In the scenario where the front-end and back-end are separated and developed, what the back-end does is to receive the data transmitted by the front-end, perform corresponding processing, and finally return the processing result information.
So, for the data sent by the front end (whether it is Get or Post), do we want to be sure that it will not exceed the scope of the constraints, such as in the following example:
public class Apartment {
private Long id;
private String desc;
}
/**
* The entity relationship between room and apartment is that
* one apartment corresponds to multiple entities
*
* Each apartment has a different floor(field: floor)
* and the rooms on each floor have their serial number(field: sequence)
*
* (If I am in the 4th room on the 3rd floor, then my house number is 403)
*
**/
public class Room {
private Long id;
private String desc;
private Integer floor;
private Integer sequence;
private Long apartmentId;
}
Then, the front-end room display is transmitted by the back-end data, that is to say, the back-end knows which rooms exist and which rooms do not exist.
For example, only 10 rooms on the 3rd floor have been entered into the system, then rooms 311-399 can be entered later
Now, the front end has initiated an entry request to add a room, and its data format is like this
{
  "desc": "Room-311",
  "floor": 3,
  "sequence": 11,
  "apartmentId": 1
}
For the backend, do additional data validations need to be performed, namely:
- verify if the apartmentId exists,
- verify whether the floors include floor 3
- verify that the sequence for floor 3 contains 11
- store the record
But if we choose to believe that the data transmitted by the front end is "correct", then of the above 4 steps only the last one is needed: insert the record.
Now the question is whether we are willing to believe that the data transmitted by the front end must be "correct".
Or, when do we choose not to "trust" the data the front end transmits, but treat it as an unconstrained, random request for data (as if in a test), even if the front end tightly limits the scope of the data (such as apartmentId and floor being locked; of course this is just an extreme assumption)?
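The four steps from the question, carried out on the server side, as an added example that is not part of the original post. It uses in-memory stand-ins for the database lookups (constructed sample data: apartment 1 with floors 1-3 and rooms 301-310 already stored), and it assumes that "the sequence for floor 3 contains 11" means the room number is not already taken, with sequences limited to 1-99 so that floor 3 spans 301-399.

```java
import java.util.*;

// Added example, not code from the question: server-side validation of the
// "add room" request, so the back-end never relies on the front-end's view.
public class RoomValidator {
    // Constructed sample data standing in for the apartment/room tables.
    private static final Set<Long> APARTMENTS = Set.of(1L);
    private static final Map<Long, Set<Integer>> FLOORS = Map.of(1L, Set.of(1, 2, 3));
    private static final Set<String> ROOMS = new HashSet<>();
    static { for (int s = 1; s <= 10; s++) ROOMS.add(key(1L, 3, s)); }

    private static String key(long apartmentId, int floor, int sequence) {
        return apartmentId + ":" + floor + ":" + sequence;
    }

    /** Returns the list of violations; an empty list means the record may be stored. */
    public static List<String> validate(Long apartmentId, Integer floor, Integer sequence) {
        List<String> errors = new ArrayList<>();
        // Step 0: the JSON may omit fields, so reject nulls before any lookup.
        if (apartmentId == null || floor == null || sequence == null) {
            errors.add("apartmentId, floor and sequence are required");
            return errors;
        }
        // Step 1: the apartment must exist on the server side.
        if (!APARTMENTS.contains(apartmentId)) {
            errors.add("unknown apartmentId " + apartmentId);
            return errors;
        }
        // Step 2: the floor must belong to that apartment.
        if (!FLOORS.getOrDefault(apartmentId, Set.of()).contains(floor)) {
            errors.add("apartment " + apartmentId + " has no floor " + floor);
        }
        // Step 3: the sequence must be in range and the room number must be free.
        if (sequence < 1 || sequence > 99) {
            errors.add("sequence must be between 1 and 99");
        } else if (ROOMS.contains(key(apartmentId, floor, sequence))) {
            errors.add("room " + (floor * 100 + sequence) + " already exists");
        }
        return errors;
    }

    public static void main(String[] args) {
        // Step 4 (store) happens only when validate() returns no errors.
        System.out.println("new room 311:      " + validate(1L, 3, 11));
        System.out.println("duplicate 305:     " + validate(1L, 3, 5));
        System.out.println("bad apartment:     " + validate(2L, 3, 11));
        System.out.println("missing floor 7:   " + validate(1L, 7, 1));
        System.out.println("missing field:     " + validate(1L, null, 1));
    }
}
```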
CodePudding user response:
Mutual distrust is a basic principle. Mistakes could happen for a number of reasons, so you as Backend dev NEVER trust the validity of incoming info, and the front-end (maybe to a lesser degree) will likewise mistrust the response and must validate it as well.
CodePudding user response:
Always validate data received from clients, because there are some bad guys who are always trying to find vulnerabilities in your code.
CodePudding user response:
In addition to @Michael Gantman, I would mention that having a data validity check on the backend will allow you to change your frontend at any time. And as a different frontend, you should consider calling your backend through a pure API layer.