Where should we put data validation in a website?

Question

I have looked through many threads and/or questions on the internet looking for a clear answer but so far havn't gotten any.

A part of the question was already answered (unless you tell me it is wrong). Data validation should be done client side AND server side. Client side to notify the user of data who is invalid and to offload the server and as well on the server to prevent any kind of attacks.

Validating on both sides can be a tedious task though and I wondered if there was some way to do it so that you don't have so much duplicated code.

There is also something else I was wondering...I have a table with rows who contain the id (of the database) of that row. At the end of each row I have a delete button to delete it from the html, my JSON object who contains an array of my values and who is sent to an ajax call to be deleted from the database (a link between 2 tables).

This isn't safe (well in an unsafe environment like the internet) and I know it. I can always check client side to see if the id is only numbers and if so then check server side if it exists. But who tells me the user did not go in the debugger and inverted 2 lines and end up deleting rows who should not be? What would be the best way to have my ids and be safe from people inverting them?

Any suggestions appreciated

Answer 1

Since other answers have already been posted, i would recommend that you dedicate a utility class that you can call Utility and where you would store many useful functions to check data type & content in the server side, that way even if you'll be doing some great verifications on both client and server side, at least your code will be more readable and manageable.

Another benefit of creating and managing your own utility classes is that you can easily use them across all your projects.

For example, a utility class can contain methods ranging from verifying that a certain field is within a specific range of values, or that it doesn't contain special characters (use Regular Expressions) and so on ... Your advanced utility method would focus on preventing scripts insertion, sql injections as mentionned before.

All in all, you'll do the work once and benefit from it all the time, i'm sure you no want to start checking if an age field is negative or whatever on every project you do from scratch. Using Ajax and XHR can be a bridge between your server side and client side code and would help you unifiy your validation and avoid duplication.

Answer 2

Validation should always be done on server. Client-side validation is for user convenience only and is not strictly necessary from the security point of view (except when it opens a XSS security hole).

Apart from that, you should sanitize every input you receive from user. After the input has passed a sanity check (for example if there is text where there should be a number), you should do a permission test (Does the user have the appropriate permission to perform an action that is requested?)

After you have done this, you can actually execute the transaction.

Answer 3

Data validation should be done client side AND server side.

It is not really needed to do it client side IMHO. But it is nice to be able to notify the user before submitting the data. So I would call it a pre.

Validating on both sides can be a tedious task though and I wondered if there was some way to do it so that you don't have so much duplicated code.

Because PHP is serverside and javscript is clientside it isn't really easy to prevent duplication of code. There is one way that I know of however using xhr requests. This way you can use the php validation in javascript (clientside).

At the end of each row I have a delete button to delete it from the html

Please tell me you are using CSRF protection. :-)

I can always check client side to see if the id is only numbers and if so then check server side if it exists.

To prevent malicious sql injected you should use prepared statements and parameterized queries.