On 15 June 2011 12:15, simon haywood <[email protected]> wrote:
> My question is, do I need to validate the input (for malicious attempts,
> etc) or does the theyworkforyou back-end handle that? I'm aware that perhaps
> it could be argued that I should simply validate anyway. However, I don't
> want to re-invent the wheel, nor spend development time if the work has
> already been done.
The guidance I've always been given, and pass on, is to validate wherever possible. The reasons behind this are:

* The backend you're using today may validate but the one you're using next month might.
* Rogue entry may exploit your code before it gets to the backend (e.g. buffer overrun).
* Saves network traffic (any link is only as quick as its slowest step; yes, we have fast connections these days but some of them are very busy, a 1TB link carrying 1TB of traffic is as busy as a 9600 baud one carrying 9600 baud worth of traffic).
* Saves hitting someone else's systems with a query that is destined to fail.
* If you're identified as a common source of rogue queries the owner of the backend may, quite justifiably, block your traffic.
* Processor cycles are way cheaper (in terms of both time and cost to provide) than network packets.
* Reduced risk of reputation loss: you don't want to be known as the owner/author of the site that nearly brought TheyWorkForYou (or another high profile site) down because of not validating data input.
* It's a good habit to develop; if you get used to validating input when you possibly don't strictly need to then you're less likely to forget when you do need to.

Regarding development time, I'd be surprised if you couldn't get a module/function/component someone has already written to validate a postcode. If you can't, you could write one and make it available! Write once, use often.

Stephen

--
It's better to ask a silly question than to make a silly assumption.
http://stephensorablog.blogspot.com/ | http://www.linkedin.com/in/stephenboothuk | Skype: stephenbooth_uk
Apparently I'm a "Eierlegende Woll-Milch-Sau", I think it was meant as a compliment.

_______________________________________________
developers-public mailing list
[email protected]
https://secure.mysociety.org/admin/lists/mailman/listinfo/developers-public
Unsubscribe: https://secure.mysociety.org/admin/lists/mailman/options/developers-public/archive%40mail-archive.com
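The reply above argues for validating a postcode locally before it is ever sent to a backend. The following is an added example of what such a check looks like in practice; it is not code from the thread, from TheyWorkForYou or from mySociety. It normalises the raw input and accepts it only if it matches an allow-list pattern for the UK postcode format (the commonly used approximation of the format, assumed here rather than taken from the thread), so anything that is not a postcode, including injection attempts, path fragments or oversized strings, is rejected before any network request is built. The function name `normalise_postcode`, the length cap and the sample inputs are all constructed for this example.

```python
import re
from typing import Optional

# Allow-list pattern for a UK postcode: outward code (area + district) plus
# inward code (sector digit + two unit letters), with the special "GIR 0AA".
# This is the widely used approximation of the format and is an assumption of
# this example, not a rule from the thread. The pattern is anchored, has no
# nested quantifiers and is only ever run on length-capped input, so it cannot
# be used to stall the process with pathological strings.
_POSTCODE_RE = re.compile(
    r"(?:GIR ?0AA|"
    r"(?:[A-PR-UWYZ][0-9]{1,2}"                     # A9, A99
    r"|[A-PR-UWYZ][A-HK-Y][0-9]{1,2}"               # AA9, AA99
    r"|[A-PR-UWYZ][0-9][A-HJKSTUW]"                 # A9A
    r"|[A-PR-UWYZ][A-HK-Y][0-9][ABEHMNPRVWXY])"     # AA9A
    r" ?[0-9][ABD-HJLNP-UW-Z]{2})"                  # inward code, e.g. 1AA
)

# Longest legitimate postcode is 8 characters ("AA99 9AA"); allow a little
# surrounding whitespace and reject everything longer before touching the regex.
MAX_RAW_LENGTH = 16  # constructed bound for this example


def normalise_postcode(raw: object) -> Optional[str]:
    """Return the canonical 'OUTWARD INWARD' form of a UK postcode, or None.

    None means "do not send this to the backend": the input is either not a
    string, too long, or does not match the allow-list pattern. Nothing that
    is rejected is echoed back, so an attacker gains no information about
    which part of the input tripped the check.
    """
    if not isinstance(raw, str) or len(raw) > MAX_RAW_LENGTH:
        return None
    # Collapse all runs of whitespace (tabs, newlines, multiple spaces) into a
    # single space and fold case, so "sw1a  1aa\n" and "SW1A1AA" compare alike.
    cleaned = " ".join(raw.upper().split())
    if not _POSTCODE_RE.fullmatch(cleaned):
        return None
    # The inward code is always the last three characters; whatever precedes
    # it (minus any separating space) is the outward code.
    inward = cleaned[-3:]
    outward = cleaned[:-3].strip()
    return f"{outward} {inward}"


def prepare_lookup(raw: object) -> dict:
    """Build the query parameters for a postcode lookup, or raise ValueError.

    Raising before the request is constructed is the point of the thread:
    a query that is destined to fail never reaches the remote service.
    The parameter name "postcode" is an assumption of this example.
    """
    postcode = normalise_postcode(raw)
    if postcode is None:
        raise ValueError("input is not a valid UK postcode")
    return {"postcode": postcode}


if __name__ == "__main__":
    # Constructed sample inputs: well-formed postcodes in sloppy forms, and
    # hostile strings of the kind the reply calls "rogue entry".
    samples = [
        "SW1A 1AA",
        "sw1a1aa",
        "  m1  1ae\n",
        "GIR 0AA",
        "W1A 0AX",
        "SW1A 1AA' OR 1=1--",
        "../../etc/passwd",
        "<script>alert(1)</script>",
        "",
        "SW1A 1AA" * 20,
    ]
    for sample in samples:
        print(repr(sample)[:40].ljust(42), "->", normalise_postcode(sample))
```

Because the check is an allow-list (only the known-good shape passes) rather than a deny-list of bad characters, it does not need updating every time a new injection trick appears, and the canonical form it returns means the backend sees one consistent representation regardless of how the user typed it.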
