0

If you create a form using HTML inputs and make the input required using the "required" attribute (`<input type="text" required>`), what is stopping a user from manually deleting the attribute by using their web browser's built-in developer tools or by loading JavaScript by some other means (such as a bookmarklet)?

In other words, how can you ensure the required input remains required?

Jason
  • 11 **ALWAYS** validate on the server. – Daniel A. White Jun 25 '14 at 00:16
  • Agreed. Validate with JavaScript, but ensure whatever input you are getting IS the type you're expecting. Creating a server-side function that has a regex passed to it or inside to validate input isn't a bad idea. Or, if your language already has this available, definitely use it. – olingern Jun 25 '14 at 00:52

2 Answers

3

The client/browser has little control over the request that is sent to the server. A request can be constructed and passed to the server without involving a browser; therefore it's the server-side code's responsibility to ensure that the required parameters were provided with the request (as well as validate the parameters).

Kevin Bowersox
1

You need to consider a few things:

  1. Everything on the client side can be modified by the client: nothing is stopping me from using my browser console or modifying the source code to change parts of your page, and you can't do anything to stop that. For instance, look how many upvotes your question has:

    Obviously that doesn't actually do anything, but that's because all of the heavy lifting is done by Stack Exchange's servers.

  2. Even if you make a field required, people can still fill in the field with a space or asdf and move on. Just because input is required doesn't mean that it is valid.

So, with that in mind, realize that you'll need to work on the server side to validate input. People can't mess with servers (easily) and it's the safest way to validate input. You'll need to deal with validation when your server receives the data because the client side is always vulnerable to user modification.

AstroCB
  • A very thorough answer :). Do you know of any reliable resources/tutorials that could show me how to properly (and securely) validate inputs? – Jason Jun 25 '14 at 01:00
  • @Jason Well, there's [this](http://www.outsystems.com/academy/11/1685/581/server-side-validation-of-inputs/), but I would also take a look at [this discussion](http://stackoverflow.com/questions/8780436/user-input-validation-client-side-or-server-side-php-js), which talks about some other advantages of server-side validation. The gist is that validating on your server is absolutely necessary, while JS/client-side validation is a plus and can save you some server work. – AstroCB Jun 25 '14 at 01:03
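
Both answers come down to the same server-side check: treat the raw request body as untrusted, confirm each required field is present and non-blank, and then confirm it has the expected shape. The following is an added example, not code from either answer; the field names, patterns and sample bodies are hypothetical and constructed for illustration.

```javascript
// Server-side validation of an application/x-www-form-urlencoded body.
// Field names and patterns are hypothetical; adapt them to the real form.
const RULES = {
  username: { required: true, pattern: /^[A-Za-z0-9_]{3,20}$/ },
  email: { required: true, pattern: /^[^\s@]+@[^\s@]+\.[^\s@]+$/ },
  nickname: { required: false, pattern: /^[\w .-]{1,30}$/ },
};

// rawBody is the body string exactly as received, whoever or whatever sent it.
function validateForm(rawBody, rules = RULES) {
  const params = new URLSearchParams(rawBody);
  const errors = {};
  const values = {};
  for (const [name, rule] of Object.entries(rules)) {
    const all = params.getAll(name);
    if (all.length > 1) {
      errors[name] = 'duplicate'; // ambiguous input, reject rather than guess
      continue;
    }
    // Missing, empty and whitespace-only all count as "not provided".
    const value = (all[0] ?? '').trim();
    if (value === '') {
      if (rule.required) errors[name] = 'required';
      continue;
    }
    if (!rule.pattern.test(value)) {
      errors[name] = 'invalid'; // present, but not the expected shape
      continue;
    }
    values[name] = value; // only fields named in RULES are ever accepted
  }
  return { ok: Object.keys(errors).length === 0, values, errors };
}

// Constructed sample bodies: a normal submission, one with the required
// field omitted (attribute removed client-side), and one with filler input.
const SAMPLE_BODIES = [
  'username=jason_24&email=jason%40example.com',
  'email=jason%40example.com',
  'username=+++&email=asdf',
];
for (const body of SAMPLE_BODIES) {
  console.log(body, '->', JSON.stringify(validateForm(body)));
}
```

Client-side `required` can stay in the markup for user experience; the server rejects the second and third bodies regardless of what the browser enforced.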