为什么在 HTML5 验证存在时在 Spring MVC 中使用 @Valid
[英]Why use @Valid in Spring MVC when HTML5 Validation exists
问题描述
Why to use @valid annotation when HTML5 validation exists on the page?
当页面上存在 HTML5 验证时,为什么要使用 @valid 注解?
We could focus on business logic rather than adding extra controllers to validate.我们可以专注于业务逻辑,而不是添加额外的控制器来验证。 Is it because there are any bugs using of web pages?是因为使用 web 页面有任何错误吗?
2 个解决方案
解决方案1
2 2020-04-16 12:19:22
You can't have the server depend on client validation,您不能让服务器依赖于客户端验证,
If user use old page without validation or user will send request to server directly (or user manipulate HTML as @Chris comment),如果用户在未经验证的情况下使用旧页面或用户将直接向服务器发送请求(或用户操作 HTML 作为@Chris 评论),
Then the validation won't take place and然后验证将不会发生,并且
Server validation make sure you keep your data integrity服务器验证确保您保持数据完整性
It also prevent malicious attacks as SQL injection (if you aren't using PrepareStatement for example)它还可以防止恶意攻击,例如 SQL 注入(例如,如果您不使用 PrepareStatement)
解决方案2
0 2020-04-16 12:22:05
The actual data submission request can be intercepted, captured, changed, and replayed.实际的数据提交请求可以被拦截、捕获、更改和重放。 During the replay, a malicious user can change the body of the request to submit just any data they wish.在重放期间,恶意用户可以更改请求的正文以提交他们想要的任何数据。 Irrespective of front end technology and framework, your back end will eventually end up receiving a data request.无论前端技术和框架如何,您的后端最终都会收到数据请求。 It's how you treat the content of that request that makes a difference.您如何处理该请求的内容会有所不同。 That's why every bit of data submitted by your user has to be validated on your back end.这就是为什么您的用户提交的每一点数据都必须在您的后端进行验证。
TLDR;: Never trust the data submitted by the user. TLDR;:永远不要相信用户提交的数据。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.