
I am making a contact form and I have almost finished it, but I want to make sure that it isn't easy for people to spam my mail. At the moment I am checking whether the user has filled in all fields using JavaScript, and if they haven't, an element's text is changed to something like: "You have to fill in this field". Now I wanted to validate text and emails using the filter_var function from PHP and then change the text to something like: "Please fill in a valid email". This is the JavaScript code I am using at the moment:

$(document).ready(function() {
  document.getElementById('submitButton').onclick = function() {
    var firstName = document.forms["contactForm"]["firstName"].value;
    var lastName = document.forms["contactForm"]["lastName"].value;
    var email = document.forms["contactForm"]["email"].value;
    var message = document.forms["contactForm"]["message"].value;

    var submit = true;

    if (firstName == null || firstName == "") {
      document.getElementById("firstName_error").innerHTML = "Please enter your first name";
      submit = false;
    }

    if (lastName == null || lastName == "") {
      document.getElementById("lastName_error").innerHTML = "Please enter your last name";
      submit = false;
    }

    if (email == null || email == "") {
      document.getElementById("email_error").innerHTML = "Please enter your email";
      submit = false;
    }

    if (message == null || message == "") {
      document.getElementById("message_error").innerHTML = "Please enter your message";
      submit = false;
    }

    return submit;
  }

  document.getElementById("firstName").onkeyup = removeWarning;
  document.getElementById("lastName").onkeyup = removeWarning;
  document.getElementById("email").onkeyup = removeWarning;
  document.getElementById("message").onkeyup = removeWarning;
});

function removeWarning() {
  document.getElementById(this.id + "_error").innerHTML = "";
}
  • Client side can be bypassed. – chris85 Aug 28 '17 at 20:08
  • You should get the field's content and check if it matches the desired criteria... – Leonardo Alves Machado Aug 28 '17 at 20:08
  • Okay, and PHP is server-side, right? – RuuddR Aug 28 '17 at 20:11
  • Yes, PHP is server side. – chris85 Aug 28 '17 at 20:12
  • Both. Front and backend – clearshot66 Aug 28 '17 at 20:12
  • So the best would be to remove the JavaScript and just script everything in PHP? – RuuddR Aug 28 '17 at 20:12
  • It will take a bit longer (form processing needs to occur on the server, then errors are sent back. You also will need to repopulate the form data, or force the user to do it again). You can do the JS validation for a nice UX, but don't trust it. A malicious user can easily get by that. – chris85 Aug 28 '17 at 20:13
  • Alright, I will read the answer of the other post and try to get it all working. Thank you! – RuuddR Aug 28 '17 at 20:14
  • Both. You do user-side validation to help the user and make your form less of a pain. You ALWAYS do server-side validation, though, because there are jerks out there that will bypass your forms and start finding ways to exploit the fact that you never checked server-side. – Bluebaron Aug 28 '17 at 20:14
  • Alright, so I should do things like making sure there is a @ in the email and showing the user there is something wrong with the email, or when fields are empty, in JavaScript (client side), and removing malicious stuff from the input fields in PHP (server side)? – RuuddR Aug 28 '17 at 20:17
  • @xX4m4zingXx Yes.. think of the front end to make life easier for your normal visitors, the back end to prevent your whole system from crashing from people bypassing the front end. – Ice76 Aug 28 '17 at 20:22
  • Alright, thank you everyone. I have enough information about this now! – RuuddR Aug 28 '17 at 20:26
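The server-side check the comments recommend, written in PHP around filter_var as an added example (not code from the question or from any answer). It assumes the form posts to this script, that the error keys mirror the `_error` element ids in the question's JavaScript, and that the length caps and JSON response shape suit the page:

```php
<?php
// Added example (not from the question): server-side counterpart of the
// JavaScript checks above. Field names firstName, lastName, email and
// message are the question's; the length caps, the "_error" key suffix
// and the JSON response shape are assumptions for this example.
function validateContactForm(array $post): array
{
    $errors = [];
    $firstName = trim($post['firstName'] ?? '');
    $lastName  = trim($post['lastName'] ?? '');
    $email     = trim($post['email'] ?? '');
    $message   = trim($post['message'] ?? '');

    // Same empty checks as the JS, plus byte-length caps so the mail
    // cannot be padded with arbitrarily large bodies.
    if ($firstName === '' || strlen($firstName) > 100) {
        $errors['firstName_error'] = 'Please enter your first name';
    }
    if ($lastName === '' || strlen($lastName) > 100) {
        $errors['lastName_error'] = 'Please enter your last name';
    }
    // filter_var does the syntax check the question asks about; it also
    // rejects CR/LF, so a validated address can go into a Reply-To header
    // without enabling mail header injection.
    if ($email === '' || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors['email_error'] = 'Please enter a valid email';
    }
    // Names may end up in a header too, so refuse line breaks in them.
    if (preg_match('/[\r\n]/', $firstName . $lastName)) {
        $errors['firstName_error'] = 'Names cannot contain line breaks';
    }
    if ($message === '' || strlen($message) > 5000) {
        $errors['message_error'] = 'Please enter your message';
    }
    return $errors;
}

// Every request is checked here, whether or not the browser ran the JS.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    header('Content-Type: application/json');
    $errors = validateContactForm($_POST);
    if ($errors !== []) {
        http_response_code(422);   // let the page show the messages
        echo json_encode(['ok' => false, 'errors' => $errors]);
        exit;
    }
    // Only validated values reach the mail-sending code from here on.
    echo json_encode(['ok' => true]);
}
```

The JavaScript can keep its immediate feedback and submit with fetch(), writing each returned message into the matching `_error` element, so the user sees the same text whether the client or the server caught the problem.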

0 Answers