Saturday, November 15, 2008

Server-side vs Client-side validation for ASP.NET web applications

What is validation?
In HTML 'Validation' is not a process, it is merely a concept. HTML simply offers client-side scripting and form-posting. With the web page disconnected, nothing will happen server side until the form is posted - after that nothing more can happen client side until a new web page (response) is received.
Client-side validation
Client-side scripting must occur before server-side scripting. 'Validation' then is a function of our code.
If our code uses client side scripting to validate, it must happen before the form post, if we use server side code to validate it must happen after the form post.
This obviously gives the option of using the client side scripting to cancel the form post if our validation routine is not satisfied.
In .Net Microsoft offered a wizard to generate validation scripts (the validation controls), but this merely generates code as explained above.
Client-side validation is fundamentally flawed in that the 'client' which, strictly speaking is outside the applications control, is detailing whether something is acceptable or not. So, for example, the user might have a browser that does not fully support JavaScript and invalid data might be returned as valid. For this reason it is always recommended to use server side validation.
Server-side validation
Server side validation on the other hand can be very frustrating and with unexpected results. A user can submit a form, wait for long time for it to be processed, only to be told that it is invalid. For this reason we add client side validation to check the form before it is submitted, merely to enhance userability.