Form Validation

Form validation serves to ensure the validity of the data submitted to the servlet. Not checking your data is one of the primary security holes in web applications. The most egregious holes are when you use code like this:

import os

# Dangerous: the raw form field is interpolated into a shell command line
req = self.request()
os.system("echo hello there | mail -s 'subscribe request' %s" % req.field('email'))

You might have a select box with several email addresses, which will work just fine. But if the user manipulates the page so as to submit something like: user@public.com;rm -rf /, you'll see the problem.
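As an added example (not code from the original page or from Webware), here is one way to close that hole: validate the submitted field against the addresses the select box actually offered, and hand the command to subprocess as an argument list so the shell never sees the value. The allow-list addresses and the mail(1) invocation are constructed assumptions; the value passed in is what req.field('email') would return.

```python
import re
import subprocess

# Constructed allow-list standing in for the options of the select box.
ALLOWED_ADDRESSES = frozenset({
    "list@example.com",
    "support@example.com",
})

# Conservative address pattern: local part, "@", dotted domain. It rejects
# whitespace and shell metacharacters such as ";" outright.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")


class ValidationError(ValueError):
    """Raised when a form field fails validation."""


def validate_email(value):
    """Return the address if it is well-formed and one of the select-box
    choices; raise ValidationError otherwise."""
    if not isinstance(value, str):
        raise ValidationError("email must be a string")
    value = value.strip()
    if not EMAIL_RE.match(value):
        raise ValidationError("malformed address: %r" % value)
    if value not in ALLOWED_ADDRESSES:
        raise ValidationError("address not offered by the form: %r" % value)
    return value


def is_valid_email(value):
    """Boolean convenience wrapper around validate_email()."""
    try:
        validate_email(value)
        return True
    except ValidationError:
        return False


def build_mail_command(email):
    """Argument list for mail(1); passed to subprocess without a shell, so the
    address is a single argv entry and is never parsed as shell syntax."""
    return ["mail", "-s", "subscribe request", validate_email(email)]


def send_subscribe_request(email, run=subprocess.run):
    """Hardened replacement for the os.system() line: validate first, then run
    the command as a list (shell=False) with the body fed on stdin. `run` is
    injectable so the function can be exercised without invoking mail(1)."""
    cmd = build_mail_command(email)
    return run(cmd, input=b"hello there\n", check=True)
```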

Besides security, form validation can deal with the submit-signal-error-resubmit loop that complex forms should allow. Simply signalling an error and asking the user to go back is a less-than-optimal situation.

Some systems that deal with this for Webware are FunFormKit, FormEncode and XMLForms. Zope has Formulator, and Python CGIs have pyweblib.

-- IanBicking - 02 Nov 2001