On Tue, 20 Jan 2004, Thomas Stivers wrote: > While I agree with you personally, you are never going to convince most > web developers to use server-side solutions for things like data > verification because its more expensive in terms of bandwidth and > processor time. If John Q. Public puts bad data in a form it makes more > sense to produce an error before form submition than to have two > unnecessary http transfers. You have a good point... I worked on a contract a while ago, and the developer used javascript for all his input validation... I warned him about the insecurity of trusting the data coming from the browser, but I was laughed down... I took 10 minutes, rewrote the form, put in what I wanted, and "mined" all his data. As far as I know, he still has not fixed the security problem... In fact, there are lots of web sites that rely on javascript, and it is a relatively simple matter to change the input to what ever you want... While it might be cool to hava clientside validation, I always validate everything on the server... kp
