
Why client-side verification is bad

19 points by mopoke, almost 14 years ago

17 comments

fragsworth, almost 14 years ago
Sure, we can all poke fun at them for being stupid programmers. Multi-billion dollar company and they don't even know how to do server-side verification? LOL, we're so much better than they are!

But think about it for a moment. Assuming the ideal product would have both client + server verification, it's clearly less work to only do client-side verification. The product can be released quicker.

Maybe they *intentionally* forgo the server-side verification code until they *actually get cheaters*. Then they implement it before it begins to hurt their bottom line.

Because what if the game was an utter failure, and never got any users? How glad would you be that you spent all that time writing the server checks for every game action?
frobozz, almost 14 years ago
This attitude throws the baby out with the bathwater.

Client-side verification is Good, it saves bandwidth and reduces annoyance to the user. Client-side verification without also checking on the server is bad.

Given the example of a word game to be played on a phone, I would argue that client-side verification of valid words is vital.
corin_, almost 14 years ago
There was a competition for university students in the UK a few months ago from some investment company, trying to raise interest for post-grad careers with them, basically a several-stage speed test, top five speeds at the end of the time period would get to choose a prize, iPhone, cash, few other things.

A friend of mine (a student) asked me if it was possible to create macros in a browser to help go faster, and since I was bored and lack morals in this area... just took a look through the JS, and fifteen minutes later and an injection for him to paste into the URL bar and skip through each stage, making the game think he had completed it, as fast or slow as he wanted. So he got a free iPhone.
andrewcooke, almost 14 years ago
(thinking more about web pages than apps here)

are there any frameworks that let you re-use the same verification code on both client and server? i'm imagining some way to decouple the validation from the presentation and then run the validation part on both sides - i don't see why this wouldn't be possible with something like Node.js.

related, i guess that some frameworks (particularly ajax) support duplicating validation on client and server by automatically generating (different) client (javascript) and server-side code (python/ruby/java/...) from simple specifications (eg regexps). does anyone have good experiences with any of these?
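Added example, not part of the thread or any commenter's code: one way to share validation between browser and Node.js as the comment above imagines, with a single pure function that the client calls for instant feedback and the server re-runs against its own state. The word list, rack layout, function names and the length-based score are assumptions made for illustration.

```javascript
// Shared rules module: the same file can be bundled for the browser and
// loaded by a Node.js server. All names here are hypothetical.
const DICTIONARY = new Set(["cat", "act", "tack"]); // constructed sample word list

// Pure function with no DOM or network access, so it runs unchanged on both sides.
function validateMove(move, rack) {
  if (typeof move !== "object" || move === null || typeof move.word !== "string") {
    return ["malformed move"];
  }
  const errors = [];
  const word = move.word.toLowerCase();
  if (!/^[a-z]{2,15}$/.test(word)) errors.push("word must be 2-15 letters");
  if (!DICTIONARY.has(word)) errors.push("not in dictionary");
  // Every letter played must come from the tiles the player actually holds.
  const remaining = [...rack];
  for (const ch of word) {
    const i = remaining.indexOf(ch);
    if (i === -1) { errors.push(`tile '${ch}' not in rack`); break; }
    remaining.splice(i, 1);
  }
  return errors;
}

// Client: call validateMove(move, localRack) before sending, purely for UX.
// Server: re-run the same function, but against state the server holds.
function handleMoveRequest(body, serverState) {
  let move;
  try {
    move = JSON.parse(body);
  } catch {
    return { status: 400, errors: ["invalid JSON"] };
  }
  // The rack comes from server state, never from the request body.
  const rack = serverState.racks[serverState.currentPlayer];
  const errors = validateMove(move, rack);
  if (errors.length > 0) return { status: 422, errors };
  // Placeholder scoring, computed server-side; client-sent score/valid fields are ignored.
  return { status: 200, score: move.word.length, errors: [] };
}
```
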
Joakal, almost 14 years ago
Client side validation is good for speed, however should not be trusted when sent to server. Server side validation is for validating such information to prevent issues, e.g. SQL injections.
robryan, almost 14 years ago
Words with Friends really needs both; without client side it would be tedious for attempting a word. Of course this could also cut down on people trying their letters just about every way they can until they get a word.
chris_engel, almost 14 years ago
This is obvious, isn't it?! Everything the user has access to can be manipulated.
robin_reala, almost 14 years ago
Sorry, what? Client-side verification is categorically not bad. It’s when you don’t combine it with a round-trip to server-side verification that you have problems.
eyalbd1, almost 14 years ago
Client side verification is good to prevent unnecessary hits on the server when the input is incorrect/incomplete, it's not.. in any way.. a real input validation.
dclaysmith, almost 14 years ago
"It wasn't very hard to circumvent this, resulting in a version which accepts moves like the above one.."

I'm more curious as to how you go about circumventing this. I would imagine that it probably IS very hard.
kieranyo, almost 14 years ago
Surely this is just common sense at this point?
steffoz, almost 14 years ago
Validation client side is just a way to make user interaction faster. Nothing more, but quite useful, indeed.
ragmondo, almost 14 years ago
Wanted to comment on the article but all I could think about was "READ THAT EMAIL IN YOUR STATUS BAR"
nodata, almost 14 years ago
Does HN use client side verification for votes? Otherwise how did this get here?
masklinn, almost 14 years ago
Not bad, *insufficient*.
lurchpop, almost 14 years ago
it is very annoying to have to duplicate validation logic though.
avstraliitski, almost 14 years ago
Fundamental truth = no code should ever trust its input. Break this rule never. If you have optimization problems, then don't worry because they're better than security problems and the hardware will likely solve it for you by the time you release. Trust relationships between bits of any codebase mean 'not loose coupled' = fundamental design flaw for simple, maintainable and secure code. Unix design philosophy: "do one thing and do it well" (and that means checking all your input religiously for every function)