验证服务器控件是否比 JavaScript 更好?

发布于 2024-08-16 02:14:38 字数 90 浏览 7 评论 0原文

验证服务器控件是否比 javascript 更好?他们是否限制我们,因为我们只能使用他们提供的功能。请帮我解决这个问题。我在自己的博客上读到了有关验证服务器控件的内容

Are validation server controls better than javascript in any way ? Do they restrict us as we are only able to use the functionality that is provided by them. Please help me on this. I read about validation server controls on my own blog

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(4

流年已逝 2024-08-23 02:14:38

最好在客户端和服务器上都使用验证:

  • 在客户端上进行验证可以提供即时反馈,而无需不断往返于服务器。这带来了更好的用户体验。
  • 需要在服务器上进行验证,以确保您不会得到错误的数据。毕竟,恶意用户可以轻松地将数据发布到您的服务器,而无需经过客户端验证。

现在,至于如何实现该验证 - 如果内置“工具包”控件为您执行适当的验证,那么这显然比编写自己的验证代码更简单。 ASP.NET 验证器为您执行客户端和服务器端验证。来自 BaseValidator 的文档

验证控件始终验证
相关的输入控件
服务器。验证控件也有
完整的客户端实现
允许启用脚本的浏览器
(例如 Microsoft Internet Explorer
版本 4.0 及更高版本)执行
在客户端进行验证。客户端
验证增强验证
之前检查用户输入的过程
它被发送到服务器。这允许
在客户端检测到的错误
在提交表格之前,避免
信息的往返
服务器端验证所必需的。

It's best to use validation on both the client and the server:

  • Validating on the client gives instant feedback without constant roundtrips to the server. This makes for a better user experience.
  • Validating on the server is required to make sure you don't get bad data. After all, a malicious user could easily post data to your server without going through your client-side validation.

Now, as for how you implement that validation - if built-in "toolkit" controls perform appropriate validation for you, that's obviously going to be simpler than writing your own validation code. ASP.NET validators do both client- and server-side validation for you. From the docs for BaseValidator:

Validation controls always validate
the associated input control on the
server. Validation controls also have
complete client-side implementation
that allows script-enabled browsers
(such as Microsoft Internet Explorer
version 4.0 and later) to perform
validation on the client. Client-side
validation enhances the validation
process by checking user input before
it is sent to the server. This allows
errors to be detected on the client
before the form is submitted, avoiding
the round trip of information
necessary for server-side validation.

花海 2024-08-23 02:14:38

一般来说,您始终应该进行服务器端数据验证。这可以确保您保护您的服务器免受恶意伪造的请求,保护您的数据存储免受输入无效数据(只要数据库本身不处理)。如果您喜欢使用服务器端输入验证的工具或框架(如您链接的文章中所述),则由您决定。

客户端验证(例如使用 JavaScript)也很有用,但原因不同:它允许您在提交数据之前向用户提供有用的信息。

所以这不是非此即彼的问题,而是和/和的问题。你实际上并没有在这里做任何双重工作。客户端和服务器端验证只是服务于不同的目的(分别增强用户的可用性并保护服务的逻辑和安全性)。

服务器端和客户端验证可能由相同的业务逻辑控制(例如,对于邮政编码,您可以使用相同的正则表达式来检查和拒绝服务器端和客户端的输入)。在这种情况下,您面临同步两个验证层的挑战(这可以通过从与服务器端服务代码相同的业务逻辑模型生成页面+ JavaScript 逻辑来完成)。

如果您仍然觉得自己在做双重工作,那么选择进行服务器端验证。 (当然,您仍然可以使用它来通知客户端,但这样做需要响应。)客户端验证不提供任何保护,因为客户端可以简单地手动伪造请求,或者从浏览器禁用javascript,或者通过像 Greasemonkey 脚本这样的东西修改客户端 JavaScript。

In general, you always should do server-side data valdation. This ensures you protect your server from maliciously forged requests, you datastore from entering invalid data (as far as the db doesn't take care of that itself). If you like to use a tool or framework for server-side input validation, like described in the article linked by you, that is up to you.

Client-side validation, with for example javascript, is useful too, but for a different reason: it allows you to give helpful info to the user before submitting the data.

So it is not a matter of either/or, more of and/and. You are not actually doing any double work here. Client-side and server-side validation simply serve a different purpose (respectively, enhancing usability for the user and guarding logic and security of your service).

It is possible that the server and client side validations are governed by the same business logic (for example, for a zip code, you could use the same regex to check and reject input at both server side and client side). In this case you have a challenge of synchronizing both validation layers (which can be done by generating the page + javascript logic from the same business logic model as the server-side service code).

If you still feel you are doing double work, then choose to do server-side validation. (You can of course still use this to inform the client, but it will take a response to do so.) Client side validation does not offer any protection, as a client can simply manually forge a request, or, from tthe browser, disable javascript, or modify the client side javascript trhough something like a greasemonkey script.

樱&纷飞 2024-08-23 02:14:38

用户可以关闭 JavaScript,在这种情况下您的验证例程将无法工作。法律上最好在前端和服务器上都进行验证。

A user can have JavaScript switched off in which case your validation routines will not be able to work. It is lawys best to do validation both at the front end as well as the server.

九公里浅绿 2024-08-23 02:14:38

我从未使用过 ASP,但据我猜测 ValidationServerControls 是开箱即用的控件,它为您提供服务器端验证和客户端验证。 (我可能是错的)。
但据我了解,组件的服务器端验证始终是必需的;因为在 javascript 中添加验证是不够的。客户端始终可以禁用 javascript 并提交内容,或使用复杂的工具(例如curl 等)向可能包含数据的服务器发布请求;这可能会在您的代码/sql 中进行注入。

即使你编写了 javascript 验证;您必须以一种或另一种方式始终编写服务器代码来验证传入的数据。

理想的方法是同时拥有
1.在javascript中验证数据;以便在数据输入无效的情况下限制对服务器的请求。
2.服务器端验证。如果 JavaScript 被禁用并且数据发布到服务器。

I have never worked on ASP but from what I am guessing ValidationServerControls are out of the box controls which give you server side validation as well as client side validation. (I may be wrong).
But from what I understand, Server side validation of the components is always a requisite; as putting a validation in javascript is never sufficient. A client can always disable javascript and submit content or use sophisticated tools like curl etc. to post request to server which may contain data; that may do injection in your code/sql.

Even if you write javascript validations; you must in one way or other always write server code to validate incoming data.

Ideal approach would be to have both
1. Validate data in javascript; so that requests to server are limited in case of invalid data input.
2. Server side validation. in case javascript is disabled and data post is made to server.

~没有更多了~
我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
原文