-2

I had the thought:

What's stopping someone from circumventing form validation by deleting the "onSubmit" of an HTML form using something like Firebug?

I know Javascript isn't meant to be the only form of validation, but how can I ensure the Javascript validation isn't circumvented in this way?

I would prefer to continue using the "onSubmit" method if possible, as that is already in place, but am open to other options.

I should make it clear, I do have server side validation in place. I just want to make removing the JS validation as difficult as possible.

Barney
  • 1
    server-side validation..?? – Dipesh Parmar Apr 09 '13 at 11:51
  • > What's stopping - nothing. Client-side validation should be used in pair with server-side. – Tommi Apr 09 '13 at 11:52
  • See [this](http://stackoverflow.com/questions/162159/javascript-client-side-vs-server-side-validation) or [this](http://stackoverflow.com/questions/10460711/to-what-extend-should-i-rely-on-client-side-validation). – Denys Séguret Apr 09 '13 at 11:54
  • 1
    A browser is not even required to submit a form. It's possible to send an arbitrary stream of data that doesn't even conform to the HTTP spec. – Alexey Lebedev Apr 09 '13 at 11:54

4 Answers

6

> What's stopping someone from circumventing form validation by deleting the "onSubmit" of an HTML form using something like Firebug?

Nothing. Client side form input checking is provided for the user's convenience (it allows instant and contextual feedback without resorting to a round trip to the server), not the server's security. You need to check the data on the server too.

> I know Javascript isn't meant to be the only form of validation

Yes.

> but how can I ensure the Javascript validation isn't circumvented in this way?

You can't, that is why it isn't meant to be the only form of validation.

Quentin
  • It isn't the only form of validation. I know that it's not meant to be, I just want to make removing it difficult. – Barney Apr 09 '13 at 11:58
  • You cannot make removing it difficult. – Quentin Apr 09 '13 at 12:02
  • 1
    There is no sense in making it difficult to remove anyway as the only purpose of client side validation is the user's comfort. – Denys Séguret Apr 09 '13 at 12:04
  • Anything you do to try to make it difficult is going to be more work for you, more chance of something failing for an innocent user, but no more security. – Quentin Apr 09 '13 at 12:05
0

It is impossible to prevent users from changing running JavaScript code in HTML pages. That's why it is highly recommended to duplicate form data validation at the server side.

VisioN
0

You can't do anything.

  1. JavaScript is client side, and you should not depend on the client code. The user can tamper with the data and post it to the server side.
  2. On the server side you also need to check the validity of the document.

Ravi Gadag
0

> What's stopping someone from circumventing form validation by deleting the "onSubmit" of an HTML form using something like Firebug?

Nothing. Validation is a client side way of telling the user that their input will not be accepted without them having to submit. You should have strong server side validation as well for this to work.

There should be no crucial validation that is only client side.

Manishearth
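To make the answers' point concrete, here is an added example (not code from the question or from any answer): one rule table that an onSubmit handler could call for instant feedback, and that the server runs again on the raw request body. The field names `email` and `age`, the rules, the status codes and the function names `validate` and `handleSubmission` are assumptions made for illustration.

```javascript
// Added example: the field names and rules are hypothetical, not from the post.
// One rule table: the browser's onSubmit handler can call validate() for instant
// feedback, and the server calls it again because that copy cannot be removed.
const RULES = {
  email: { required: true, maxLen: 254, pattern: /^[^\s@]+@[^\s@]+\.[^\s@]+$/ },
  age: { required: true, maxLen: 3, pattern: /^\d+$/,
         check: (v) => Number(v) >= 18 && Number(v) <= 120 },
};

// Validate a map of submitted fields; returns { ok, errors, clean }.
function validate(fields) {
  const errors = Object.create(null); // no prototype, so any field name is safe as a key
  const clean = {};
  // A field the form never defined can only come from a hand-built request.
  for (const name of Object.keys(fields)) {
    if (!Object.prototype.hasOwnProperty.call(RULES, name)) {
      errors[name] = 'unexpected field';
    }
  }
  for (const [name, rule] of Object.entries(RULES)) {
    const value = fields[name];
    if (value === undefined || value === '') {
      if (rule.required) errors[name] = 'required';
      continue;
    }
    if (typeof value !== 'string') errors[name] = 'must be a single value';
    else if (value.length > rule.maxLen) errors[name] = 'too long';
    else if (!rule.pattern.test(value)) errors[name] = 'bad format';
    else if (rule.check && !rule.check(value)) errors[name] = 'out of range';
    else clean[name] = value;
  }
  return { ok: Object.keys(errors).length === 0, errors, clean };
}

// Server side: parse the raw urlencoded body exactly as it arrived and validate
// it, whether or not any script ran in a browser first.
function handleSubmission(rawBody) {
  const params = new URLSearchParams(rawBody);
  const fields = Object.create(null); // "__proto__" becomes an ordinary key here
  for (const name of new Set(params.keys())) {
    const all = params.getAll(name);
    fields[name] = all.length === 1 ? all[0] : all; // repeated field becomes an array
  }
  const result = validate(fields);
  return { status: result.ok ? 200 : 422, ...result };
}
```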