Which validation type is better?


Problem description


Hi Guys,

Recently I read the article on database validation for common regular expressions like email, phone number and URL etc.

I would like to get some opinions on these three: which is better, or which combination is better, to make your code secure?

1) Client-side validation using jQuery, JavaScript.
-> fast; UI can be managed properly using jQuery CSS
-> can be broken by security software like Burp
2) Server-side validation using required / regular expression validation
-> somewhat secure against Burp-like tools.
-> can be heavy if we have a lot of validation controls on a single form
-> code can be lengthy if we have a lot of validation / data annotation rules / other custom business-logic-related code.
3) Database validation
-> provides more security
-> requires custom error handling setup to manage proper UI
-> one-time code for user-defined functions
-> every time requires a round trip to the server.

Now, we already know that the database is already doing some kind of validation based on column datatype and constraints like unique key etc. In this case, is it okay to avoid code-side validation directly, and/or how should we manage this?

Recommended answer

"Better" is the Boolean operator you still have to define on the set of techniques, but I doubt you can do it. Better for what? It makes your question invalid.

All types of validation have their importance. In every specific case, a certain subset of them should be used, ranging from "none of them" to "all of them". But you've built the set of techniques not quite correctly. The mistaken one is about the server-side validation. You should have written just "server-side validation". Depending on the validation criteria you may or may not use Regular Expression or something else. By the way, asking questions on how to use Regular Expression for some criteria where this technique is totally unsuitable is one of the typical mistakes we often see on this forum.

—SA


I think the choice of techniques will depend on the current context, and the "probable anticipated future" context(s).

By context, I mean:

1. location: of database, users, code: highly-secured intranet / network share? open network subject to hacking? etc.

2. users: limited, unlikely to increase? load will vary greatly in an unpredictable way? it is certain the load will increase predictably, or unpredictably? extreme scaling required from the start?

3. code and administration: predictably excellent? outsourced and perhaps irregular support, monitoring? code-base/database subject to hacking? best-in-breed industrial security procedures required?

4. hardware: users' PCs, server hardware ... capacity, performance, reliability.
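
An added example (not part of the original thread) of combining the layers the question lists: server-side checks run on every request regardless of what the client did, and database constraints act as a backstop whose errors are mapped to field messages for the UI. The table, field names, patterns and messages are assumptions made for illustration.

```python
import re
import sqlite3

# Deliberately simple pattern for this example, not a full RFC 5322 check.
EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")
PHONE_RE = re.compile(r"\+?[0-9]{7,15}")


def open_db():
    db = sqlite3.connect(":memory:")
    # Database layer: rules that hold for every writer, not just this form.
    db.execute("""
        CREATE TABLE users (
            email TEXT NOT NULL UNIQUE CHECK (length(email) <= 254),
            phone TEXT NOT NULL CHECK (length(phone) BETWEEN 7 AND 16)
        )""")
    return db


def validate(form):
    """Server-side validation: never assumes client-side checks ran."""
    errors = {}
    email = form.get("email", "")
    phone = form.get("phone", "")
    if len(email) > 254 or not EMAIL_RE.fullmatch(email):
        errors["email"] = "Enter a valid email address."
    if not PHONE_RE.fullmatch(phone):
        errors["phone"] = "Enter 7 to 15 digits."
    return errors


def register(db, form):
    """Return a dict of field errors; an empty dict means the row was stored."""
    errors = validate(form)
    if errors:
        return errors
    try:
        with db:  # commits on success, rolls back on error
            db.execute("INSERT INTO users (email, phone) VALUES (?, ?)",
                       (form["email"].lower(), form["phone"]))
    except sqlite3.IntegrityError as exc:
        # Uniqueness can only be decided by the database; translate the
        # constraint failure into a message the UI can show.
        if "UNIQUE" in str(exc):
            return {"email": "That address is already registered."}
        return {"form": "The data could not be saved."}
    return {}
```

Client-side checks can still be layered on top for fast feedback, but nothing in `register` depends on them.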

