Timeline for How to avoid double data validation in an application with web interface?
Current License: CC BY-SA 3.0
12 events
| when toggle format | what | by | license | comment | |
|---|---|---|---|---|---|
| May 16, 2017 at 19:05 | comment | added | JacquesB | Are you thinking about a web API or similar? In that case you should indeed validate all external input. But internally you would have a business layer which accept input which is already validated, otherwise you will get some kind of infinite regress. | |
| May 16, 2017 at 18:55 | comment | added | Machado | All the public surface of your API must perform input validation. Internals, private and protected methods can rely on the fact that the public surface of the API did its job, and did not rely on the user calling an outside method to validate the input. Your API must protect itself against misuse. | |
| May 16, 2017 at 18:47 | comment | added | JacquesB | You have the two steps because you need to separate the validated input from the unvalidated input - and the actual business logic should only accept validated input. Otherwise you would have to perform the same validation on every single method in the call chain, which would be crazy. | |
| May 16, 2017 at 18:19 | comment | added | Machado | Also, why doesn't the @ works with your username ? I can't tag you on my comments! Your name just vanishes... | |
| May 16, 2017 at 18:16 | comment | added | Machado | Yes, you're right. And that's the point. Explore the code and learn as you go. That would be exactly the same scenario with 2-step validation, without the need of the extra if. The 2-step validation requires you to learn the protocol, which you'll do by either triggering an exception because you didn't validate before calling or by reading documentation. Why not just embrace the exception in this case and reduce the complexity of your code since you'll still have the obligation to catch a exception ? | |
| May 16, 2017 at 18:05 | comment | added | JacquesB | @Machado: If you want an API to be discoverable, exceptions are actually the worse choice since they are not indicated in the method signature (in .net) but are only discovered if you happen to trigger one...or read the documentation. | |
| May 16, 2017 at 17:52 | comment | added | Machado | while I agree with you on the principle, I have some concerns on the practical use. Having a side validation method may be idiomatic on the API, but it's also a 2-step operation that requires the user of your code to read the documentation before trying it, in order to learn "the protocol". While just shoving things to the service and letting it figure out what to do and returning an error on a single step looks messy, but allows the programmer to learn by exploring your code instead of reading some lost wiki somewhere. | |
| May 16, 2017 at 17:34 | history | edited | JacquesB | CC BY-SA 3.0 |
added 3 characters in body
|
| May 16, 2017 at 17:32 | comment | added | JacquesB | @Machado: This would make sense if you expect valid input, but perform a precondition check to be defensive. But if there is a specific method for validating user input, then it shouldn't throw an exception if there is validation errors, since this a legitimate outcome. Exceptions should IMHO only be for cases where a method is prevented from doing its designated job, which is not really the case here. | |
| May 16, 2017 at 17:24 | history | edited | JacquesB | CC BY-SA 3.0 |
added 20 characters in body
|
| May 16, 2017 at 17:23 | comment | added | Machado | I don't see why you can't leverage the existence of AggregateException if needed. For a CRUD application a single exception may be enough, though. | |
| May 16, 2017 at 17:21 | history | answered | JacquesB | CC BY-SA 3.0 |