Why do we need both client side and server side validation

2014-11-16

In this video we will discuss why we need both client side and server side validation. This is a common interview question as well. This is a continuation of Part 1. Please watch Part 1 before proceeding.

Client side validation can be very easily bypassed by disabling JavaScript on a client browser. For example, the following are the steps to disable JavaScript in Google Chrome.
1. Open Google Chrome browser
2. Click on the Customise button on the top right hand corner of the browser
3. Select Settings from the context menu
4. Type JavaScript in the Search Settings textbox
5. Click on "Content Settings" button
6. Under "JavaScript" section select "Do not allow any site to run JavaScript" radio button.
7. Close "Content Settings" window

In the application that we worked with in Part 1, comment out the call to the ValidatForm() method. This is the server side method that validates form input. At this point the code in the btnSubmit_Click() method should be as shown below.

    protected void btnSubmit_Click(object sender, EventArgs e)
    {
        // Server side validation is commented out for this demonstration
        //if (ValidatForm())
        //{
            SaveData();
        //}
    }

So, at the moment:
1. We have disabled JavaScript on the client browser
2. We don't have any server side validation

Run the application and click the Submit button without filling in any data. Notice that an empty row is inserted into the Users table.

This is because client side validation is bypassed as we have disabled JavaScript and we also don't have any server side method validating the form. This is one of the reasons why we always want to have both client side and server side validation.

If JavaScript is disabled and if we don't have any server side validation, there could be different threats ranging from storing invalid data to security vulnerabilities.

Client side validation provides a better user experience as it reduces unnecessary round trips between the client and the server. So client side validation is nice to have.

However, if JavaScript is disabled, or if the user is making a request using a tool like Fiddler, we still want to validate the form before saving data. So, server side validation should always be there, irrespective of whether we have client side validation or not.
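
A server side check of the kind described above, as an added example that is not the ValidatForm() code from Part 1: the field names (FirstName, LastName, Email), the 50-character limit and the e-mail pattern are assumptions. It treats a field that is missing from the request the same as an empty one, because a request that does not come from the page's own form need not contain every field.

```csharp
using System;
using System.Collections.Generic;
using System.Text.RegularExpressions;

// Added example, not the Part 1 code. Field names and rules are assumptions.
public static class ServerSideValidation
{
    // Shape check only (something@something.tld); assumption for this example.
    private static readonly Regex EmailShape =
        new Regex(@"^[^@\s]+@[^@\s]+\.[^@\s]+$", RegexOptions.CultureInvariant);

    // Returns one message per failed rule; an empty list means the input may be saved.
    public static List<string> Validate(IDictionary<string, string> form)
    {
        var errors = new List<string>();
        foreach (var field in new[] { "FirstName", "LastName", "Email" })
        {
            string value;
            // Never assume the browser sent the field: missing is handled like empty.
            if (!form.TryGetValue(field, out value) || string.IsNullOrWhiteSpace(value))
                errors.Add(field + " is required");
            else if (value.Length > 50)
                errors.Add(field + " is too long");
        }
        string email;
        if (form.TryGetValue("Email", out email) && !string.IsNullOrWhiteSpace(email)
            && !EmailShape.IsMatch(email))
            errors.Add("Email is not in a valid format");
        return errors;
    }

    public static void Main()
    {
        // Constructed input: what the server receives when Submit is clicked
        // on an empty form with JavaScript disabled.
        var emptyPost = new Dictionary<string, string>
            { { "FirstName", "" }, { "LastName", "" }, { "Email", "" } };
        // Constructed input: a well-formed submission.
        var goodPost = new Dictionary<string, string>
            { { "FirstName", "Ann" }, { "LastName", "Lee" }, { "Email", "ann@example.com" } };

        foreach (var post in new[] { emptyPost, goodPost })
        {
            var errors = Validate(post);
            // In the page's application, SaveData() would run only on the "valid" branch.
            Console.WriteLine(errors.Count == 0
                ? "valid: save" : "rejected: " + string.Join("; ", errors));
        }
    }
}
```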