >>> set up?
| >>>
| >>> Regards
| >>> Mark Brownlee
| >>>
| >>>
| >>>
| >>>
| >>
| >>
| >
| >
|
|
 
> The people you need to code defensively for are usually
> - those that know exactly how to circumvent client side scripting
> deliberately
> (usually to cause harm or try to break something)

Coding defensively is a good thing. Server-side defensive programming is a
security issue. Server-side *validation* is usually unnecessary. Two
different topics. Two different solutions.

--
HTH,

Kevin Spencer
Microsoft MVP
.Net Developer

Presuming that God is "only an idea" -
Ideas exist.
Therefore, God exists.

 
Still disagree

Server-side *validation* is required if you are coding defensively
(and not just for security reasons)
- it is for data integrity, process integrity, and often security too
It means always check any user supplied values before using them
(or even presuming they were provided)
And any developer should know that you always "check" any critical user supplied values as close to the source as possible (right
after they are supposed to be provided),
- so they can be "corrected" by user, if not valid, before going any further
Closest thing to the source is client side validation (before the user sends it)
Second closest thing to the source is server side validation (right after the user sends it)
--

_____________________________________________
SBR @ ENJOY (-: [ Microsoft MVP - FrontPage ]
"Warning - Using the F1 Key will not break anything!" (-;
To find the best Newsgroup for FrontPage support see:
http://www.frontpagemvps.com/FrontPageNewsGroups/tabid/53/Default.aspx
_____________________________________________


 
Mike is correctly saying it can
- if you make the same poor assumption in creating it that was done w/ the client side validation
Like only checking for a length greater than 1 will still allow a space to be validated
- but trimming the variable and checking for a length > 2 will not

--

_____________________________________________
SBR @ ENJOY (-: [ Microsoft MVP - FrontPage ]
"Warning - Using the F1 Key will not break anything!" (-;
To find the best Newsgroup for FrontPage support see:
http://www.frontpagemvps.com/FrontPageNewsGroups/tabid/53/Default.aspx
_____________________________________________


| What? Client-side validation can fail, as has been demonstrated.
| Server-side cannot.
|
| --
| Murray
| --------------
| MVP FrontPage
|
|
| | > Server side validation can assume the same defaults as clientside so it is
| > not a valid reason for doing server side validation.
| >
| > --
| > Mike -- FrontPage MVP '97 - '02
| > http://www.websunlimited.com
| > FrontPage Add-in
| >
| >
| >
| > | >> Another reason why server-side validation is really critical.
| >>
| >> --
| >> Murray
| >> --------------
| >> MVP FrontPage
| >>
| >>
| >> | >>> Hi Mark,
| >>>
| >>> I'm assuming that by validation you mean the field is required only. As
| >>> such just entering a space meets the requirement.
| >>>
| >>> --
| >>> Mike -- FrontPage MVP '97 - '02
| >>> http://www.websunlimited.com
| >>> FrontPage Add-in
| >>>
| >>>
| >>> | >>>> We got two records today where the First Name, Last Name and Company
| >>>> fields
| >>>> were blank on
| >>>> http://www.orbisoft.com/products/taskmanager/2005/dl01ref.aspx.
| >>>>
| >>>> How are people still doing this when we have FrontPage form field
| >>>> validation
| >>>> set up?
| >>>>
| >>>> Regards
| >>>> Mark Brownlee
| >>>>
| >>>>
| >>>>
| >>>>
| >>>
| >>>
| >>
| >>
| >
| >
|
|
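
The failure discussed in this thread (a "required" check that a single space satisfies, and submissions that reach the server without any browser script having run) is shown here as an added example; it is not part of any poster's message or of the site's own code. It is written in JavaScript for illustration, and the field names, length limit and sample request bodies are assumptions.

```javascript
// Added example. Field names follow the thread; MAX_LEN is an assumed column width.
const REQUIRED = ["FirstName", "LastName", "Company"];
const MAX_LEN = 100;

// Length-only "required" check of the kind discussed above: one space passes.
function naiveRequired(value) {
  return typeof value === "string" && value.length > 0;
}

// Drop zero-width characters, collapse whitespace runs (\s covers NBSP), trim.
function normalize(value) {
  return String(value ?? "")
    .replace(/[\u200B-\u200D\uFEFF]/g, "")
    .replace(/\s+/g, " ")
    .trim();
}

// Validate the raw urlencoded body exactly as the server receives it,
// whether or not any browser-side script ran first.
function validateSubmission(rawBody) {
  const params = new URLSearchParams(rawBody);
  const clean = {};
  const errors = {};
  for (const name of REQUIRED) {
    const values = params.getAll(name);
    if (values.length === 0) { errors[name] = "missing"; continue; }
    if (values.length > 1) { errors[name] = "duplicated"; continue; }
    const v = normalize(values[0]);
    if (v === "") errors[name] = "blank";
    else if (v.length > MAX_LEN) errors[name] = "too long";
    else if (/[\u0000-\u001F\u007F]/.test(v)) errors[name] = "control characters";
    else clean[name] = v;
  }
  return { ok: Object.keys(errors).length === 0, clean, errors };
}

// Constructed sample bodies (not taken from the thread's site).
const blankBody = "FirstName=+&LastName=%C2%A0&Email=a%40example.com";
const goodBody = "FirstName=Ann&LastName=Lee&Company=Example+Ltd";
console.log(naiveRequired(" "));
console.log(validateSubmission(blankBody));
console.log(validateSubmission(goodBody));
```

Only the `clean` values of a submission with `ok === true` should be written to the database, so blank or Null names never reach the code that reads them back.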
 