Client-side validation just avoids the client from going "but I filled this all in and it didn't tell me anything!". It's not actuallymandatory, and in reality, client-side validation is a very new thing (read: 5 years old or less). In practice, all it does is prevent your client (with JS enabled) to know whether the form is okay before reloading a page. If AJAX is in the game, it is different - it allows you to save bandwidth as well as to provide user with feedback before submission. Finally, if you're building strictly client-side, peer-to-peer exchange apps (think games), you'll want client-side validation to keep the clients from cheating.

客户端验证只是避免客户端“但我全部填写了它，它没有告诉我任何事情！”。它实际上不是强制性的，实际上，客户端验证是一个非常新的东西（阅读：5 年或更短）。实际上，它所做的只是阻止您的客户端（启用了 JS）在重新加载页面之前知道表单是否正常。如果 AJAX 在游戏中，则不同——它允许您节省带宽以及在提交之前向用户提供反馈。最后，如果您正在构建严格的客户端、点对点交换应用程序（想想游戏），您将需要客户端验证以防止客户端作弊。

Server-side validation is also crucial due to the fact that client-side validation can be completely bypassed by turning off JavaScript. In a way, JS-driven validation is a convenience and an aesthetic/cosmetic improvement and should notbe relied upon. Furthermore, it is trivial to edit the source of a page locally in order to disable or bypass even the most complex of JS validation.

服务器端验证也很重要，因为可以通过关闭 JavaScript 完全绕过客户端验证。在某种程度上，JS-驱动验证是一种方便和美学/化妆品的改进和应该不被依赖。此外，为了禁用或绕过最复杂的 JS 验证，在本地编辑页面源是微不足道的。

What could a user do if you do not server-side validate? Anything, depending on how you use their data. You could be allowing users to drop entire databases (or worse, leak them), modify anything they like (or worse, read anything they like. Directory traversal flaws are extremely common entrance points for naughty people), and elevate their privileges at will. Do you want to run this risk? Not validating user input is like trusting people and not installing locks on your house.

如果您不进行服务器端验证，用户可以做什么？任何事情，取决于您如何使用他们的数据。你可以允许用户删除整个数据库（或者更糟的是，泄露它们），修改他们喜欢的任何东西（或者更糟的是，阅读他们喜欢的任何东西。目录遍历缺陷是顽皮的人非常常见的入口点），并随意提升他们的特权。你想冒这个险吗？不验证用户输入就像信任别人而不是在你的房子上安装锁。

Validationshould always be performed server-side - you can never trust client-side validation.

验证应始终在服务器端执行 - 您永远不能信任客户端验证。

Client-side validationis always in the sense of providing a better User Experience (UX), so the user doesn't have to submit and reload a page simply because a value in a form isn't valid - it makes things more dynamic.

客户端验证总是在提供更好的用户体验 (UX) 的意义上，因此用户不必仅仅因为表单中的值无效而提交和重新加载页面 - 它使事情变得更加动态。

As you don't even need a browser to make requests, independently of your website relying on JS to work properly, you will need server-side validation and sanitize all user input in case you care about not having your databases pwned.

由于您甚至不需要浏览器来发出请求，独立于您的网站依赖 JS 正常工作，您将需要服务器端验证并清理所有用户输入，以防您担心数据库不被盗用。

Now it is up to you whether you want to provide an UI with dynamic client-side validation hints or not.

现在由您决定是否要提供带有动态客户端验证提示的 UI。

Always protect your inputs on the server. It's not always about users having JavaScript disabled but also that they could break the server.

始终保护您在服务器上的输入。这并不总是关于禁用 JavaScript 的用户，而且他们可能会破坏服务器。

For example, if a site has a JavaScript max-length check on an <input>, a user can could disable that check, thereby sending more data than your server and/or database is expecting. This could overload the server by a large POST occupying a server thread for a long time, it could expose a weakness in the database for example violating a database constraint potentially exposing details about any persistence information. Worse, if there is no constraint a user might be able to perform injection attacks.

例如，如果站点对 进行了 JavaScript 最大长度检查<input>，则用户可以禁用该检查，从而发送比您的服务器和/或数据库预期更多的数据。这可能会通过长时间占用服务器线程的大型 POST 使服务器过载，它可能会暴露数据库中的弱点，例如违反数据库约束可能会暴露有关任何持久性信息的详细信息。更糟糕的是，如果没有限制，用户可能能够执行注入攻击。

Another example is someone using an external HTTP tool to send requests to your server, completely bypassing any JavaScript. I use the Advanced REST Clientfor Chrome all the time in development for testing JSON APIs.

另一个例子是有人使用外部 HTTP 工具向您的服务器发送请求，完全绕过任何 JavaScript。我在开发过程中一直使用Advanced REST Clientfor Chrome 来测试 JSON API。

Client side validation through JavaScript is just a way of providing a quickerfeedback to a person using the site of any information about their interaction with the site. In traditional client-server communication it should notbe the only validation for the reasons outlined above.

通过 JavaScript 进行客户端验证只是向使用站点的人提供有关他们与站点交互的任何信息的更快反馈的一种方式。在传统的客户端-服务器通信中，由于上述原因，它不应该是唯一的验证。

If a user has disabled javascript is a problem of himself and he decided alone to disable the javascript for a reason... For that, when you making a website you must have always in mind that your web site must be valid for users with and without javascript. The both side validation is needed for a number of reasons, some of them are:

如果用户禁用了 javascript 是他自己的问题，而他出于某种原因决定单独禁用 javascript...为此，当您制作网站时，您必须始终牢记您的网站必须对拥有和没有javascript。需要双方验证的原因有很多，其中一些是：

• User has disabled javascript
• An evil user in purpose has removed the javascript in order to exploit the system
• With javascript validation you reducing the data traffic between the website and the client.
• And of course with server validation you make sure once for all that the data are correct

• 用户已禁用 javascript
• 恶意用户故意删除了 javascript 以利用系统
• 通过 javascript 验证，您可以减少网站和客户端之间的数据流量。
• 当然，通过服务器验证，您可以一劳永逸地确保数据正确

It is possible to have a website that is using both javascript and "older" technologies to be valid for every user and every browser.

有可能同时使用 javascript 和“旧”技术的网站对每个用户和每个浏览器都有效。

Client-side validation is a solution for highly interactive forms with on-the-fly field validation, but it will not prevent a ill-intentioned user from injecting and posting invalid formatted data to the server. It is important that your server-side script validates everything the user is doing, otherwise you will expose your site to SQL injection attacks, XSS attacks, users doing stuff they are not supposed to etc.

客户端验证是具有即时字段验证的高度交互表单的解决方案，但它不会阻止恶意用户将无效的格式化数据注入和发布到服务器。重要的是您的服务器端脚本验证用户正在做的一切，否则您的站点将暴露于 SQL 注入攻击、XSS 攻击、用户做他们不应该做的事情等。