
Would this be considered duplication of validation logic?

I have a sample class like this:

public class Customer
{
    public string FirstName { get; set; }
    public string LastName { get; set; }
    public int ContactNumber { get; set; }
    public System.DateTime DateOfBirth { get; set; }
}

All of these fields are required before adding a customer to the database. So in the service/business logic layer I do validation for these 4 properties. I validate that FirstName and LastName are not empty and ContactNumber is greater than 0 and DateOfBirth is greater than 1930 (just as an example). In the aspx page, before I can pass the customer object to the service/business logic layer to validate and add to the database, I do type checking for ContactNumber and DateOfBirth. I use simple functions like IsNumeric and IsDate.

I know the validation is supposed to be done in the service layer so that if another app needs to use this logic in the future, duplication can be avoided.

Is it common to do type checking in the aspx page and then pass the object to the service layer, which does all the other validation? I know one way to avoid this is to use JavaScript. For the sake of argument (never really happens), the client turns off his JavaScript. Another option I was thinking about is that the function that adds a customer to the database accepts all its parameters as objects. This way type checking can be avoided in the aspx page and just be done in the service layer. But what if there are like 20 properties that I have to send as method parameters?

You should be validating at both the client and the server.

The JavaScript validation would be performed on the client side and would reduce the number of round trips to the server if the user has simply made a mistake and forgotten to enter their details. This would also provide a better user experience.

The server-side validation is crucial and should also be performed. If the user ever disables JavaScript or an attacker sends malicious form values to your server, then this validation would kick in. Since you are using WebForms, you can use the Validation Controls within the framework, for example RegularExpressionValidator, and have a Validation Summary.

If you wanted to do the validation yourself, then this logic would best sit in a ValidationService as you describe, which could accept the Customer class as an argument rather than the 20 properties you stated in your question.

You may also want to consider using other libraries to prevent attacks such as XSS.
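An added example, not part of the original question or answers: one way to split the work so that nothing is duplicated. The page only parses untrusted form strings into typed values, and a service validates the resulting Customer. The names `CustomerValidationService` and `CustomerFormBinder` and the `yyyy-MM-dd` date format are assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Globalization;

public class Customer
{
    public string FirstName { get; set; }
    public string LastName { get; set; }
    public int ContactNumber { get; set; }
    public DateTime DateOfBirth { get; set; }
}

// Hypothetical service: owns the business rules and is reusable by any front end.
public static class CustomerValidationService
{
    public static List<string> Validate(Customer c)
    {
        var errors = new List<string>();
        if (c == null) { errors.Add("Customer is required."); return errors; }
        if (string.IsNullOrWhiteSpace(c.FirstName)) errors.Add("FirstName is required.");
        if (string.IsNullOrWhiteSpace(c.LastName)) errors.Add("LastName is required.");
        if (c.ContactNumber <= 0) errors.Add("ContactNumber must be greater than 0.");
        // Rule taken from the question's example: year of birth greater than 1930.
        if (c.DateOfBirth.Year <= 1930) errors.Add("DateOfBirth must be later than 1930.");
        return errors;
    }
}

// Presentation-side step: type conversion of raw form strings, nothing else.
public static class CustomerFormBinder
{
    public static bool TryBind(string first, string last, string contact, string dob,
                               out Customer customer, out List<string> errors)
    {
        errors = new List<string>();
        customer = null;
        // NumberStyles.None accepts digits only: no sign, whitespace or separators.
        if (!int.TryParse(contact, NumberStyles.None, CultureInfo.InvariantCulture, out int number))
            errors.Add("ContactNumber must be a whole number.");
        // Assumed wire format; a fixed format avoids culture-dependent parsing.
        if (!DateTime.TryParseExact(dob, "yyyy-MM-dd", CultureInfo.InvariantCulture,
                                    DateTimeStyles.None, out DateTime birth))
            errors.Add("DateOfBirth must be in yyyy-MM-dd format.");
        if (errors.Count > 0) return false;
        customer = new Customer { FirstName = first, LastName = last,
                                  ContactNumber = number, DateOfBirth = birth };
        errors = CustomerValidationService.Validate(customer);
        return errors.Count == 0;
    }
}
```

The code-behind calls `TryBind` with the raw text box values and shows `errors` when it returns false; any other caller that already holds a typed `Customer` goes straight to `Validate`.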

It really all depends on your design and needs. The points you mentioned are all valid points. Yes, ideally you need to do the validation in the service/business layer in case more than one presentation layer is calling it, but also because the service/business layer is the one that is responsible for the business logic.

However, you are also right that often some validation is done in the presentation layer for several reasons: It is the one interacting with the user and displaying the validation errors. Also, some validation techniques can only be done in the presentation layer, for example JavaScript, which is used to make the validation much more responsive without a need for trips to the server every time. However, JavaScript validation is only used to enhance the user experience, but never depend on it as a real validation because it is easy to bypass it.

So from the design perspective, your validation in the service/business layer and presentation layer is considered to be a good design and not bad duplication of efforts.

However, practice sometimes does not follow the theory exactly. For example, some validation could be very long and expensive to perform twice. In such a case, perhaps the only place you want to put such a validation is the service/business layer.
