Re: Server side DTD validation only ?

From: David Brownell <david-b@p...>
To: "Roldan, Alex" <aroldan@h...>
Date: Mon, 14 Jun 1999 08:50:23 -0700

Play the video

"Roldan, Alex" wrote:
> 
> To me It seems that performing DTD validation on the client and server side
> is an unnecessary overhead.   Currently, I am only performing validation
> against the DTD on the server side app.  The request and the response are
> both validated by the server app by pre-pending the DTD to the XML document
> before it is validated.  The text XML data created by the client does not
> contain the DTD or an external reference to the DTD.
> 
> 1.  Is this the right approach ?

If you control both the client and server, and can keep them
always in sync (e.g. you're downloading the client from that
server) so that you don't run into versioning problems.

>From my perspective, both of those restrictions are atypical.

Of course you also have to keep in mind that validation is
only one level of error checking, and it's possible that the
other levels will catch the problems that'd crop up.

> 2.  What are the problems I can run into ?

If you write clients for network programs, you learn that
you must not trust servers to perform according to their
specifications ... e.g. a server operated by a business
competitor might very well attempt to subvert clients that
are trusting.  It is routine to check the format of data
as it's being imported.  (And vice versa -- when clients
send data to servers, the servers shouldn't trust it, for
the same reasons.)  Hence the clause above "if you control
both the client and server" -- two different companies
shouldn't take that approach in their client/server code.

Systems are also not static.  They evolve over time.  The
rules for what is correct/valid change over time.  If your
clients have every reason to trust the servers (and vice
versa) you can _still_ run into problems if it's possible
for the protocol versions to be mismatched.  Hence the
clause above "and can keep them in sync".

- Dave

xml-dev: A list for W3C XML Developers. To post, mailto:xml-dev@i...
Archived as: http://www.lists.ic.ac.uk/hypermail/xml-dev/ and on CD-ROM/ISBN 981-02-3594-1
To (un)subscribe, mailto:majordomo@i... the following message;
(un)subscribe xml-dev
To subscribe to the digests, mailto:majordomo@i... the following message;
subscribe xml-dev-digest
List coordinator, Henry Rzepa (mailto:rzepa@i...)

Follow-Ups:
- Re: Server side DTD validation only ?
  - From: "Murray Maloney" <murray@m...>

References:
- Server side DTD validation only ?
  - From: "Roldan, Alex" <aroldan@h...>

Prev by Date: Looking for a tool
Next by Date: Re: Namespace URI address resources
Previous by thread: Server side DTD validation only ?
Next by thread: Re: Server side DTD validation only ?
Index(es):
- Date
- Thread

PURCHASE STYLUS STUDIO ONLINE TODAY!

Purchasing Stylus Studio from our online shop is Easy, Secure and Value Priced!

Download The World's Best XML IDE!

Accelerate XML development with our award-winning XML IDE - Download a free trial today!

Subscribe in XML format

RSS 2.0
Atom 0.3

Stylus Studio has published XML-DEV in RSS and ATOM formats, enabling users to easily subcribe to the list from their preferred news reader application.

Stylus Studio Sponsored Links are added links designed to provide related and additional information to the visitors of this website. they were not included by the author in the initial post. To view the content without the Sponsor Links please click here.

XML Editor - Download a 15 Day Free Trial Now >

See What's New in Stylus Studio >

Buy Stylus Studio - XML Editor - Now >