The answer, on the question of data validation on client or server is both. I do use client side validation, using JavaScript, mostly to notify the user of a data entry error before he or she proceeds to submit it. But, more importantly, I check all the data server-side. I regard failing to validate server side as plain stupid and, especially, insecure.

All transactions are received by my cgi script, written in perl, and submitted by it to the database (but this is after 1: data validation server side, and 2: submission of some of it to one of the web services we use, and the some of the data stored is the response from the web service used, again validated on my server before attempting to store it). By implication, then, from what I am doing and what you say, the logging is either broken or incomplete. So, that, I guess, is the next thing on my list of things to examine, and that is, how to make the web server logging more complete, and the database logging also. I know the transaction came through my server, and thus my validation code, because I learned of the missing data by looking at the data stored by the web services we're using. The failure point is either the web service not sending us the transaction results, or between that event and the attempt to store the data. I think I can see how I can check that.

Thanks

Ted