Could it be sound practice to delegate data validation entirely towards the database engine constraints?

Validating data in the application does not prevent invalid insertion from another software (possibly designed in another language by another team). Using database constraints you lessen the points where you have to be worried about invalid input data.

Should you put validation in database and application, maintenance becomes boring, because you need to update code for you never know the number of programs, growing the prospect of human errors.

I simply aren't seeing this being carried out greatly, searching at code for free software projects.

Validate at input time. Validate again before putting it within the database. And also have database constraints to avoid bad input. And you will wager regardless of everything, bad data will get to your database, so validate it again if you use it.

It appears like all day some web application will get compromised simply because they did almost all their validation within the form or worse, using Javascript, the ones found a method to bypass it. You need to guard against that.

Paranoid? Me? No, just experienced.

It is best to, where possible, have your validation rules specified by your database and employ or write a framework which makes individuals rules appear to your front-end. ASP.Internet Dynamic Data aids in this and you will find some commercial libraries available making it even simpler.

You can do this for both simple input validation (like amounts or dates) and related data like this restricted by foreign secrets.

To sum up, the concept would be to define the guidelines in one location (the database most time) and also have code in other layers which will enforce individuals rules.

The problem with departing the logic towards the database will be you boost the strain on that specific server. Web and application servers are comparatively simple to scale outward, but a database requires special techniques. Typically, it's wise to place because the computational logic in to the application layer and the interaction using the database as easy as possible.

With nevertheless, it's possible that the application might not be concerned about such heavy scalability issues. If you're certain that database server load won't be an issue for that expected future, then proceed and set the restrictions around the database. You're quite factual that this enhances the business and simplicity of the system in general by continuing to keep validation logic inside a convenient location.

You will find other concerns than simply SQL injection with input. You need to go ahead and take most defensive stance possible whenever accepting user input. For instance, a person might have the ability to enter a hyperlink for an image right into a textbox, that is really a PHP script that runs something nasty.

Should you design the application well, you shouldn't need to laboriously check all input. For instance, you could utilize a Forms API that takes proper care of the majority of the meet your needs, along with a database layer which does very similar.

This is an excellent resource for fundamental checking of weaknesses:

http://ha.ckers.org/xss.html

It is past too far when the information reaches your database to supply significant validation for the customers and programs. You wouldn't want your database doing all the validation since that'll slow things lower very good, and also the database does not express the logic as clearly. Similarly, while you grow you will be writing more application level transactions to enhance your database transactions.

I'd say it's potentially a poor practice, based on what goes on once the query fails. For instance, in case your database could throw a mistake which was smartly handled by a credit card applicatoin, then you may be ok.

However, if you do not put any validation inside your application, you will possibly not have bad data, but you might have customers thinking they joined items that does not get saved.

Implement just as much data validation as possible in the database finish without compromising other goals. For instance, if speed is definitely an problem, you might want to consider not using foreign secrets, etc. In addition, some data validation are only able to be carried out around the application side, e.g., making certain that emails have valid domain names.