如果要验证客户端，是否应该验证服务器端? [英] Should you validate server side if you're validating client side?

问题描述

我还应该补充一点，我问的是mysql扩展名.我知道应该使用mysqli或PDO.如果我使用 jQuery验证来验证客户端(例如电子邮件)，我应该也可以在服务器端使用它(确保它不是空白并且是有效的电子邮件)?

I should also add that I'm asking with the mysql extension in mind. I know that mysqli or PDO should be used. If I'm using jQuery Validationto validate client side (such as an email perhaps), should I also do it server side (make sure it's not blank and is a valid email)?

我只是想知道我是否只是通过不验证服务器端而对跨站点脚本漏洞或SQL注入或其他任何事情开放自己，或者只要我采取安全措施就可以了吗?提交表单数据时.

I'm just wondering if I'm opening myself up to Cross-site scripting vulnerabilities or SQL injections or anything else for that matter by simply not validating server side or will I be okay as long as I'm taking security measures when form data is being submitted.

推荐答案

是是始终是.永远不要相信来自浏览器的任何东西.

YES YES always YES. Never trust anything that comes from the browser.

在最温和的情况下，如果他们禁用了Java脚本怎么办?

In the most benign case, what if they had Javascript disabled?

对于一个更加曲折的情况，如果他们使用curl之类的方式手动发布数据该怎么办?

For a more devious case, what if they were manually posting the data with something like curl?

这篇关于如果要验证客户端，是否应该验证服务器端?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！