JavaScript: client-side and server-side validation

Time: 2021-12-11 15:05:17

Which is better to do client side or server side validation?

In our situation we are using

  • jQuery and MVC.
  • JSON data to pass between our View and Controller.

A lot of the validation I do is validating data as users enter it. For example I use the keypress event to prevent letters in a text box, set a max number of characters and that a number is within a range.

I guess the better question would be, Are there any benefits to doing server side validation over client side?


Awesome answers everyone. The website that we have is password protected and for a small user base (<50). If they are not running JavaScript we will send ninjas. But if we were designing a site for everyone I'd agree to do validation on both sides.

12 solutions

#1


273  

As others have said, you should do both. Here's why:

Client Side

You want to validate input on the client side first because you can give better feedback to the average user. For example, if they enter an invalid email address and move to the next field, you can show an error message immediately. That way the user can correct every field before they submit the form.

If you only validate on the server, they have to submit the form, get an error message, and try to hunt down the problem.

(This pain can be eased by having the server re-render the form with the user's original input filled in, but client-side validation is still faster.)

Server Side

You want to validate on the server side because you can protect against the malicious user, who can easily bypass your JavaScript and submit dangerous input to the server.

It is very dangerous to trust your UI. Not only can they abuse your UI, but they may not be using your UI at all, or even a browser. What if the user manually edits the URL, or runs their own Javascript, or tweaks their HTTP requests with another tool? What if they send custom HTTP requests from curl or from a script, for example?

(This is not theoretical; eg, I worked on a travel search engine that re-submitted the user's search to many airlines, bus companies, etc, by sending POST requests as if the user had filled each company's search form, then gathered and sorted all the results. Those companies' form JS was never executed, and it was crucial for us that they provide error messages in the returned HTML. Of course, an API would have been nice, but this was what we had to do.)

Not allowing for that is not only naive from a security standpoint, but also non-standard: a client should be allowed to send HTTP by whatever means they wish, and you should respond correctly. That includes validation.

Server side validation is also important for compatibility - not all users, even if they're using a browser, will have JavaScript enabled.

Addendum - December 2016

There are some validations that can't even be properly done in server-side application code, and are utterly impossible in client-side code, because they depend on the current state of the database. For example, "nobody else has registered that username", or "the blog post you're commenting on still exists", or "no existing reservation overlaps the dates you requested", or "your account balance still has enough to cover that purchase." Only the database can reliably validate data which depends on related data. Developers regularly screw this up, but PostgreSQL provides some good solutions.

#2


74  

Yes, client side validation can be totally bypassed, always. You need to do both, client side to provide a better user experience, and server side to be sure that the input you get is actually validated and not just supposedly validated by the client.

#3


35  

I am just going to repeat it, because it is quite important:

Always validate on the server

and add JavaScript for user-responsiveness.

#4


30  

The benefit of doing server side validation over client side validation is that client side validation can be bypassed/manipulated:

  • The end user could have javascript switched off
  • The data could be sent directly to your server by someone who's not even using your site, with a custom app designed to do so
  • A Javascript error on your page (caused by any number of things) could result in some, but not all, of your validation running

In short - always, always validate server-side and then consider client-side validation as an added "extra" to enhance the end user experience.

#5


17  

You must always validate on the server.

Also having validation on the client is nice for users, but is utterly insecure.

#6


8  

You can do Server side validation and send back a JSON object with the validation results for each field, keeping client Javascript to a minimum (just displaying results) and still having a user friendly experience without having to repeat yourself on both client and server.

#7


6  

Well, I still find some room to answer.

In addition to answers from Rob and Nathan, I would add that having client-side validations matters. When you are applying validations on your webforms you must follow these guidelines:

Client-Side

  1. Must use client-side validations in order to filter genuine requests coming from genuine users at your website.
  2. The client-side validation should be used to reduce the errors that might occur during server side processing.
  3. Client-side validation should be used to minimize the server-side round-trips so that you save bandwidth and the requests per user.

Server-Side

  1. You SHOULD NOT assume the validation successfully done at client side is 100% perfect. No matter even if it serves less than 50 users. You never know which of your users/employees turn into an "evil" and do some harmful activity knowing you don't have proper validations in place.
  2. Even if it's perfect in terms of validating email address, phone numbers or checking some valid inputs it might contain very harmful data. Which needs to be filtered at server-side no matter if it's correct or incorrect.
  3. If client-side validation is bypassed, your server-side validations come to rescue you from any potential damage to your server-side processing. In recent times, we have already heard a lot of stories of SQL Injections and other sort of techniques that might be applied in order to gain some evil benefits.

Both types of validations play important roles in their respective scope but the strongest is the server-side. If you receive 10k users at a single point of time then you would definitely end up filtering the number of requests coming to your webserver. If you find there was a single mistake like invalid email address then they post back the form again and ask your user to correct it which will definitely eat your server resources and bandwidth. So better you apply javascript validation. If javascript is disabled then your server side validation will come to rescue and I bet only a few users might have accidentally disabled it since 99.99% of websites use javascript and it's already enabled by default in all modern browsers.

#8


4  

Client side should use a basic validation via HTML5 input types and pattern attributes and as these are only used for progressive enhancements for better user experience (Even if they are not supported on < IE9 and safari, but we don't rely on them). But the main validation should happen on the server side.

#9


2  

I will suggest to implement both client and server validation, it keeps project more secure... if I have to choose one I will go with server side validation.

You can find some relevant information here http://www.webexpertlabs.com/server-side-form-validation-using-regular-expression/

#10


1  

JavaScript can be modified at runtime.

I suggest a pattern of creating a validation structure on the server, and sharing this with the client.

You'll need separate validation logic on both ends, ex:

"required" attributes on inputs client-side

field.length > 0 server-side.

But using the same validation specification will eliminate some redundancy (and mistakes) of mirroring validation on both ends.
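
The approach from answers #6 and #10 (one validation structure built on the server, per-field results returned as JSON), as an added example that is not code from any poster. The field names and limits are hypothetical; they mirror the rules in the question (digits only, maximum length, number within a range).

```javascript
// Hypothetical rule set, defined once on the server and shared with the client.
const SPEC = {
  quantity: { required: true, pattern: /^[0-9]+$/, maxLength: 3, min: 1, max: 500 },
  promoCode: { required: false, pattern: /^[A-Z0-9]+$/, maxLength: 8 },
};

const own = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Server side: the authoritative check. It assumes nothing about the sender,
// so it handles missing fields, non-string values and fields outside the spec.
function validateOnServer(body, spec = SPEC) {
  if (body === null || typeof body !== 'object' || Array.isArray(body)) {
    return { ok: false, errors: { _form: 'body must be a JSON object' } };
  }
  // Null-prototype object: a field literally named "__proto__" is recorded
  // as an ordinary key instead of being silently dropped.
  const errors = Object.create(null);
  for (const name of Object.keys(body)) {
    if (!own(spec, name)) errors[name] = 'unexpected field';
  }
  for (const [name, rule] of Object.entries(spec)) {
    const value = own(body, name) ? body[name] : undefined;
    if (value === undefined || value === '') {
      if (rule.required) errors[name] = 'required';
      continue;
    }
    if (typeof value !== 'string') { errors[name] = 'must be a string'; continue; }
    if (value.length > rule.maxLength) {
      errors[name] = `at most ${rule.maxLength} characters`;
      continue;
    }
    if (!rule.pattern.test(value)) { errors[name] = 'invalid characters'; continue; }
    if (rule.min !== undefined) {
      const n = Number(value);
      if (n < rule.min || n > rule.max) {
        errors[name] = `must be between ${rule.min} and ${rule.max}`;
      }
    }
  }
  return { ok: Object.keys(errors).length === 0, errors };
}

// Client side: the same spec rendered as HTML attributes, for feedback only.
// The pattern attribute is implicitly anchored, so ^ and $ are stripped.
function toHtmlAttributes(name, spec = SPEC) {
  const rule = spec[name];
  const pattern = rule.pattern.source.replace(/^\^|\$$/g, '');
  const attrs = [`name="${name}"`, `maxlength="${rule.maxLength}"`, `pattern="${pattern}"`];
  if (rule.required) attrs.push('required');
  return attrs.join(' ');
}

// Constructed request body, as a script could send it without the form's JavaScript.
const forged = { quantity: '9999', isAdmin: 'true' };
console.log(JSON.stringify(validateOnServer(forged)));
console.log(`<input ${toHtmlAttributes('quantity')}>`);
```

The client only displays `errors`; a request that skips the form is still judged by `validateOnServer`.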

#11


0  

I came across an interesting link that makes a distinction between gross, systematic, random errors.

Client-Side validation suits perfectly for preventing gross and random errors. Typically a max length for texture and input. Do not mimic the server-side validation rule; provide your own gross, rule of thumb validation rule (ex. 200 characters on client-side; n on server-side dictated by a strong business rule).

Server-side validation suits perfectly for preventing systematic errors; it will enforce business rules.

In a project I'm involved in, the validation is done on the server through ajax requests. On the client I display error messages accordingly.

Further reading: gross, systematic, random errors:

https://answers.yahoo.com/question/index?qid=20080918203131AAEt6GO

#12


-2  

If you are doing light validation, it is best to do it on the client. It will save the network traffic which will help your server perform better. If it is complicated validation that involves pulling data from a database or something, like passwords, then it is best to do it on the server where the data can be securely checked.
