12-31-2007, 11:22 AM
I just wanted to check if it was possible to do client-side and server-side form validation in the same form. I think it should be OK, but it may be a bit complex. The reason is that my forms are so big that I want the user experience to be as good as possible. So when all the client-side validation is done I will move on to server-side validation.
Is this a good idea?
12-31-2007, 11:56 AM
That would be good I guess, although I've got a bit of a learning curve there!
12-31-2007, 04:39 PM
MooTools has a fairly simple validation script you can use. Here's a nice example to show how easy it is. You should be able to do client-side validation on the fields with this and then pass it to the server from there.
12-31-2007, 11:11 PM
The server side validation is then done AFTER the form is submitted.
You can't do the server side validation via Ajax as that then places it under your visitor's control and they can turn it off and submit anything at all in the form.
Make sure that the server side validation is thorough and doesn't allow anything through that is not acceptable data. The client side validation does not need to be as thorough since the server side validation will still catch any errors that the client side missed. Testing client side for situations that will rarely occur and which require a huge amount of code to test will detract from rather than enhance visitor experience.
01-01-2008, 07:55 AM
01-01-2008, 08:36 AM
No, you cannot trust any data that is submitted to the server. It must be validated after it has been submitted.
A bot script could send HTTP requests that satisfy your AJAX server-side script (assuming that your script is keeping track of whether validation was successful) with a single valid email address and then submit a list of email addresses or a list containing an HTML-encoded BCC:... to the actual form processing code.
The form processing code is the last and most important line of defense. It must check all input it receives.
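The point made in the post above, as an added example that is not part of the original thread: the form-processing code validates every submission itself and ignores any client-supplied claim that an Ajax pre-check passed. The field names `email`, `message` and `clientValidated` and the sample submissions are assumptions constructed for illustration.

```javascript
// Added example: server-side checks that run on every submission.
// Field names (email, message, clientValidated) are assumptions.
const EMAIL_RE = /^[A-Za-z0-9._+-]{1,64}@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$/;

function validateEmail(value) {
  // A repeated form field can arrive as an array; accept one string only.
  if (typeof value !== "string") return "email must be a single string";
  if (value.length > 254) return "email too long";
  // Allowlist match for exactly one address: commas, spaces, CR/LF, '%' and
  // '&' (extra recipients, raw or encoded line breaks, "Bcc:") all fail here.
  if (!EMAIL_RE.test(value)) return "email is not a single valid address";
  return null;
}

function validateMessage(value) {
  if (typeof value !== "string") return "message must be a string";
  const trimmed = value.trim();
  if (trimmed.length === 0) return "message is required";
  if (trimmed.length > 2000) return "message too long";
  return null;
}

// Called by the form handler for every POST, whether or not an Ajax
// pre-check ran. Any "already validated" flag sent by the client is ignored.
function processSubmission(fields) {
  const errors = {};
  const emailErr = validateEmail(fields.email);
  if (emailErr) errors.email = emailErr;
  const msgErr = validateMessage(fields.message);
  if (msgErr) errors.message = msgErr;
  return { ok: Object.keys(errors).length === 0, errors };
}

// Constructed sample submissions.
const samples = [
  { email: "alice@example.com", message: "Hello" },
  { email: "a@example.com, b@example.com", message: "Hello", clientValidated: "1" },
  { email: "a@example.com\r\nBcc: list@example.net", message: "Hello", clientValidated: "1" },
  { email: "a@example.com%0ABcc:list@example.net", message: "Hello" },
  { email: ["a@example.com", "b@example.com"], message: "" },
];
for (const s of samples) {
  console.log(JSON.stringify(s.email), JSON.stringify(processSubmission(s)));
}
```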
01-01-2008, 12:07 PM
OK, I'll just keep my server-side stuff the way it was then. However, even the Yahoo registration form looks like it uses Ajax for registration.
01-01-2008, 06:27 PM
Yahoo has also developed a large library of code called YUI, including Ajax functions. So yes, they use Ajax, but they don't abandon server-side validation. It's true, if someone doesn't have JS on, Ajax fails and you have to make sure things are validated on the server. You can have a hybrid of a page which when JS is on will do the validation through Ajax while it's inputted and when JS is off does it all at the end. Depends on server load and such.
01-01-2008, 07:47 PM
But you would want to re-run that check on the server once the form has been submitted anyways.