
On my site I use Angular and the $http object to send an email. It's just a simple contact form. I validate the email and make sure the required fields have been filled with a simple regular expression.

Even with server-side languages, there's still not really a way to validate emails as far as I know. (See this question.) The most I could really do is apply the same basic regex.

Since I'm sending the email with a client side script (I don't even support people who have JS disabled anymore. A good discussion here on that.) and the email will not send unless the user has JavaScript enabled, is there really any need to validate on the server-side?

Is there a general rule of thumb for when you need to use server-side validation?

Allenph

1 Answer


Since I'm sending the email with a client side script … is there really any need to validate on the server-side?

You have no control over what people send in HTTP requests to your server.

While they can't simply submit a form to get the expected result (which is a shame, since JS can fail for many reasons other than simply being disabled on the client), they can still read your code and/or use their browser tools to determine the API of your webservice. Given that information, it is trivial to build a client to send whatever data (including malicious data) they like to it.

Is there a general rule of thumb for when you need to use server-side validation?

Yes. You always need server-side validation. Client-side validation is there only as a convenience (faster / better UI) for the visitor.

Quentin
  • the movement towards JavaScript MVC frameworks is fairly established, and I don't see us going back to using pure PHP or Rails which requires a reload to send or receive data. Unobtrusive JavaScript was based on browsers being non-compliant which doesn't happen much anymore with libraries, if I'm not mistaken. The majority of my business is pitching responsive single page applications. Is this the wrong direction to be going? I do understand the need for server-side validation, but is there a way to confirm the request is me, rather than someone sending request to my back-end? – Allenph Aug 05 '15 at 23:00
  • "Is this the wrong direction to be going? " — Subjective. – Quentin Aug 05 '15 at 23:01
  • "is there a way to confirm the request is me, rather than someone sending request to my back-end?" — No. The request always comes from the browser. The browser is not under your control. The request never comes from you. – Quentin Aug 05 '15 at 23:01
  • Right, but from what I understand of your answer I need server-side validation because someone could code up an http request from any script, and send some data to my mailing script. But since I'm using JavaScript to send the JSON data which becomes the email, anyone would be able to see any requirements for the form to go through on my source code. That renders the server-side validation useless in both ways. – Allenph Aug 05 '15 at 23:05
  • No, the server side validation ensures that the data really does conform to the constraints on the format of the data that you are trying to impose with the client side validation. It also lets you impose additional constraints such as rate limiting the number of requests accepted from a given IP address (to make it harder to flood your system with emails). – Quentin Aug 05 '15 at 23:08
  • I would like to have a more in depth conversation about this topic. Care to join me in chat? https://chat.stackoverflow.com/rooms/85253/client-server-side-form-validatiom – Allenph Aug 05 '15 at 23:16
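The answer's point (the server must re-check everything the Angular code checks, because a hand-built client skips the browser entirely) and the rate-limiting remark in the comments, as an added example that is not code from the question, the answer, or Allenph's site. It is a plain Node.js handler for a JSON contact-form endpoint. The field names (name, email, message), the length limits, the per-IP limit, and the injected `sendMail` callback are assumptions; the request bodies at the bottom are constructed, and the second one is the kind of payload anyone can send with curl after reading the front-end code.

```javascript
// Added example, not from the original page: server-side validation plus a
// per-IP rate limiter for a contact form whose client is an Angular $http call.
// Field names, limits and the sendMail callback are assumptions.
'use strict';

// Roughly the same loose shape a client-side regex would check:
// something@something.tld with no whitespace. The server re-applies it
// because the client-side check may never have run.
const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;

// Values that end up in mail headers (From, Subject, Reply-To) must be a single
// line; a CR or LF inside them would let the sender append headers of their own.
const CRLF_RE = /[\r\n]/;

const LIMITS = { name: 100, email: 254, message: 5000 };

// Returns { ok: true, value } with only the expected, trimmed fields, or
// { ok: false, errors } listing every problem found.
function validateContactForm(body) {
  if (body === null || typeof body !== 'object' || Array.isArray(body)) {
    return { ok: false, errors: ['body must be a JSON object'] };
  }
  const errors = [];
  const value = {};
  for (const field of ['name', 'email', 'message']) {
    const raw = body[field];
    if (typeof raw !== 'string' || raw.trim() === '') {
      errors.push(`${field} is required`);
      continue;
    }
    const v = raw.trim();
    if (v.length > LIMITS[field]) {
      errors.push(`${field} exceeds ${LIMITS[field]} characters`);
      continue;
    }
    if (field !== 'message' && CRLF_RE.test(v)) {
      errors.push(`${field} must be a single line`);
      continue;
    }
    value[field] = v; // unexpected keys in body are simply not copied
  }
  if (value.email !== undefined && !EMAIL_RE.test(value.email)) {
    errors.push('email is not well-formed');
  }
  return errors.length ? { ok: false, errors } : { ok: true, value };
}

// Sliding-log limiter: at most `max` accepted requests per `windowMs` per key
// (here the remote IP). Timestamps are passed in so the logic is testable.
class RateLimiter {
  constructor(max, windowMs) {
    this.max = max;
    this.windowMs = windowMs;
    this.hits = new Map(); // key -> timestamps (ms) of accepted requests
  }
  allow(key, now) {
    const cutoff = now - this.windowMs;
    const recent = (this.hits.get(key) || []).filter((t) => t > cutoff);
    if (recent.length >= this.max) {
      this.hits.set(key, recent);
      return false;
    }
    recent.push(now);
    this.hits.set(key, recent);
    return true;
  }
}

// Route handler in the shape an Express-style route would use. Takes the
// client IP and the parsed JSON body; returns an HTTP status and payload.
// sendMail is a hypothetical callback supplied by the caller, so nothing is sent.
function handleContact({ ip, body }, limiter, now, sendMail) {
  if (!limiter.allow(ip, now)) {
    return { status: 429, body: { error: 'too many requests' } };
  }
  const result = validateContactForm(body);
  if (!result.ok) {
    return { status: 400, body: { errors: result.errors } };
  }
  sendMail(result.value);
  return { status: 202, body: { sent: true } };
}

// Constructed requests: one well-formed, one crafted outside the browser.
const limiter = new RateLimiter(3, 60 * 1000);
const outbox = [];
const good = handleContact(
  { ip: '203.0.113.7', body: { name: 'Ada', email: 'ada@example.org', message: 'Hi' } },
  limiter, 0, (m) => outbox.push(m));
const crafted = handleContact(
  { ip: '203.0.113.7', body: { name: 'x\r\nBcc: someone@example.net', email: 'not-an-email', message: '' } },
  limiter, 1000, (m) => outbox.push(m));
console.log(good.status, crafted.status, crafted.body.errors);
```

The crafted body never touched the Angular validation, which is the whole point: the only checks that reliably run are the ones in `validateContactForm`, and the limiter is what stops a script from looping the same request to flood the inbox. Per-IP limiting is a heuristic (users behind a shared NAT share a bucket), so keep the limit generous enough for real traffic.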