When should data validation be done?

For instance, if I want to check if the input has only alphanumeric characters and is more than 10 characters long. Should I just check it server-side? Or server-side and in the database (query) itself? Or just go for the gusto and check it client-side, server-side, and db-side?

Just trying to find the right balance of checking.


It's a good idea to validate on both the client and server. Validate on the client, but don't blindly trust the results when processing the data on the back end. This can leave your application open to malicious attacks, especially in forms that drive critical business processes.

Increase the user's experience by first validating their data client side, and then protect yourself by validating, on the back end, what has already been deemed as valid by the client.


There should never be a need to do it both server-side and in the database. Whether or not you check it on the client-side depends on your environment and how the application functions. In a web application, if you have lots of client-side script running to do various other things, then client-side validation is ideal, if not necessary. The important part is that you need to do all validation server-side, even if you do some of it client-side, because it is fairly easy to get around client-side validation if you want to.

Even if you aren't doing lots of client-side wackiness, client-side validation is very beneficial because it reduces requests to the server, which can greatly help performance (both perceived and actual).

Doing validation in the database is the wrong place to do it because validation is typically driven by business rules, and your data layer should not be the owner of business rules.


Always validate server side. Doing client side in addition can be helpful if you want to do dynamic jQuery-ish form processing error popups and such. Not sure what you mean by "in the query" -- do you mean in the schema?


Honestly it's preference, but there are benefits. If you are in a high traffic environment, you might not want to do all of your validation server side because the less traffic you can have coming in to your server the better.

So do part of it client side and part of it server side.

Items that are easy to validate client side could be:

  • Input length
  • Input type (string, int, date, bool)
  • Field driven limitation on selection

Depending on what your data layer is like... If you're using procedures, there should be basic data type validation built in.
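
An added example, not part of any answer above: the rule from the question (alphanumeric only, more than 10 characters) written once and enforced on the server regardless of what the client claims. The field names `username` and `clientValidated`, the 64-character upper bound and the handler shape are assumptions for illustration.

```javascript
// Added example. Rule from the question: alphanumeric only, more than 10 characters.
// Assumptions: field names `username` / `clientValidated`, MAX_LEN, handler shape.
const MAX_LEN = 64;
// ASCII letters and digits only. No flags, so ^ and $ anchor the whole input.
const ALNUM = /^[A-Za-z0-9]+$/;

// Pure function: can also be shipped to the browser for instant feedback.
function validateUsername(value) {
  // Parsed JSON can deliver arrays, objects or numbers instead of a string.
  if (typeof value !== "string") return { ok: false, reason: "not a string" };
  if (value.length <= 10) return { ok: false, reason: "must be more than 10 characters" };
  if (value.length > MAX_LEN) return { ok: false, reason: "too long" };
  if (!ALNUM.test(value)) return { ok: false, reason: "alphanumeric characters only" };
  return { ok: true, value };
}

// Server-side entry point (framework-agnostic): receives the raw request body.
function handleSubmit(rawBody) {
  let body;
  try {
    body = JSON.parse(rawBody);
  } catch (err) {
    return { status: 400, error: "malformed JSON" };
  }
  if (body === null || typeof body !== "object") {
    return { status: 400, error: "expected a JSON object" };
  }
  // body.clientValidated is ignored on purpose: whoever sends the request sets it.
  const result = validateUsername(body.username);
  if (!result.ok) return { status: 422, error: result.reason };
  return { status: 200, username: result.value };
}

// Constructed sample bodies, as a server would receive them.
const SAMPLES = [
  '{"username":"abcdefghijk"}',
  '{"username":"abcdefghij"}',
  '{"username":"abcdefghijk<b>","clientValidated":true}',
  '{"username":["abcdefghijk"]}',
  '{"username":"abcdefghijk\\n"}',
];
for (const raw of SAMPLES) console.log(raw, "->", JSON.stringify(handleSubmit(raw)));
```

Only the first sample is accepted; the third is rejected even though it carries `clientValidated: true`, because the server never reads that flag.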
