RNIB Web access seminars
Oh hell!
I missed this when it came up - was going through an incredibly busy spell back then. But since this sits here for anyone to come and read, I'm going to address it now, even though it's 2 years old.
It was, I think, in one of the seminars that I ran, that I discussed this issue of client-side vs server-side validation.
I did NOT suggest passing stuff through to server-side processing purely on the basis of setting a flag client-side. Despite what some of you seem to think about RNIB's web access team, we're not that clueless!
What I suggested was, first, that form validation should ideally be carried out server-side. Then second, if one really wanted to use client-side validation, you needed to consider how to handle form submissions from people using a non-JavaScript browser or one where JavaScript has been switched off for whatever reason. The most often raised concern about using server-side validation is the additional load that might place on web servers on high volume sites.
So I then suggested the possibility of using a flag to indicate to the server-side script receiving the form submission that some client-side validation had already taken place. I thought I made it clear, though at this far remove from the actual event I'll accept the possibility that I didn't, that the idea was to bypass some of the server-side validation processes, and thus minimise the impact on server loading, but I'm sure I said "and pass the submission directly to the security processes in place on the server", or something similar.
I was not advocating simply passing stuff through to the innards of your server-side processes without ensuring that it doesn't contain anything malicious!!!!!
Would have been nice if JohnG had spoken up with his concern during the seminar itself so I could have addressed it then, or at least emailed us to let us know about this post at the time. Oh well...
Share: 