
Possible Duplicate:
Why is client-side validation not enough?

What is the purpose of using both validations at the same time? Because it's an extra burden on the server to validate the form inputs in PHP if the JavaScript validation is successful. Can we not use a flag and set or unset its value depending upon whether the JavaScript validation is successful or not? And if the flag value is set, we will skip the PHP validation. Is it not possible? If it's not possible, can you explain with a valid real-life example? Or can a user modify the value of the flag even if we pass it in a header?

Waiting for some logical answers.

Thank you.

Subhra
  • The form should not be submitted if the client validation fails – Muleskinner Mar 02 '12 at 10:15
  • The user could modify the data being sent to the server after the JS validation. So the JS validation could pass, but the data received by the server is completely different. Client-side validation should only be used to provide instant feedback to the user. It should never replace server-side validation. – James Allardice Mar 02 '12 at 10:16
  • Any attacker can easily trick the server into thinking client-side validation was performed even though it wasn't. – BoltClock Mar 02 '12 at 10:16
  • Well actually you cannot rely only on the JavaScript-side validation; what if the user disables it or modifies the code? So server-side validation is always needed. (//Grr other posters are so fast) – Risto Novik Mar 02 '12 at 10:17
  • PHP (server-side) validation is a must. JavaScript (client-side) validation is a nice feature to have. Anything that comes to the server from the outside (GET, POST, cookies, etc.) can be manipulated. – kapa Mar 02 '12 at 10:18

7 Answers


Validating with JavaScript saves you a trip to the server, and creates a nice responsive user experience.

Validating with PHP is necessary so you don't get broken data, or worse (the user could disable JavaScript or post data to your PHP application in a number of ways).

Dagg Nabbit

JavaScript can be disabled by the user. It can also be manipulated because it is client side.

One thing to always keep in mind: never trust the user's input. Even if you trust the users, or if the website is limited to a very small audience known to you.

So always keep server side validation.

Client side validation is for usability, so I would recommend you keep that too.

Rene Pot

The purpose quite simply is the safety.

JavaScript validation happens on the client side - in the user's browser. There is no problem disabling or editing the validation to my liking using a tool like Firebug, for example, or disabling it entirely by disabling JavaScript in my browser.

PHP validation, on the other hand, is done on the server side and the user can't interfere with that.

To sum it up, and how I like to think about it - Javascript validation is for the ease of use for the client, PHP is for actual safety.

Pankucins

You can never trust user input. JavaScript is a utility for improving user experience, not your first line of defense against malicious user behavior. JavaScript itself can be used to bypass all JavaScript validations; all someone has to do is type this command in console:

document.forms[0].submit();

Now I am not sure what the idea of using flags is about. But it is just as easy for someone to "set" the flag manually if he/she can bypass JavaScript validation.

And if you think server side validation causes burden on the server, you're being ignorant (or lazy, perhaps).

Salman A
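The following is an added example, not code from the question or from any of the answers, to make concrete what this answer and the question's "flag" idea come down to: a single set of rules used once in the browser for instant feedback and once on the server as the authority, plus a constructed request that arrives with the "already validated" flag set but with data that never passed the client check. The server's decision is taken from the data alone. The field names, the `X-Client-Validated` header name and both sample requests are assumptions made for this demonstration; the server side stands in for the PHP handler the original page discusses.

```javascript
// Added example (not from the original question or answers): one rule set,
// run on the client for feedback and on the server as the authority.
// Field names, the flag header and the sample requests are constructed.

// Shared rules. Keeping a single definition avoids the client and server
// drifting apart; the client copy is a convenience, the server copy is law.
const RULES = {
  username: (v) => typeof v === 'string' && /^[a-z0-9_]{3,16}$/.test(v),
  age:      (v) => Number.isInteger(v) && v >= 13 && v <= 120,
  email:    (v) => typeof v === 'string' && /^[^@\s]+@[^@\s]+\.[^@\s]+$/.test(v),
};

// Returns the names of the fields that fail (an empty list means valid).
function validate(fields) {
  return Object.keys(RULES).filter((name) => !RULES[name](fields[name]));
}

// Browser side (conceptually): runs before submit, only to give feedback.
// It also sets the flag the question proposes, so the demo can show that
// the server gains nothing by reading it.
function clientSubmit(fields) {
  const errors = validate(fields);
  if (errors.length) {
    return { sent: false, errors };               // form stays on screen
  }
  return {
    sent: true,
    request: { headers: { 'X-Client-Validated': 'true' }, body: { ...fields } },
  };
}

// Server side (the PHP handler's job on the original page). The flag is
// echoed back purely to illustrate the point; the decision never uses it.
function serverHandle(request) {
  const clientFlag = request.headers['X-Client-Validated'];
  const errors = validate(request.body);
  if (errors.length) {
    return { status: 400, accepted: false, errors, clientFlag };
  }
  return { status: 200, accepted: true, errors: [], clientFlag };
}

// Constructed request that reaches the server without ever running
// clientSubmit (for instance the form submitted from the console, as in
// the answer above), yet still carrying the flag.
const FORGED_REQUEST = {
  headers: { 'X-Client-Validated': 'true' },
  body: { username: 'Bob Smith!', age: 'twelve', email: 'not-an-email' },
};

// Runs the honest path and the forged path side by side.
function demo() {
  const honest = clientSubmit({ username: 'alice_01', age: 30, email: 'alice@example.com' });
  return {
    honestClientSent: honest.sent,
    honestServer: serverHandle(honest.request),
    forgedServer: serverHandle(FORGED_REQUEST),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The honest submission is accepted with status 200; the forged one is rejected with status 400 and all three fields listed, even though `clientFlag` is `'true'` in both cases. That is the whole argument in one place: the flag is just another byte the client chose to send, so the server cannot learn anything from it that it did not already have to check itself.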

Client side validation is primarily for user-experience and basic-validation.

While writing server side code, you should write validation to ensure security and to make sure the requests are not tampered in between.

Satish

As you might know, browsers allow the user to disable javascript. In such a case, client side validation code will not be executed. If there is no server side validation, this will create inconsistency in your application.

For example, if there is an input text field for which your application is expecting an integer value and the user inputs a non-integer value, your application is bound to misbehave, and if you are using a database, it will throw some error.

Sunil Kumar B M

To strengthen a point the other answers may have implied: not only is it possible to bypass JavaScript in a browser, but it is possible to send data to your server without even visiting your website, if an attacker analyses the requests sent to and from your website.

This can be done either by a tool that manipulates the GET / POST requests (thus even using a valid session) or a tool that builds its own requests.

JavaScript validation is there to help your regular users enter well-formed data; server-side validation protects your server and your data integrity.

cypherabe