EoinKeary got me thinking about data validation again, in particular the security implications of relying on data validation in the ORM tier when numerous attacks can be performed on the presentation and middle tiers before hitting the ORM. I still prefer the approach of only defining data validation rules in one place, and that place should be as close to the data as possible – so Hibernate or JPA annotations make a lot of sense.
So how do you validate data for the tiers further up the stack?
Defining data validation rules in two places violates the DRY principle and is going to be error prone. Furthermore, it makes the code less modular because you’d need to redefine the data validation rules every time you add another interface to the application.
A number of web frameworks provide a more elegant solution: Define the data validation rules in the model objects (ORM tier), but validate them whenever you like, e.g. in the web tier when first performing data binding. Some examples:
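As an added, framework-neutral example (not code from the original post), the same idea expressed with plain Bean Validation: the constraints are declared once on the model object, and the web tier runs the validator during data binding so that malformed or hostile input is rejected before it reaches the service or ORM tier. It assumes a Bean Validation provider such as Hibernate Validator is on the classpath; the class names (`WebTierBinding`, `User`), the constraints chosen and the sample requests are hypothetical and constructed for illustration.

```java
import java.util.Set;
import javax.validation.ConstraintViolation;
import javax.validation.Validation;
import javax.validation.Validator;
import javax.validation.constraints.NotNull;
import javax.validation.constraints.Pattern;
import javax.validation.constraints.Size;

/**
 * Added example, not from the original post. Assumes Bean Validation with a
 * provider (e.g. Hibernate Validator) on the classpath. Class names and the
 * concrete constraints are hypothetical choices for illustration.
 */
public class WebTierBinding {

    /**
     * Model object: the validation rules live here, once, next to the fields
     * that will eventually be persisted. JPA mapping annotations are omitted
     * for brevity; they would sit on the same fields.
     */
    public static class User {
        @NotNull
        @Size(min = 3, max = 32)
        @Pattern(regexp = "^[A-Za-z0-9_]+$",
                 message = "may contain only letters, digits and underscore")
        private String username;

        @NotNull
        @Size(min = 1, max = 254)
        private String email;

        public User(String username, String email) {
            this.username = username;
            this.email = email;
        }
        public String getUsername() { return username; }
        public String getEmail()    { return email; }
    }

    // A Validator is thread-safe; one instance can be shared across requests.
    private static final Validator VALIDATOR =
            Validation.buildDefaultValidatorFactory().getValidator();

    /**
     * Web-tier data binding: map raw request parameters onto the model object
     * and run the model's own rules before anything further down the stack
     * sees the data. An empty set means the request is acceptable.
     */
    public static Set<ConstraintViolation<User>> bind(String rawUsername, String rawEmail) {
        User candidate = new User(rawUsername, rawEmail);
        return VALIDATOR.validate(candidate);
    }

    public static void main(String[] args) {
        // Constructed sample input: one well-formed request, one malformed one
        // (username contains disallowed characters, email parameter missing).
        String[][] requests = {
            { "alice_01", "alice@example.com" },
            { "bob<script>", null },
        };
        for (String[] r : requests) {
            Set<ConstraintViolation<User>> violations = bind(r[0], r[1]);
            if (violations.isEmpty()) {
                System.out.println("accepted: " + r[0]);
                continue;   // hand the validated object on to the service/ORM tier
            }
            System.out.println("rejected request");
            for (ConstraintViolation<User> v : violations) {
                // Report the field and the rule that failed; avoid echoing the
                // raw user-controlled value into logs or responses.
                System.out.println("  " + v.getPropertyPath() + ": " + v.getMessage());
            }
        }
    }
}
```

The second request fails on `username` (pattern) and `email` (`@NotNull`); note that `@Size` and `@Pattern` treat a `null` value as valid by design, so `@NotNull` has to be stated explicitly where absence is not allowed. Because the rules are read from the model class, the same `VALIDATOR.validate(...)` call works unchanged from a REST endpoint, a batch importer or a JPA pre-persist hook, which is what keeps the rules in one place while still enforcing them at the edge.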