0

When validating forms with javascript and php, why do we need to include the same validation rules (ie correct format, checking fields are filled in, values within bounds) on both the server and browser? I understand that javascript can be turned off, so why not just have everything on the server and save checking it twice?

Harryc
  • 9
  • 6
  • 3
    Mostly for UX purposes. So for example user doesn't have to wait for a response from the server, and you can automatically within ms return errors, this would also fall for taking load off your server, so your server won't process information that is already wrong. – Adrian Sep 14 '17 at 09:09
  • 1
    We don't need to [validate at client-side], it's up to you what kind of user experience you want to offer to your users. – Teemu Sep 14 '17 at 09:09

5 Answers5

0

Utilising client side validation, generally, gives a much nicer experience for the user. For example, instead of the user filling out a form, then submitting it to find out they've made mistakes, with Javascript we can let them know as they finish typing. That is a much easier/cleaner/quicker way for the user to fix their mistakes.

When using client sided validation, you must also use backend validation because javascript can be manipulated. E.G. What happens if they go into the dev tools inspector and alter the validation script to allow malicious details to be entered? Or what about if they inject their own malicious script? Or what about if they turn off Javascript in the browser as a whole? That is where the backend validation comes into play.

ProEvilz
  • 5,310
  • 9
  • 44
  • 74
0

It is important to validate the form submitted by the user because it can have inappropriate values. So validation is must.

The JavaScript provides you the facility the validate the form on the client side so processing will be fast than server-side validation. So, most of the web developers prefer JavaScript form validation.

Through JavaScript, we can validate name, password, email, date, mobile number etc fields.

As others have said, you should do both. Here's why:

Client Side

You want to validate input on the client side first because you can give better feedback to the average user. For example, if they enter an invalid email address and move to the next field, you can show an error message immediately. That way the user can correct every field before they submit the form.

If you only validate on the server, they have to submit the form, get an error message, and try to hunt down the problem.

(This pain can be eased by having the server re-render the form with the user's original input filled in, but client-side validation is still faster.)

Server Side

You want to validate on the server side because you can protect against the malicious user, who can easily bypass your JavaScript and submit dangerous input to the server.

It is very dangerous to trust your UI. Not only can they abuse your UI, but they may not be using your UI at all, or even a browser. What if the user manually edits the URL, or runs their own Javascript, or tweaks their HTTP requests with another tool? What if they send custom HTTP requests from curl or from a script, for example?

(This is not theoretical; eg, I worked on a travel search engine that re-submitted the user's search to many airlines, bus companies, etc, by sending POST requests as if the user had filled each company's search form, then gathered and sorted all the results. Those companies' form JS was never executed, and it was crucial for us that they provide error messages in the returned HTML. Of course, an API would have been nice, but this was what we had to do.)

Not allowing for that is not only naive from a security standpoint, but also non-standard: a client should be allowed to send HTTP by whatever means they wish, and you should respond correctly. That includes validation.

Server side validation is also important for compatibility - not all users, even if they're using a browser, will have JavaScript enabled.

Pranav MS
  • 2,235
  • 2
  • 23
  • 50
0

I'd suggest server side validation and use JS/AJAX to do the client side, that way you have 1 set of validation rules on the server and you still get client side response without page refresh. Remember that some people choose not to have JS turned on (I had clients working in Government departments where JS was turned off) so you need a fallback position.

To clarify: create pre-validation JS function that posts your data using an AJAX call to the server, the server then applies the validation rules to the data and return a response (XML/JSON/whatever) to your JS validation function. Your JS will then process the response checking for success/failure. On failure display an error message (probably some data set in the response), and on success continue to post the form data to the server for processing. The server then needs to run the validation on the post data again (using the same validation function/logic) to ensure nothing has been tampered with along the way. Then, finally, process the data on the server to do whatever you want with it

Wee Zel
  • 1,294
  • 9
  • 11
  • What do you mean, use 'AJAX' to do the client side? AJAX is a script that allows communication to and from external sources such as a database. AJAX doesn't validate things. – ProEvilz Sep 14 '17 at 09:33
  • You can use AJAX to validate data using the server (on input change, focus, etc). And you can use the same validation functions on the server from the AJAX request when you submit the form. – tdoggy Sep 14 '17 at 09:37
  • What AJAX function validates stuff? You can use AJAX to SEND data to **be** validate, but it **doesn't validate** things its self. – ProEvilz Sep 14 '17 at 11:05
  • @ProEvilz "JS function that posts your data using an AJAX call to the server, the server then applies the validation rules to the data and return a response" – Wee Zel Sep 14 '17 at 11:22
  • My stuff is in response to your original post, you've since edited it and added clarifications. But to be clear, AJAX doesn't do validation, it's but a means of transferring data. – ProEvilz Sep 14 '17 at 11:24
-1

Each time user sends data to the server it gets validated on the server and returns the response whether the data is valid(200 HTTP Code) or invalid(400 HTTP Code).

