Where do you do your validation? model, controller or view


Problem description




Where do you put user input validation in a web form application?

  1. View: JavaScript client side
  2. Controller: Server side language (C#...)
  3. Model: Database (stored procedures or dependencies)

I think there is validation required by each level:

  1. Did the user input a sane value
    • are dates actual dates, are numbers actually numbers ...
  2. Do all of the checks in 1. again plus checks for malicious attacks (i.e. XSS or SQL injection)
    • The checks done in 1. are mainly to avoid a server round trip when the user makes a mistake.
    • Since they are done on the client side in JavaScript, you can't trust that they were run. Validating these values again will stop some malicious attacks.
  3. Are dependencies met (ie. did the user add a comment to a valid question)
    • A good interface makes these very hard to violate. If something is caught here, something went very wrong.

[inspired by this response: http://stackoverflow.com/questions/134253/how-many-of-you-do-3-tier-design#134300]

Solution

I check in all tiers, but I'd like to note a validation trick that I use.

I validate in the database layer; proper constraints on your model will provide automatic data integrity validation.

This is an art that seems to be lost on most web programmers.
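The controller and model tiers described above, as an added example that is not part of the original question or answer. It assumes Python with SQLite standing in for the server-side language and database; the table, column and function names are hypothetical.

```python
import sqlite3
from datetime import date

# Constructed schema: these constraints are the model-tier validation.
SCHEMA = """
CREATE TABLE question (
    id    INTEGER PRIMARY KEY,
    title TEXT NOT NULL CHECK (length(title) BETWEEN 1 AND 200)
);
CREATE TABLE comment (
    id          INTEGER PRIMARY KEY,
    question_id INTEGER NOT NULL REFERENCES question(id),
    body        TEXT NOT NULL CHECK (length(body) BETWEEN 1 AND 500),
    posted_on   TEXT NOT NULL CHECK (posted_on IS date(posted_on))
);
INSERT INTO question (id, title) VALUES (1, 'Where do you validate?'); -- constructed row
"""

def open_db():
    db = sqlite3.connect(":memory:")
    db.execute("PRAGMA foreign_keys = ON")  # SQLite leaves FK enforcement off by default
    db.executescript(SCHEMA)
    return db

def validate_comment(form):
    """Controller tier: repeat the client-side sanity checks on the server."""
    errors = []
    qid = form.get("question_id", "")
    if not (qid.isascii() and qid.isdigit()):
        errors.append("question_id must be a number")
    try:
        date.fromisoformat(form.get("posted_on", ""))
    except ValueError:
        errors.append("posted_on must be a real date")
    if not 1 <= len(form.get("body", "")) <= 500:
        errors.append("body must be 1-500 characters")
    return errors

def add_comment(db, form):
    errors = validate_comment(form)
    if errors:
        return ("rejected", errors)
    try:
        with db:  # bound parameters keep user values out of the SQL text
            db.execute("INSERT INTO comment (question_id, body, posted_on) VALUES (?, ?, ?)",
                       (int(form["question_id"]), form["body"], form["posted_on"]))
    except sqlite3.IntegrityError as exc:  # model tier caught what the controller could not
        return ("constraint", [str(exc)])
    return ("stored", [])
```

A comment on question 999 passes every controller check and is stopped only by the foreign key, which is the dependency case from point 3 of the question.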
