all. I want to share an issue that happens in my code. I have an HTML form that is posted and saved to a MySQL database using PHP. I added form validation so that if the total of the data isn't 100, it can't be posted. I do this restriction on the client side in HTML using JavaScript, something like this:

    $("#submit").click(function(event) {
        // read both totals as integers (an empty field counts as 0)
        var total_I   = parseInt($("#total_I").val(), 10) || 0;
        var total_III = parseInt($("#total_III").val(), 10) || 0;
        var total     = total_I + total_III;
        /* stop form from submitting normally */
        if ($("#eval-form").validate().form()) {
            if (total !== 100) {
                event.preventDefault();
                alert("The totals must add up to 100.");
            }
        }
    });

It works perfectly when we run our test plan. But when this website is launched and accessed by approximately 500 users at a time, some records with a total of less than 100 get saved in the database. My question is: how can I overcome this problem? Is there any method to restrict this condition better? First, thanks for your answers.

Frenda

2 Answers

If I were to write a book on web security, the title would be "Never Trust The Client".

You don't really control the client, so if javascript is turned off or someone puts together a custom query, or if a client just isn't behaving correctly, you could get bad data.

Client-side validation is an excellent tool from a user-interface point of view. It catches errors earlier and when properly implemented can lead to less frustration on the part of users.

As a security or policy-enforcement measure, client-side validation is useless. You have to check the data you actually receive on the server side, even if it means duplicating the work done on the client.

slashingweapon

When you do validation with jQuery on the client side, it is better to repeat it on the server side as well.

So in the PHP script (I assume PHP from your tag) you can insert a second validation of the data.

This will make sure the data follows your validation.

gabrielem
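A server-side re-check that mirrors the client rule, as both answers recommend (an added example, not code from the question or from either answer; the field names total_I and total_III are the question's, while the table name, column names and connection details are assumptions):

```php
<?php
// Added example, not the asker's or the answerers' code: the server-side copy
// of the client rule, run in the PHP script before anything is written to MySQL.
// Field names total_I / total_III come from the question; the table name,
// column names and the PDO connection details are assumptions.
declare(strict_types=1);

/**
 * Re-check the rule the jQuery handler enforces: both totals must be
 * present, must be integers in 0..100, and must add up to exactly 100.
 * Returns the two values as ints, or throws with a reason.
 */
function validate_totals(array $post): array
{
    $values = [];
    foreach (['total_I', 'total_III'] as $field) {
        // A missing field, or one sent as an array (total_I[]=...), is rejected.
        if (!isset($post[$field]) || !is_string($post[$field])) {
            throw new InvalidArgumentException("$field is missing");
        }
        // FILTER_VALIDATE_INT rejects "", "12abc", "1e3" and decimals outright.
        $n = filter_var($post[$field], FILTER_VALIDATE_INT,
            ['options' => ['min_range' => 0, 'max_range' => 100]]);
        if ($n === false) {
            throw new InvalidArgumentException("$field must be an integer from 0 to 100");
        }
        $values[$field] = $n;
    }
    if ($values['total_I'] + $values['total_III'] !== 100) {
        throw new InvalidArgumentException('totals must add up to exactly 100');
    }
    return $values;
}

// Request handling: reject before the INSERT, whatever the browser did or did not check.
try {
    $totals = validate_totals($_POST);
} catch (InvalidArgumentException $e) {
    http_response_code(400);
    exit('Invalid submission: ' . $e->getMessage());
}

// Assumed connection and table; replace the placeholders with the real ones.
$pdo = new PDO('mysql:host=localhost;dbname=APP_DB', 'DB_USER', 'DB_PASSWORD',
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$stmt = $pdo->prepare('INSERT INTO evaluations (total_I, total_III) VALUES (:a, :b)');
$stmt->execute([':a' => $totals['total_I'], ':b' => $totals['total_III']]);
```

The same rule can additionally be enforced in the database itself with a CHECK constraint (enforced by MySQL 8.0.16 and later), which also catches writes from any other code path.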