struts-user mailing list archives

From Michael Hanisch <mhani...@redhat.com>
Subject Re: Validation. When, where and what?
Date Tue, 18 Feb 2003 11:11:20 GMT
On Tue, 2003-02-18 at 11:44, Simon Kelly wrote:

Hi Simon!

> I am just trying to work out how far to go in the project I'm doing with
> certain aspects of struts and after reading the last couple of date format
> mails "validation", of which I currently use none [if you can't type the data
> in correctly, back away from the computer (l)user], has come up as one of
> those things to think about.
> 
> How far and how deep into the application should validation occur?  Now I
> can understand validation of the user input client side, that is only
> polite.  But what should be validated server side?
On the server side, you should always validate all user input (again,
even if you did it on the client side) to protect your application from
malicious code. And to avoid presenting nasty error pages to the user.

Of course, you also have to do validation on lower levels of your system
to ensure that no action that you perform puts the system into an
inconsistent state...

>  If I were to use
> multiple xml sources to generate a page (I use xslt not jsp) should I
> validate the xml structure of each source prior to generating the page?  If
> these files are very large (I would be looking at anything up to 4MB) this
> would be very time consuming. 
This is obviously a completely different kind of validation...
I don't know what kind of machine you are talking about, but even a pure
transformation of a 4MB document (on every request?!) sounds like a real
nightmare... So I would avoid validation at this step, especially if you
can control the process that generates those XML documents (see below).


> Should I validate the xslt page, as there is
> no point in calling it if it's just going to throw an error.
Are you generating your XSLTs on the fly or do you write them once?
If you develop them "by hand", then you should validate them just once
before deployment (this should be one step in your testing process
anyway...) No need to do this on every request.
 
> The xml sources will possibly be generated by dynamically formed xqueries to
> a database returning xml.  I know the xquery should be validated prior to
> sending to the db, but should the returned xml be validated before sending
> back up to the Action?
If the xqueries are generated dynamically, I'd validate them, especially
if they include user input. 
I don't know much about XQuery, but as I see it, if you have a (valid)
query which returns an XML document you have a guarantee that your XML
is at least well-formed. (validity is another story, but I don't know if
all your query results have the same schema or not).

> I am just asking in case anyone has any thoughts on this.  It's not a when to
> use it question, more of a when to stop using it.
I guess it depends on what you want to do. If we are talking about a
research project, it would probably be nice to explore on which levels
validation can be performed, and performance is not such a big deal.
For a "real", live site you'll be in trouble since just transforming XML
documents of that size will be slow...

Just my EUR 0.02...

	Michael.

-- 
Michael Hanisch                                      mhanisch@redhat.com
Red Hat - RH Interchange Inc., Orleansstrasse 4,  D-81669 Munich/Germany
phone: +49 (0)89 206058-53                      fax: +49 (0)89 206058-88
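
The message's advice to validate user input on the server before it reaches a dynamically formed XQuery, sketched as an added example that is not part of the original thread or of Struts. The class name, field names, allowlist rules and the `orders.xml` document are assumptions made for illustration.

```java
import java.util.regex.Pattern;

public class XQueryInputCheck {
    // Allowlists (assumed rules for this example): numeric id, short plain name.
    private static final Pattern ID = Pattern.compile("[0-9]{1,9}");
    private static final Pattern NAME = Pattern.compile("[\\p{L} .'-]{1,64}");

    /** Returns the value if it matches the allowlist, otherwise rejects the request. */
    static String require(String field, String value, Pattern allowed) {
        if (value == null || !allowed.matcher(value).matches()) {
            throw new IllegalArgumentException("invalid " + field);
        }
        return value;
    }

    /** Escapes a value for an XQuery string literal delimited by double quotes. */
    static String xqueryLiteral(String s) {
        // '&' starts an entity reference inside a literal; a doubled '"' is a literal quote.
        return "\"" + s.replace("&", "&amp;").replace("\"", "\"\"") + "\"";
    }

    /** Builds the query only from validated values; escaping is a second layer. */
    static String buildQuery(String rawId, String rawName) {
        String id = require("id", rawId, ID);
        String name = require("name", rawName, NAME);
        // orders.xml and the element names are hypothetical.
        return "for $o in doc(\"orders.xml\")//order[customer/@id = " + id
             + " and customer/name = " + xqueryLiteral(name) + "] return $o";
    }

    public static void main(String[] args) {
        System.out.println(buildQuery("42", "O'Brien"));
        // Constructed inputs that a client-side check could be bypassed to send.
        String[][] bad = { {"42 or 1=1", "x"}, {"42", "a\" or \"1\"=\"1"}, {null, "x"} };
        for (String[] b : bad) {
            try {
                buildQuery(b[0], b[1]);
                System.out.println("accepted (unexpected)");
            } catch (IllegalArgumentException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```

In a Struts application the `require` calls would sit in the form or action code that runs on every request, regardless of any client-side checks.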
