0

Possible Duplicate:
JavaScript: client-side vs. server-side validation

I am a beginner in PHP web application development. I have recently developed a web application that is used in an intranet, and there are about 25 users using the system. All the HTML forms within the system are validated using JavaScript and a jQuery library, and the client machines are JavaScript enabled. Is it necessary to validate each form on the server again, or is JavaScript validation enough?

Rav
  • Never trust user input. Validate on client to avoid back and forth to server. Validate again on server. – Luc M Oct 15 '12 at 17:15
  • It depends if you want potentially wonky results. If so, stick to client side validation, if not, validate on the server. – j08691 Oct 16 '12 at 16:18

6 Answers

3

Put simply, JS validation is not enough. A user can very easily disable JS on their client, and bypass your validation. Even if you are submitting user data using AJAX (thus requiring JS to be enabled), a clever user can easily construct their own HTTP request to your server, again bypassing your validation.

To this end, if you want to completely ensure that all data entered into your system is validated, it will have to be done on the server.

Jim O'Brien
1

Since JavaScript can be turned off, it follows from logic that the client cannot be trusted. Therefore you will have to validate again at the server side.

A basic rule to remember for questions like this:

client-side security is not.

Gung Foo
1

JavaScript validation is not enough. It is trivial to bypass client-side JS validation using software such as curl to generate your own HTTP POST requests.

JSK NS
1

I guess it depends what happens with the submitted data, but I think it's always a good practice to validate input on server side for security reasons.

Zyga
1

Try this one, best and easy.

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
                "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
  <!-- jQuery and the jQuery Validation plugin; the rules below are checked in the browser -->
  <script src="http://code.jquery.com/jquery-latest.js"></script>
  <script type="text/javascript" src="http://jzaefferer.github.com/jquery-validation/jquery.validate.js"></script>
  <style type="text/css">
    * { font-family: Verdana; font-size: 96%; }
    label { width: 10em; float: left; }
    label.error { float: none; color: red; padding-left: .5em; vertical-align: top; }
    p { clear: both; }
    .submit { margin-left: 12em; }
    em { font-weight: bold; padding-right: 1em; vertical-align: top; }
  </style>
  <script>
    // Attach the plugin to the form; rules are read from each input's class and attributes
    $(document).ready(function () {
      $("#commentForm").validate();
    });
  </script>
</head>
<body>
  <form class="cmxform" id="commentForm" method="get" action="">
    <fieldset>
      <legend>A simple comment form with submit validation and default messages</legend>
      <p>
        <label for="cname">Name</label>
        <em>*</em><input id="cname" name="name" size="25" class="required" minlength="2" />
      </p>
      <p>
        <label for="cemail">E-Mail</label>
        <em>*</em><input id="cemail" name="email" size="25" class="required email" />
      </p>
      <p>
        <label for="curl">URL</label>
        <em>  </em><input id="curl" name="url" size="25" class="url" value="" />
      </p>
      <p>
        <label for="ccomment">Your comment</label>
        <em>*</em><textarea id="ccomment" name="comment" cols="22" class="required"></textarea>
      </p>
      <p>
        <input class="submit" type="submit" value="Submit"/>
      </p>
    </fieldset>
  </form>
</body>
</html>

Happy coding!!

Gaurav
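
A server-side counterpart to the comment form in the answer above, added here as an example (not code from any of the answers): it re-applies the same field rules in PHP, the asker's language, so a request built outside the browser is rejected. The function name `validate_comment` and the sample inputs are constructed for illustration; the http/https restriction on the URL field is an added assumption, stricter than the client-side rule.

```php
<?php
declare(strict_types=1);

// Hypothetical helper: re-checks on the server what the form checks in the
// browser. Returns [clean values, errors keyed by field name].
function validate_comment(array $input): array
{
    $clean = [];
    $errors = [];
    // Anything that is not a plain string (e.g. name[]=x) is treated as missing.
    $field = static function (string $key) use ($input): string {
        return isset($input[$key]) && is_string($input[$key]) ? trim($input[$key]) : '';
    };

    $name = $field('name');                       // required, minlength 2
    if (strlen($name) < 2) {
        $errors['name'] = 'Name must be at least 2 characters.';
    } else {
        $clean['name'] = $name;
    }
    $email = $field('email');                     // required, valid e-mail
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors['email'] = 'A valid e-mail address is required.';
    } else {
        $clean['email'] = $email;
    }
    $url = $field('url');                         // optional, valid URL
    if ($url !== '') {
        $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
        // Assumption: only http(s) links are wanted.
        $ok = filter_var($url, FILTER_VALIDATE_URL) !== false
            && in_array($scheme, ['http', 'https'], true);
        if ($ok) { $clean['url'] = $url; } else { $errors['url'] = 'URL must be http(s).'; }
    }
    $comment = $field('comment');                 // required
    if ($comment === '') {
        $errors['comment'] = 'Comment is required.';
    } else {
        $clean['comment'] = $comment;
    }
    return [$clean, $errors];
}

// Constructed sample inputs: the second never went through the JavaScript checks.
$samples = [
    'browser form'       => ['name' => 'Rav', 'email' => 'rav@example.test', 'url' => '', 'comment' => 'Hello'],
    'hand-built request' => ['name' => 'x', 'email' => 'not-an-email', 'url' => 'notaurl', 'comment' => '   '],
];
foreach ($samples as $label => $input) {
    [$clean, $errors] = validate_comment($input);
    echo $label, ': ', $errors ? implode(' | ', $errors) : 'accepted', PHP_EOL;
}
```

In the application this would be called with `$_GET` (the form's method) or `$_POST`. Validation does not replace escaping on output or parameterised queries when the values are stored.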
0

Yes, you should validate ALL the data on server side. JavaScript validation is not trustable.

MrSil