0

I am building a school project, which is a website. I have a form and I'm using JavaScript as my validation. Is there any chance that if the user turned off their JavaScript, they can submit their form empty? Or had I better use PHP as my validation?

4 Answers

3

Client Side

You want to validate input on the client side first because you can give better feedback to the average user. For example, if they enter an invalid email address and move to the next field, you can show an error message immediately. That way the user can correct every field before they submit the form.

If you only validate on the server, they have to submit the form, get an error message, and try to hunt down the problem.

(This pain can be eased by making "sticky" forms where the server remembers what was entered in each field and fills it back in, but client-side validation is still faster.)

Server Side

You want to validate on the server side because you can protect against the malicious user, who can easily bypass your JavaScript and submit dangerous input to the server.

It is very dangerous to trust your UI. Not only can they abuse your UI, but they may not be using your UI at all, or even a browser. What if the user manually edits the URL, or runs their own JavaScript, or tweaks their HTTP requests with another tool? What if they send custom HTTP requests from curl, for example?

Not allowing for that is not only naive from a security standpoint, but also non-standard: a client should be allowed to send HTTP by whatever means they wish, and you should respond correctly. That includes validation.

Priyank
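
A server-side check of the kind the answers on this page recommend, as an added example that is not part of any original answer. The field names (name, email, age), the limits and the sample requests are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

/**
 * Validate a submitted form on the server, whatever the browser did or did not check.
 * Hypothetical fields for this example: name, email, age.
 * Returns [errors, clean]; $clean holds trimmed values for re-filling a "sticky" form
 * (escape them with htmlspecialchars() when writing them back into the HTML).
 */
function validate_signup(array $post): array
{
    $errors = [];
    $clean  = [];

    foreach (['name', 'email', 'age'] as $field) {
        // A hand-built request can omit a field or send an array (name[]=x), not a string.
        $value = $post[$field] ?? '';
        $clean[$field] = is_string($value) ? trim($value) : '';
    }

    if ($clean['name'] === '') {
        $errors['name'] = 'Name is required.';
    } elseif (strlen($clean['name']) > 100) {
        $errors['name'] = 'Name must be at most 100 bytes.';
    }

    if (filter_var($clean['email'], FILTER_VALIDATE_EMAIL) === false) {
        $errors['email'] = 'Enter a valid email address.';
    }

    $range = ['options' => ['min_range' => 5, 'max_range' => 120]];
    if (filter_var($clean['age'], FILTER_VALIDATE_INT, $range) === false) {
        $errors['age'] = 'Age must be a whole number between 5 and 120.';
    }

    return [$errors, $clean];
}

// Constructed sample requests: what arrives when JavaScript is off or the form is not used.
$samples = [
    'empty form'     => [],
    'array for name' => ['name' => ['x'], 'email' => 'a@example.com', 'age' => '17'],
    'valid'          => ['name' => ' Ada ', 'email' => 'ada@example.com', 'age' => '17'],
];

foreach ($samples as $label => $post) {
    [$errors] = validate_signup($post);
    $result = $errors ? 'rejected (' . implode(', ', array_keys($errors)) . ')' : 'accepted';
    echo $label, ': ', $result, "\n";
}
```

In a real page the handler would be called with `$_POST`, and the form would be redisplayed with the returned errors whenever the errors array is not empty.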
1

Any frontend validation is just for better User Experience, and you can only trust the backend with sensitive logic.

Basically any data can arrive from the frontend, and you should always assume that your users are malicious ("all input is evil"), and validate on the backend.

doldt
1

JavaScript validation is not secure at all; people can either turn off their JavaScript or edit your code. Anyone who is set on getting around your validation will have an easy time doing so. PHP validation is the better option, since a user can't just turn off your PHP or change it.

What you could do, if you want to make the validation look fancy, is have front-end and back-end validation in place.

Gerton
0

You can use HTML5 tags; they are pretty easy to use. For example, you can use:

 the pattern attribute to define the regular expressions,
 required for required fields, and many others.

All of the HTML-based validations, I must say all of them, can be fixed via tools like Firebug. You might need to apply the validation on the server side as well if you want to make it really, really robust. I would recommend you go for an MVC framework like

Yii or maybe CodeIgniter

They are pretty easy to use and very powerful, especially the scaffolding features.

Danyal Sandeelo