Noscript tag vs. server-side validation?

This is a question that hasn't directly been asked yet.
I develop for a company which serves millions of web customers per year. Many of our web applications were written years ago (and with bad practice) and rely entirely on JavaScript for the pages to work, most notably web form validation.

Recently, we've been implementing noscript tags to redirect users to an error page if they don't use JavaScript.
I am having trouble convincing anyone why server validation should occur alongside client validation instead of using noscript, given that 99% of users now have JavaScript-enabled browsers.

Plus, adding an opening and closing tag and a redirect can be developed in 5 seconds, whereas server validation requires a lot more time and money.
What are your thoughts?
What is the real advantage of server validation if we now have noscript, besides the 1% of users who will just have to enable their scripting?

#0

You should always do server-side validation. Period. No question. You should never rely on the client to validate. Suppose a bot or something else makes the POSTs directly, bypassing both the JavaScript and the noscript tags. Another thing: not having server-side validation opens you up to SQL injection attacks as well.

#1

Server validation cannot be disabled or bypassed by clients, whereas client-side validation can.

Is this an issue for you? If it's open to the public on non-protected computers, I would be astounded if it isn't an issue. If you only rely on JavaScript validation, then if someone unscrupulous bypasses this (which is easy to do), does that cause:

  • security risks
  • data integrity risks
  • reputation risks
  • financial risks

to your client.

If it does, then you need server side validation asap, before someone attacks your site.
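The bot scenario in answer #0 and the bypass answer #1 describes, as an added example that is not part of the original thread: a Python handler that re-applies the form rules to the raw POST body and writes with a parameterized query, so the server's guarantee no longer depends on whether the browser ran any JavaScript. The form fields (name, email, age), their rules, the SQLite table and the three request bodies are assumptions constructed for illustration, not anything from the questioner's applications.

```python
# Added example (not from the original thread): server-side validation of a
# signup form that does not trust the client. The field names, rules, the
# SQLite schema and the sample request bodies below are assumptions.
import re
import sqlite3
import urllib.parse

# The same rules the page's JavaScript would enforce; re-checked here because
# nothing forces a client (bot, curl, a user with scripts disabled) to run it.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
MAX_NAME_LEN = 50
MIN_AGE, MAX_AGE = 13, 120


def parse_form_body(body):
    """Decode an application/x-www-form-urlencoded body into {field: value}.

    Only the first value of a repeated field is kept; a bot can send any
    fields it likes, so unknown or duplicated keys are simply ignored.
    """
    parsed = urllib.parse.parse_qs(body, keep_blank_values=True)
    return {key: values[0] for key, values in parsed.items()}


def validate_signup(form):
    """Return {field: error}; an empty dict means the submission is acceptable."""
    errors = {}
    name = form.get("name", "").strip()
    if not 1 <= len(name) <= MAX_NAME_LEN:
        errors["name"] = "name must be 1-%d characters" % MAX_NAME_LEN
    email = form.get("email", "").strip()
    if not EMAIL_RE.match(email):
        errors["email"] = "email is not well-formed"
    age = form.get("age", "").strip()
    if not age.isdigit() or not MIN_AGE <= int(age) <= MAX_AGE:
        errors["age"] = "age must be a whole number between %d and %d" % (MIN_AGE, MAX_AGE)
    return errors


def new_db():
    """In-memory SQLite database standing in for the real user store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT, age INTEGER)")
    return conn


def handle_signup(conn, body):
    """Simulated POST handler: returns (status, errors).

    Validation rejects malformed input; the parameterized INSERT makes sure
    that input which is well-formed but contains SQL metacharacters is stored
    as data, never run as SQL.
    """
    form = parse_form_body(body)
    errors = validate_signup(form)
    if errors:
        return 400, errors
    conn.execute(
        "INSERT INTO users (name, email, age) VALUES (?, ?, ?)",
        (form["name"].strip(), form["email"].strip(), int(form["age"])),
    )
    return 201, {}


def user_count(conn):
    return conn.execute("SELECT COUNT(*) FROM users").fetchone()[0]


def stored_name(conn, email):
    row = conn.execute("SELECT name FROM users WHERE email = ?", (email,)).fetchone()
    return row[0] if row else None


# Constructed request bodies, as a browser (or a bot skipping the browser
# entirely) would send them. None of them went through any JavaScript.
GOOD_BODY = urllib.parse.urlencode({"name": "Ada", "email": "ada@example.com", "age": "36"})
BYPASS_BODY = urllib.parse.urlencode({"name": "x' OR 1=1 --", "email": "not-an-email", "age": "-5"})
NAME_WITH_SQL = "Robert'); DROP TABLE users; --"
INJECT_BODY = urllib.parse.urlencode({"name": NAME_WITH_SQL, "email": "bob@example.com", "age": "40"})

if __name__ == "__main__":
    conn = new_db()
    for label, body in (("good", GOOD_BODY), ("bypass", BYPASS_BODY), ("inject", INJECT_BODY)):
        print(label, handle_signup(conn, body))
    print("rows stored:", user_count(conn))
    print("stored name for bob:", stored_name(conn, "bob@example.com"))
```

The bypass body is what answer #0's bot sends: it never saw the JavaScript or the noscript redirect, and only the server-side check turns it away. The inject body is the more instructive case: it satisfies every validation rule, so validation alone would not have saved the table; the parameterized query is what stores the name literally and leaves the table intact. That is why the two belong together rather than one replacing the other.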

#2

Notes/Suggestions:

  • Log the number of people who hit the noscript page. Using this data, you can give a potential value for revenue not gained because of a lack of server-side validation. Bosses are usually fluent in the language of money.
  • Potential SQL injection and other security issues are also very problematic. You should at least clean your values from your form, even if you don't validate them.
  • Data integrity could be compromised. Sometimes your scripts might fail, but they'll pass the noscript check. Without server-side validation, the data has less of a guarantee to be what it should.
  • Not supporting JavaScript just looks bad for something this simple. It's honestly a reputation risk.

#3

If someone purposefully tries to break your system/website, disables JavaScript and enters some script and SQL injection things, only server-side validation can block it. It's very much needed, as per my understanding.

#4

You need not be a pro to bypass the JavaScript validation with tools like Firebug. If you do not add server-side validation, your data integrity is at risk, which in turn would cause problems not only for your company but also for your clients. The reputation of your company is at stake here. (Should an attack occur, a reason/answer given to your clients like "We did not have server-side validation" would be really embarrassing, to say the least, as it is common practice to add server-side validation.)