Where do you put user input validation in a web form application?
- View: JavaScript client side
- Controller: Server side language (C#…)
- Model: Database (stored procedures or dependencies)
I think there is validation required by each level:
1. Did the user input a sane value?
   - Are dates actual dates, are numbers actually numbers …
2. Do all of the checks in 1. again, plus checks for malicious attacks (i.e. XSS or SQL injection).
   - The checks done in 1. are mainly to avoid a server round trip when the user makes a mistake.
   - Since they are done on the client side in JavaScript, you can’t trust that they were run. Validating these values again will stop some malicious attacks.
3. Are dependencies met (i.e. did the user add a comment to a valid question)?
   - A good interface makes these very hard to violate. If something is caught here, something went very wrong.
[inspired by this response]
I check in all tiers, but I’d like to note a validation trick that I use.
I validate in the database layer, proper constraints on your model will provide automatic data integrity validation.
This is an art that seems to be lost on most web programmers.
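The tiers the two answers above describe, as an added example that is not code from either answer: Python with an in-memory sqlite3 database stands in for the server-side language and the database, the schema, field names and form payloads are constructed for the illustration, and the client-side JavaScript is left out because it only saves a round trip and cannot be relied on. The controller re-checks the raw form fields (tier 2), the INSERT binds the comment body as a parameter rather than splicing it into SQL, HTML escaping happens at render time, and the schema's foreign key and CHECK constraints (tier 3) reject a dangling question reference and a write that bypasses the controller altogether.

```python
import sqlite3
from datetime import date
from html import escape

# Tier 3 (model): constraints in the schema itself.  Constructed schema for
# this example; a comment must point at a real question, and every column
# carries the same bounds the controller checks, so data that skips the
# controller (a batch job, a second application) is still rejected.
SCHEMA = """
CREATE TABLE question (
    id    INTEGER PRIMARY KEY,
    title TEXT NOT NULL CHECK (length(title) BETWEEN 1 AND 200)
);
CREATE TABLE comment (
    id          INTEGER PRIMARY KEY,
    question_id INTEGER NOT NULL REFERENCES question(id),
    body        TEXT NOT NULL CHECK (length(body) BETWEEN 1 AND 2000),
    posted_on   TEXT NOT NULL
                CHECK (posted_on GLOB '[0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]'),
    rating      INTEGER NOT NULL CHECK (rating BETWEEN 1 AND 5)
);
"""


class ValidationError(ValueError):
    """Raised by the controller tier with a dict of field -> message."""


def validate_comment(form: dict) -> dict:
    """Tier 2 (controller): re-run the client-side checks on the raw form.
    Every field arrives as a string and the browser may have skipped its
    JavaScript entirely, so nothing here trusts the client."""
    errors = {}
    try:
        question_id = int(form.get("question_id", ""))
    except ValueError:
        errors["question_id"] = "must be an integer"
    try:
        posted_on = date.fromisoformat(form.get("posted_on", ""))
    except ValueError:
        errors["posted_on"] = "must be a real date in YYYY-MM-DD form"
    rating = form.get("rating", "")
    if rating not in ("1", "2", "3", "4", "5"):
        errors["rating"] = "must be 1 to 5"
    body = form.get("body", "").strip()
    if not 1 <= len(body) <= 2000:
        errors["body"] = "must be 1 to 2000 characters"
    if errors:
        raise ValidationError(errors)
    return {"question_id": question_id, "body": body,
            "posted_on": posted_on.isoformat(), "rating": int(rating)}


def insert_comment(conn: sqlite3.Connection, clean: dict) -> int:
    """Parameterised INSERT: the body is a bound value, never SQL text, so an
    injection payload is stored as a literal string."""
    cur = conn.execute(
        "INSERT INTO comment (question_id, body, posted_on, rating)"
        " VALUES (?, ?, ?, ?)",
        (clean["question_id"], clean["body"], clean["posted_on"], clean["rating"]),
    )
    return cur.lastrowid


def render_comment(body: str) -> str:
    """XSS is an output problem: store the text as typed, escape it for HTML
    at the point it is rendered into the view."""
    return escape(body, quote=True)


def run_demo() -> dict:
    """Drive submissions through each tier and report what each tier caught."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")   # off by default in SQLite
    conn.executescript(SCHEMA)
    conn.execute("INSERT INTO question (id, title) VALUES (1, 'Where to validate?')")
    base = {"question_id": "1", "posted_on": "2024-05-01", "rating": "4"}
    results = {}
    # A sane submission passes the controller and the schema.
    results["ok_id"] = insert_comment(conn, validate_comment({**base, "body": "Check every tier."}))
    # Injection attempt: well-formed to the controller, harmless as a bound parameter.
    payload = "'); DROP TABLE comment; --"
    insert_comment(conn, validate_comment({**base, "body": payload}))
    results["rows_after_injection"] = conn.execute("SELECT count(*) FROM comment").fetchone()[0]
    results["stored_literally"] = conn.execute(
        "SELECT body FROM comment WHERE id = 2").fetchone()[0] == payload
    # Tier 2 catches a date that only looks like a date.
    try:
        validate_comment({**base, "body": "x", "posted_on": "2024-02-30"})
        results["bad_date"] = "accepted"
    except ValidationError as e:
        results["bad_date"] = "rejected" if "posted_on" in e.args[0] else "accepted"
    # Tier 3 catches a dependency the controller cannot see: a well-formed
    # question_id that refers to no question.
    try:
        insert_comment(conn, validate_comment({**base, "body": "x", "question_id": "999"}))
        results["orphan_comment"] = "accepted"
    except sqlite3.IntegrityError:
        results["orphan_comment"] = "rejected"
    # Tier 3 also holds when a write bypasses the controller entirely.
    try:
        conn.execute("INSERT INTO comment (question_id, body, posted_on, rating)"
                     " VALUES (1, 'bypass', '2024-05-01', 9)")
        results["bypass_rating_9"] = "accepted"
    except sqlite3.IntegrityError:
        results["bypass_rating_9"] = "rejected"
    return results


if __name__ == "__main__":
    print(run_demo())
```

Note that `PRAGMA foreign_keys = ON` is per connection and off by default in SQLite, so a schema with `REFERENCES` alone gives no integrity guarantee there; on other engines the foreign key is enforced without it, but the point of the demo stands: the constraint, not the controller, is what stops the orphan comment and the out-of-range rating written behind the controller's back.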