Example Payload

{ "name": "@batman#123" } //Invalid data gets sent to the server and processed

This whole process consumes both memory and time. So in order to save those, we don't send the previous request at all. In the previous example client while entering his name "@batman#123" will get an error and the whole process of using server is removed.

Navjot Ahuja
  • 1,141
  • 7
  • 10
-3

From my experience and opinion you need to do validation in JS only. Yes, it can sounds weird, but no need to do server side validation. Just throw exception and 400 response code.

Using this approach you will avoid headache with issues like

we have different error messages for all fields if user use german language. Why it happen?

Also you will be available to create clean restful service at backend, and nice js frontend. Of course, if you will do this way, you should take care that your client part smart enough.

Notes:

what happens if the user turns off JS in their browser?

it will mean that user don't want to use vendor provided client service. Probably, user will see "please enable js". It will mean, that user should send valid requests (following vendor api).

How is the server side code going to decide it needs to throw an exception if you don't do validation there?

Database can throw exception because of foreign or unique or primary key constraint failed, server can throw exception due datatype mismatch. Link to newly added data will be malformed or invisible.

You can manipulate client sided javascript to do what ever you want. When I manipulated your JS validation and it goes to MySQL database, you can use XSS attack.

If you will send valid request, but with XSS attack (for an example in comment field) you will be able to perform this attack only against yourself, because only you trying to use invalid (or self-written) client side, which allow xss.

degr
  • 1,559
  • 1
  • 19
  • 37
  • And then what happens if the user turns off JS in their browser? **Client** sided validation is not enough. Yes, you can use JS for validation only provided the backend validation is also JS like via node.js. – ProEvilz Sep 14 '17 at 09:19
  • If user will turn off js, he will see error message - please enable js. From w3 RECOMMENDATIONS website should DISPLAY information without js, but majority of modern web application require js for stable work. There is only one exception from this rule - if you develop webapplication for onion, i2p or similar darknet networks. Only in this case you should take care about problem - site should work without js. But sorry, for me this is step back to past. – degr Sep 14 '17 at 10:16
  • How is the server side code going to decide it needs to throw an exception if you don't do validation there? – Quentin Sep 14 '17 at 10:30
  • `400 Bad Request` responses are supposed to be for when the client makes an error in the HTTP syntax. Not for when the data isn't acceptable. – Quentin Sep 14 '17 at 10:31
  • There is many ways. Database can throw exception because of foreign key constraint failed, server can throw exception due datatype mismatch. Link to newly added data will be invisible for all. Many of them. I did not take care about how client will submit data. He can do it using anything - he can write form, he can use cURL, he can use mobile application, or anything other. All of this ways is possible, but only one of them will be truly stable - vendor application form. – degr Sep 14 '17 at 10:36
  • `The HTTP 400 Bad Request response status code indicates that the server could not understand the request due to invalid syntax. The client should not repeat this request without modification.` – degr Sep 14 '17 at 10:37
  • @degr You can manipulate **client** sided javascript to do what ever you want. If you do not use **server side validation**, whether that be a JS or PHP backend/server then you are 100% compromised. Do not do this. E.G I can change *all* of your validation requirements and get it to submit. – ProEvilz Sep 14 '17 at 11:10
  • There is a reason why your answer has got downvoted twice and I suspect it will get downvoted even more as time goes by. – ProEvilz Sep 14 '17 at 11:11
  • When I manipulated your JS validation and it goes to MySQL database, you can use XSS attack. – ProEvilz Sep 14 '17 at 11:12
  • As I mentioned before, I absolutely did not take care how data will come to my server. You can prepare request body and request headers in notepad and send it via tcp/ip without js and html. But, if it will be invalid request, it will fail due server 400 error. If you will send valid request, but with XSS attack (in comment field) you will be able to perform this attack only against yourself, because only you trying to use invalid (or self-written) client side, which allow xss. All other users, who use vendor specific frontend will see your xss attempt as plain text. – degr Sep 14 '17 at 11:25
  • Oh. My. God. Pretty much most of things on 'things you should not do when accepting and storing data from client' in one place... One should never trust a client especially when dealing with servers. No matter what, client side verification is not enough and, the most you should be doing with it is improve the UX nothing more for the sake of your server, data etc. Throwing errors like this is just pure awful design, 404 here.. one there.. will never debug that. Server validation/sanitisation should always be there no matter what and should come way before writing for UX. – Adrian Sep 14 '17 at 19:31
  • Lol, this discussion bring no result. If you want, you may provide any example, and I will provide information how to work with it by this approach. And actually, when you throw 400 error on your server, it mean that you are take care about your input data. And yes, it mean that you did not trust to client. – degr Sep 15 '17 at 07:54
  • @degr So you do end up revalidating on the server... – Adrian Sep 15 '17 at 17:46