http://qs1969.pair.com?node_id=47548


in reply to Re: The art of error handling
in thread The art of error handling

It's true that it's often more usable to have the interface permit only valid input to be expressed*--rather than accepting anything and emitting error messages later--but remember that you need to leave the server-side verification in place for security.

Clayton probably knew this, but client-side error checking is risky on its own since everything running on the attacker's machine is under his control, including his copy of your HTML and JavaScript.

* the exceptions that prove the rule
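
Added example, not part of the original post: a server-side re-check of fields that the form itself already restricts, written for Node.js. The field names, limits and sample request bodies are hypothetical and constructed for illustration.

```javascript
// The form UI only lets valid values be expressed; the server repeats every
// rule because the HTML and JavaScript copy on the client can be altered.
const RULES = {
  size: { oneOf: ["S", "M", "L"] },         // UI: <select> with three options
  qty:  { integer: true, min: 1, max: 10 }, // UI: <input type="number" min="1" max="10">
  note: { maxLength: 40, optional: true },  // UI: <input maxlength="40">
};

function validateOrder(body) {
  const params = new URLSearchParams(body); // form-encoded request body
  const errors = [];
  const clean = {};

  // Fields the form never sends, or sends only once, are rejected here.
  for (const key of new Set(params.keys())) {
    if (!Object.prototype.hasOwnProperty.call(RULES, key)) {
      errors.push(`unexpected field: ${key}`);
    } else if (params.getAll(key).length > 1) {
      errors.push(`repeated field: ${key}`);
    }
  }

  for (const [name, rule] of Object.entries(RULES)) {
    const value = params.get(name);
    if (value === null || value === "") {
      if (!rule.optional) errors.push(`missing field: ${name}`);
      continue;
    }
    if (rule.oneOf && !rule.oneOf.includes(value)) {
      errors.push(`${name}: not an offered option`);
    } else if (rule.integer) {
      const n = Number(value);
      if (!/^\d+$/.test(value) || n < rule.min || n > rule.max) {
        errors.push(`${name}: out of range`);
      } else clean[name] = n;
    } else if (rule.maxLength && value.length > rule.maxLength) {
      errors.push(`${name}: too long`);
    } else clean[name] = value;
  }
  return errors.length ? { ok: false, errors } : { ok: true, clean };
}

// Constructed sample bodies: one the unmodified form can produce, one it cannot.
const FROM_FORM = "size=M&qty=2&note=gift+wrap";
const NOT_FROM_FORM = "size=XXL&qty=-5&price=0";
console.log(validateOrder(FROM_FORM), validateOrder(NOT_FROM_FORM));
```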