Home/ Questions/Q 3931888
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-19T23:23:47+00:00

I previously asked a similar question on this topic a while back and got

  • 0

I previously asked a similar question on this topic a while back and got some good feedback, but I still have some doubts about how to proceed.

Here is the scenario…

App allows users to post and delete their comments about a video.

When a user posts a comment, the UI layer passes the comment string and the userId (guid) and when deleting passes the commentId (int) and userId (guid) to the BLL which then passes to the DAL.

At the UI layer, I assume I need to do full validation, so I make sure of the following using both client (where applicable) and server side validation:

  • userId is in fact a guid
  • userId exists in the user database (by calling a BLL method)
  • userId is the one associated with the commentId (for delete) (by calling a BLL method)
  • comment is not blank
  • comment does not exceed the max length
  • commentId is > 0
  • commentId exists in the database (by calling a BLL method)
  • videoId is > 0
  • videoId exists in the database (by calling a BLL method)

After all these validations take place, I will call the BLL methods as

Save(string comment, int videoId, string userId)
or
Delete(int commentId, string userId)

Since the BLL could also be used as a webservice or for other pages/apps, I know I need to do validation in the BLL as well. From what I have learned, I am thinking I need to redo all the same validations I just did in the UI layer:

  • userId is in fact a guid
  • userId exists in the user database (by calling a BLL method)
  • userId is the one associated with the commentId (for delete) (by calling a BLL method)
  • comment is not blank
  • comment does not exceed the max length
  • commentId is > 0
  • commentId exists in the database (by calling a BLL method)
  • videoId is > 0
  • videoId exists in the database (by calling a BLL method)

Is this correct? I hate to make the extra database calls unless I have to!

Now I need to call the associated DAL calls to actually make the database changes. Which of the above validations do I need to perform again in the DAL?

This app is not being sold or anything, but I want to understand the best way to handle the validation without killing performance with extra database calls that I may or may not need.

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    I do validation in the UI layer only for things which could be innocent user errors. Validation here is purely for the sake of usability. From your list, that would be

    • comment is not blank
    • comment does not exceed the max length

    Fortunately, those don’t require database calls.

    On the backend, you need to validate everything from your list. That’s the only way to truly ensure to ensure validity, security, integrity, etc.

    If something passes the UI layer validations but fails backend validations, something very very wrong happened – either a malicious user or a bug in your code. If it’s a bug in your code, showing validation messages to the user isn’t really helpful to them. If it’s a malicious user, valdiation messages are actually harmful because they make it easier for a bad guy to determine what validation checks you do and find holes. When validations fails in the backend, your app should just give the user a generic error message.

    • 0