
I am building an obscure application which is only available after an involved sign-up process, so submitting malicious data should not occur often.

I use CodeIgniter 2.1 to filter all POST variables. CodeIgniter uses the PHP function mysql_real_escape_string, among other measures, to prevent an SQL injection attack through POST data.

I do all my validation client-side using JavaScript. The JavaScript validation runs well. Of course, a user could use cURL or some other utility to bypass the client-side validation, but the stock PHP validation in CodeIgniter should prevent SQL injection, right?

Can I do my validation client-side and trust CodeIgniter to protect the database from an SQL injection attack?

steampowered
  • SQL injection is only one thing to worry about (you are probably safe against that one). You should **always use server-side validation**; JavaScript validation is just a convenience feature (JavaScript can even be turned off, so it's worth nothing when you talk about security). Users can send ANY kind of data, they can manipulate your forms, they don't even need cURL. – kapa Mar 08 '12 at 10:23
  • I agree server-side validation should be implemented, and CodeIgniter does implement a level of server-side validation. The question is whether CodeIgniter does enough validation, not whether any validation is required at all. – steampowered Jul 05 '12 at 17:48
  • Certainly not enough. It can prevent some types of attacks, but you always have to be strict. If you expect a date, only accept a date. If you expect a number, only accept a number. Etc. You should consider client-side validation as not existing. Also, filtering and validation are not the same. – kapa Jul 05 '12 at 17:51

2 Answers


This is what CodeIgniter claims. You can find this in the system/core/Security.php file:

Sanitizes data so that Cross Site Scripting Hacks can be prevented. This function does a fair amount of work but it is extremely thorough, designed to prevent even the most obscure XSS attempts. Nothing is ever 100% foolproof, of course, but I haven't been able to get anything past the filter.

Code Prank

It's pretty simple IMHO. If it uses mysql_real_escape_string, you are not safe in all cases. See this answer for more information: Best way to prevent SQL Injection in PHP.

Besides the fact that you are not safe, it also uses outdated functions for talking to MySQL.

Also: you should always do server-side validation! Never ever trust the client side!

PeeHaa
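An added example, written for this page and not code from the question, from CodeIgniter or from any of the posters, showing the two points made above: kapa's point that validation means accepting only the type the field is supposed to hold, and PeeHaa's point that escaping alone does not cover every case. Because mysql_real_escape_string no longer exists in current PHP, the block uses a stand-in function that escapes the same characters; the database is an in-memory SQLite instance opened through PDO, and the table, rows and inputs are constructed for the demonstration.

```php
<?php
// Added example (not from the question or CodeIgniter): escaping-only versus
// server-side validation plus a prepared statement. Runs offline with SQLite.

declare(strict_types=1);

// Stand-in for mysql_real_escape_string (removed in PHP 7). It escapes the same
// characters; note that it never touches input containing none of them.
function legacyEscape(string $s): string
{
    return strtr($s, [
        "\\"   => "\\\\",
        "'"    => "\\'",
        "\""   => "\\\"",
        "\0"   => "\\0",
        "\n"   => "\\n",
        "\r"   => "\\r",
        "\x1a" => "\\Z",
    ]);
}

// Escaping only: the escaped value is concatenated into an unquoted numeric
// position, so escaping has nothing to act on and the query shape can change.
function findUserEscapedOnly(PDO $db, string $id): array
{
    $sql = "SELECT id, name FROM users WHERE id = " . legacyEscape($id);
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Server-side validation: a user id is a string of digits and nothing else.
// ctype_digit rejects signs, whitespace, letters and the empty string.
function validateUserId(string $raw): ?int
{
    if (!ctype_digit($raw) || strlen($raw) > 10) {
        return null;
    }
    return (int) $raw;
}

// Hardened: validated input bound as an integer through a prepared statement.
function findUserSafe(PDO $db, string $rawId): array
{
    $id = validateUserId($rawId);
    if ($id === null) {
        return []; // reject rather than guess; a real controller would answer 400
    }
    $stmt = $db->prepare("SELECT id, name FROM users WHERE id = :id");
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed sample data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)");
$db->exec("INSERT INTO users VALUES (1, 'alice'), (2, 'bob'), (3, 'carol')");

// Constructed input: it contains no quote or control characters, so the
// escaping function returns it unchanged and the first query no longer
// selects a single row. The validator rejects it outright.
$input = "1 OR 1=1";
echo "Escaped form unchanged: ", var_export(legacyEscape($input) === $input, true), PHP_EOL;
echo "Escaping only, rows:    ", count(findUserEscapedOnly($db, $input)), PHP_EOL;
echo "Validated, rows:        ", count(findUserSafe($db, $input)), PHP_EOL;
echo "Validated '2', rows:    ", count(findUserSafe($db, "2")), PHP_EOL;
```

The validation step is the part CodeIgniter's filtering does not do for you: the framework can escape characters, but only the application knows that this particular field must be an integer. Binding the value with PDO::PARAM_INT after validation means the query text never depends on user input at all.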