I was making a registration form for my project and I have validated it using JavaScript only. It perfectly validates every field and works pretty well. I have made the submission of the form to the database fully dependent on the JavaScript, i.e. using hidden input fields to capture the JavaScript-validated values, which are then submitted to the database. If the JavaScript feature is disabled, nothing will be submitted to the database. I couldn't find any suitable real-time validator other than this for a PHP form, plus it's my first time doing a project. (The project is intended to work on a local server in a company.) So I just want to know if I am doing the right thing. Please give me your suggestions on this.
You must validate on the server and take care with incoming data, escaping it properly if you're using it in SQL or outputting it to HTML. The reason is you can submit data using an external tool, and your server wouldn't know the difference. – IT goldman Jul 29 '22 at 17:09
2 Answers
That works fine for normal users, but for malicious actors who wish to hack into your app, they can send requests to your endpoints however they like. So for instance, if you are accepting HTML form inputs and using those in database queries, they may bypass your JavaScript and try to send SQL injection attacks. So at the very least, you will want to either use prepared database statements, or use something like mysqli_real_escape_string() on your string inputs, and type casting (int), (float) on your number inputs, before inserting them into any SQL.
You will also want to read about the vulnerabilities of both of these methods, as there are rare edge cases that can still find ways into your system if you are using certain character sets for your database, etc., or so I have read.
And if you are using any user-supplied inputs and putting them into an email body, you will want to research email injection attacks as well.
It is still good practice to validate client side as well, as it provides a better user experience.

In general, you should never rely on client-side validation, because you can't trust the client.
You can use client-side validation for real-time feedback, but always validate data on the server.
> If JavaScript feature is disabled nothing will be submitted to database.

This assumes that the user only uses the interface you provided. In the background, the form submission only triggers an HTTP POST request to your server that can be modified (and sent from outside your application, thereby bypassing your client-side validation completely).

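Both answers come down to the same rule: the server validates the POST body itself, and values reach SQL only as bound parameters. The PHP below is an added illustration of that for the registration form in the question; it is not code from the question or either answer, and the `users` table columns, the field names and the database credentials are assumptions.

```php
<?php
// Added example, not code from the question or either answer. Assumed: a `users`
// table with columns username, email, age; the DB credentials below are placeholders.
declare(strict_types=1);
// Validate the raw POST body on the server and return [errors, cleaned values].
// Read the real fields, not hidden "already validated" inputs: a client can POST anything.
function validateRegistration(array $post): array
{
    $errors = $clean = [];
    $username = is_string($post['username'] ?? null) ? trim($post['username']) : '';
    if (preg_match('/^[A-Za-z0-9_]{3,32}$/', $username) !== 1) {
        $errors['username'] = 'Use 3-32 letters, digits or underscores.';
    } else {
        $clean['username'] = $username;
    }
    $email = filter_var($post['email'] ?? '', FILTER_VALIDATE_EMAIL);
    if ($email === false) {
        $errors['email'] = 'Invalid email address.';
    } else {
        $clean['email'] = $email;
    }
    // Type-check before casting: a bare (int)"25abc" would silently become 25.
    $age = filter_var($post['age'] ?? '', FILTER_VALIDATE_INT,
                      ['options' => ['min_range' => 18, 'max_range' => 120]]);
    if ($age === false) {
        $errors['age'] = 'Age must be a whole number from 18 to 120.';
    } else {
        $clean['age'] = (int)$age;
    }
    return [$errors, $clean];
}

// Prepared statement: values are bound as parameters, never concatenated into the SQL text.
function insertUser(mysqli $db, array $clean): bool
{
    $stmt = $db->prepare('INSERT INTO users (username, email, age) VALUES (?, ?, ?)');
    $stmt->bind_param('ssi', $clean['username'], $clean['email'], $clean['age']);
    return $stmt->execute();
}
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    [$errors, $clean] = validateRegistration($_POST);
    if ($errors !== []) {
        http_response_code(422);               // reject; the page may display these messages
        header('Content-Type: application/json');
        echo json_encode(['errors' => $errors]);
        exit;
    }
    $db = new mysqli('localhost', 'app_user', 'CHANGE_ME', 'app_db');  // placeholder credentials
    echo insertUser($db, $clean) ? 'Registered.' : 'Registration failed.';
}
```

The JavaScript in the form can keep giving instant feedback; the server's decision just no longer depends on it.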