验证服务器控件是否比 JavaScript 更好?
验证服务器控件是否比 javascript 更好?他们是否限制我们,因为我们只能使用他们提供的功能。请帮我解决这个问题。我在自己的博客上读到了有关验证服务器控件的内容
Are validation server controls better than javascript in any way ? Do they restrict us as we are only able to use the functionality that is provided by them. Please help me on this. I read about validation server controls on my own blog
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(4)
最好在客户端和服务器上都使用验证:
现在,至于如何实现该验证 - 如果内置“工具包”控件为您执行适当的验证,那么这显然比编写自己的验证代码更简单。 ASP.NET 验证器为您执行客户端和服务器端验证。来自 BaseValidator 的文档:
It's best to use validation on both the client and the server:
Now, as for how you implement that validation - if built-in "toolkit" controls perform appropriate validation for you, that's obviously going to be simpler than writing your own validation code. ASP.NET validators do both client- and server-side validation for you. From the docs for
BaseValidator
:一般来说,您始终应该进行服务器端数据验证。这可以确保您保护您的服务器免受恶意伪造的请求,保护您的数据存储免受输入无效数据(只要数据库本身不处理)。如果您喜欢使用服务器端输入验证的工具或框架(如您链接的文章中所述),则由您决定。
客户端验证(例如使用 JavaScript)也很有用,但原因不同:它允许您在提交数据之前向用户提供有用的信息。
所以这不是非此即彼的问题,而是和/和的问题。你实际上并没有在这里做任何双重工作。客户端和服务器端验证只是服务于不同的目的(分别增强用户的可用性并保护服务的逻辑和安全性)。
服务器端和客户端验证可能由相同的业务逻辑控制(例如,对于邮政编码,您可以使用相同的正则表达式来检查和拒绝服务器端和客户端的输入)。在这种情况下,您面临同步两个验证层的挑战(这可以通过从与服务器端服务代码相同的业务逻辑模型生成页面+ JavaScript 逻辑来完成)。
如果您仍然觉得自己在做双重工作,那么选择进行服务器端验证。 (当然,您仍然可以使用它来通知客户端,但这样做需要响应。)客户端验证不提供任何保护,因为客户端可以简单地手动伪造请求,或者从浏览器禁用javascript,或者通过像 Greasemonkey 脚本这样的东西修改客户端 JavaScript。
In general, you always should do server-side data valdation. This ensures you protect your server from maliciously forged requests, you datastore from entering invalid data (as far as the db doesn't take care of that itself). If you like to use a tool or framework for server-side input validation, like described in the article linked by you, that is up to you.
Client-side validation, with for example javascript, is useful too, but for a different reason: it allows you to give helpful info to the user before submitting the data.
So it is not a matter of either/or, more of and/and. You are not actually doing any double work here. Client-side and server-side validation simply serve a different purpose (respectively, enhancing usability for the user and guarding logic and security of your service).
It is possible that the server and client side validations are governed by the same business logic (for example, for a zip code, you could use the same regex to check and reject input at both server side and client side). In this case you have a challenge of synchronizing both validation layers (which can be done by generating the page + javascript logic from the same business logic model as the server-side service code).
If you still feel you are doing double work, then choose to do server-side validation. (You can of course still use this to inform the client, but it will take a response to do so.) Client side validation does not offer any protection, as a client can simply manually forge a request, or, from tthe browser, disable javascript, or modify the client side javascript trhough something like a greasemonkey script.
用户可以关闭 JavaScript,在这种情况下您的验证例程将无法工作。法律上最好在前端和服务器上都进行验证。
A user can have JavaScript switched off in which case your validation routines will not be able to work. It is lawys best to do validation both at the front end as well as the server.
我从未使用过 ASP,但据我猜测 ValidationServerControls 是开箱即用的控件,它为您提供服务器端验证和客户端验证。 (我可能是错的)。
但据我了解,组件的服务器端验证始终是必需的;因为在 javascript 中添加验证是不够的。客户端始终可以禁用 javascript 并提交内容,或使用复杂的工具(例如curl 等)向可能包含数据的服务器发布请求;这可能会在您的代码/sql 中进行注入。
即使你编写了 javascript 验证;您必须以一种或另一种方式始终编写服务器代码来验证传入的数据。
理想的方法是同时拥有
1.在javascript中验证数据;以便在数据输入无效的情况下限制对服务器的请求。
2.服务器端验证。如果 JavaScript 被禁用并且数据发布到服务器。
I have never worked on ASP but from what I am guessing ValidationServerControls are out of the box controls which give you server side validation as well as client side validation. (I may be wrong).
But from what I understand, Server side validation of the components is always a requisite; as putting a validation in javascript is never sufficient. A client can always disable javascript and submit content or use sophisticated tools like curl etc. to post request to server which may contain data; that may do injection in your code/sql.
Even if you write javascript validations; you must in one way or other always write server code to validate incoming data.
Ideal approach would be to have both
1. Validate data in javascript; so that requests to server are limited in case of invalid data input.
2. Server side validation. in case javascript is disabled and data post is made to server.