I have a lengthy form which heavily uses client-side validation (written in jQuery). To prevent users with disabled JavaScript from submitting the form, I have included a hidden field which is populated with a "javascript_enabled" value by jQuery. If JS is disabled in the browser, then the field is left blank and the form will not be submitted.

The question is - is this enough and I should feel safe, or do I have to include a server side validation for every field too?

Eleeist
  • possible duplicate of http://stackoverflow.com/questions/162159/javascript-client-side-vs-server-side-validation – kapa May 05 '12 at 10:03

4 Answers

No. Client side validation is only here for the comfort of the user, not to protect your server.

All client side actions are easy for the user to change.

To protect your server you MUST add server side validation.

Denys Séguret

To what extent? None. You should never rely on client-side validation at all. Client-side validation is purely for UX purposes.

The true validation is always done on the server.

Joseph

All of the above answers are valid, I just want to add a couple of points.

Client Side

  • Client-side validation can be used to give instantaneous feedback to the user without the need for additional requests to the server (Lower Traffic).

  • Client-side validation can be easily bypassed. (Disable JavaScript, Custom HTTP Requests, Access using e.g. CURL)

Server Side

  • Cannot be bypassed (unless you've left an exploitable piece of code)

  • Good server side validation can prevent potential threats such as XSS, and SQL Injection. (Can lead to obtaining other users data, or break your database)

How I believe this will change

I'm looking forward to further development of the WebSocket protocol and for it to become more widely used. WebSockets allow for a two-way (full duplex) connection, meaning it will be incredibly efficient to validate from the server side, for example every time a key is entered into an input field. Hopefully this approach will do away with client-side validation!

Jack
  • I use websockets a lot, for their performance and the comfort they provide. But I'm doubtful about their use in simple form validation: with ajax today a validation including a round-trip is fast enough (less than 100 ms) if you use server side the kind of technology you'd use for websockets. I agree with your other points. – Denys Séguret May 05 '12 at 10:29
  • I agree on any average web application AJAX is fine, WebSockets will only show an advantage on a much larger scale due to their smaller overhead. – Jack May 05 '12 at 10:33
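The point the answers above make (the hidden "javascript_enabled" field is just another request parameter, and anything that can send HTTP can set it) can be shown end to end. The following is an added example, not code from the question or from any of the answerers: it parses a form body exactly as a server would receive it from curl or a JavaScript-disabled browser, shows that the marker field is trivially forged, and validates every field on the server side with allowlist rules instead. The field names, the rules, and the forged body are all constructed for illustration, not the asker's real form.

```javascript
// Added example: server-side validation that does not trust the
// client's "javascript_enabled" marker. Field names and rules below
// are assumptions made for the demonstration, not the real form.
const RULES = {
  username: { required: true, pattern: /^[A-Za-z0-9_]{3,32}$/ },
  email:    { required: true, pattern: /^[^\s@]{1,64}@[^\s@]{1,255}$/ },
  age:      { required: false, pattern: /^[1-9]\d{0,2}$/ },
  comment:  { required: false, maxLength: 500 },
};

// application/x-www-form-urlencoded body -> plain object (last value wins).
// This is what the server sees regardless of whether jQuery ever ran.
function parseFormBody(body) {
  const out = {};
  for (const [k, v] of new URLSearchParams(body)) out[k] = v;
  return out;
}

// Validate every field against the allowlist above. Unknown parameters
// are rejected as well, so a forged "role=admin" cannot slip through
// to code that blindly copies request fields into a record.
function validateServerSide(fields) {
  const errors = {};
  for (const [name, rule] of Object.entries(RULES)) {
    const value = fields[name];
    if (value === undefined || value === '') {
      if (rule.required) errors[name] = 'required';
      continue;
    }
    if (rule.maxLength !== undefined && value.length > rule.maxLength) {
      errors[name] = 'too long';
      continue;
    }
    if (rule.pattern && !rule.pattern.test(value)) errors[name] = 'invalid';
  }
  for (const name of Object.keys(fields)) {
    if (!(name in RULES) && name !== 'javascript_enabled') {
      errors[name] = 'unexpected field';
    }
  }
  return { ok: Object.keys(errors).length === 0, errors };
}

// Output encoding for anything you do accept and later echo into HTML.
// Validation narrows input; escaping is what actually stops stored XSS.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, c => (
    { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }[c]
  ));
}

// Constructed request body: the same bytes `curl -d` would send. The
// "JS enabled" marker is present, yet no client-side check ever ran and
// the other fields are hostile.
const forgedBody =
  'javascript_enabled=javascript_enabled' +
  '&username=<script>alert(1)</script>' +
  '&email=not-an-email&age=-5&role=admin';

// What a request handler should do: note the client's claim, ignore it
// for security purposes, and validate the actual data.
function handleSubmission(body) {
  const fields = parseFormBody(body);
  const clientClaimsJs = fields.javascript_enabled === 'javascript_enabled';
  const result = validateServerSide(fields);
  return { clientClaimsJs, ...result };
}
```

Run `handleSubmission(forgedBody)`: `clientClaimsJs` is `true` (the marker was forged in one line of curl) while `ok` is `false` with an error for every field. The converse also holds: a submission with no marker at all but valid fields is accepted, because whether the client ran JavaScript is not a property the server can verify and not one it needs.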

Server side validation is a must, client side validation is to do as much as is practical without the overhead of a round trip to the server.

Tony Hopkinson