> -----Original Message-----
> From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On Behalf Of Clark Morris
> Sent: Tuesday, April 01, 2008 7:36 PM
> To: IBM-MAIN@BAMA.UA.EDU
> Subject: Validation on client side was Re: IBMLink, again
>
> On 29 Mar 2008 17:33:40 -0700, in bit.listserv.ibm-main you wrote:
>
> >On 29/03/2008, Paul Gilmartin <[EMAIL PROTECTED]> wrote:
> >
> >> There's a thread ongoing in MVS-OE on CGI security. The first
> >> principle is: don't trust data received over the network. The
> >> second is: don't trust Javascript validation on the client side.
> >> Always remember that your potential adversary controls the client.
> >
> >There's a recent thread on Bruce Schneier's blog on The Security
> >Mindset.
> >http://www.schneier.com/blog/archives/2008/03/the_security_mi_1.html
> >Somehow it seems that people either think this way or they don't. That
> >anyone in 2008 could consider for a moment doing validation of
> >anything important on the client side is astonishing.
>
> To save hassle to the person at the keyboard, I would validate what I can
> on the client side and revalidate with paranoia on the server. This is to
> cut down on the number of transmissions.
>
> Clark Morris
This is what I do. I use Javascript on the client side simply as a "favor" to
the user so that they can have errors detected earlier. On the server side, I
trust nothing coming in from the client. Everything is validated. Even if I
"know for dead certain sure" that the value cannot be wrong.

--
John McKown
Senior Systems Programmer
HealthMarkets
Keeping the Promise of Affordable Coverage
Administrative Services Group
Information Technology
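The pattern both posters describe, as an added example that is not part of the thread: one set of rules run on the client as a convenience, and run again on the server from the raw request body, which ignores any "already validated" marker the client sends. The handler name, the field names and the sample requests are constructed for illustration.

```javascript
// Rules shared by both sides. On the client this gives early feedback;
// on the server it is the only check that counts.
function validateQuantity(raw) {
  const errors = [];
  // Accept only a plain decimal digit string, not e.g. "1e3", " 5" or a number.
  if (typeof raw !== "string" || !/^\d{1,4}$/.test(raw)) {
    errors.push("quantity must be 1-4 digits");
    return errors;
  }
  const qty = Number(raw);
  if (qty < 1 || qty > 1000) errors.push("quantity must be between 1 and 1000");
  return errors;
}

// Client side: run before submitting so the user sees errors without a
// round trip. Anything it blocks can still arrive in a hand-made request.
function clientSideCheck(formValues) {
  return validateQuantity(formValues.quantity);
}

// Server side (hypothetical handler): the body is an untrusted string off
// the network, so it is re-parsed and re-validated from scratch.
function serverHandleOrder(rawBody) {
  let body;
  try {
    body = JSON.parse(rawBody);
  } catch (e) {
    return { status: 400, errors: ["body is not valid JSON"] };
  }
  if (body === null || typeof body !== "object" || Array.isArray(body)) {
    return { status: 400, errors: ["body must be a JSON object"] };
  }
  // body.clientValidated is deliberately never read: the client controls it.
  const errors = validateQuantity(body.quantity);
  if (errors.length > 0) return { status: 400, errors };
  return { status: 200, accepted: { quantity: Number(body.quantity) } };
}

// Constructed sample requests: one produced by the real form after the
// client check passed, one assembled without ever running that check.
const fromForm = JSON.stringify({ quantity: "12", clientValidated: true });
const handCrafted = JSON.stringify({ quantity: "-999", clientValidated: true });
```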