How To: Avoid Server-Side Form Validation
Vladdy
02-04-2003, 12:35 AM
If you are a usability nut, then keep moving to the next thread.
For the rest of you who care less about paranoid individuals that disable javascript (they disable js and you think they will leave their CC number with you, huh :D :D) here is an idea of how to avoid the need for double-checking user input on the server:
in your form action put a page that informs the visitor about the need to have js enabled:
<form .... action="youneedjs.html" .... onSubmit="validate(this)">
in your validation function add a line (that is executed if validation is successful):
this.action = "processinput.asp"
As a result your form is never processed unless javascript was enabled!!!
Mhtml
02-04-2003, 05:54 AM
heh, simple yet does the job. I'll remember that. :)
whammy
02-04-2003, 03:01 PM
Not a bad idea. :)
Philip M
02-04-2003, 07:22 PM
I have achieved the same effect by encrypting the <form>, thus,
<script>
<!--
document.write(unescape("%3CFORM%20action%3D%22http%3A//www.mydomain.co.uk/cgi-bin/formmail.pl%22%3E%0D%0A"));
//-->
</script>
If Javascript is disabled then the form does not exist!
Vladdy
02-04-2003, 08:09 PM
Originally posted by Philip M
I have achieved the same effect by encrypting the <form>, thus,
<script>
<!--
document.write(unescape("%3CFORM%20action%3D%22http%3A//www.mydomain.co.uk/cgi-bin/formmail.pl%22%3E%0D%0A"));
//-->
</script>
If Javascript is disabled then the form does not exist!
But your HTML code becomes invalid, unless ALL your form is inside document.write
Also, what's the point of escaping? if JS is off it would not be written anyway.
mordred
02-04-2003, 08:47 PM
Originally posted by Vladdy
As a result your form is never processed unless javascript was enabled!!!
That is what you hope will happen, but it's not guaranteed to happen. Any user capable of JavaScript can grab the form's real action attribute value from the JS code, insert it via JS or make his own form, and thus bypass your validation routines. It is a neat trick to urge people to use JS, but it is *not* secure. You will have to do server-side validation anyway to protect against the eventual cracker, and seriously, those are the ones you really ought to protect against.
Vladdy
02-04-2003, 09:17 PM
Originally posted by mordred
That is what you hope will happen, but it's not guaranteed to happen. <snip> You will have to do server-side validation anyway to protect against the eventual cracker, and seriously, those are the ones you really ought to protect against.
True, but these can be considered two different tasks.
1. Validation verifies that the data is appropriate for the field i.e. phone number has certain format, so does e-mail. This can be accomplished on the client and does not have to be repeated on the server.
2. Hacking protection makes sure no field contains potentially harmful code. In this case you look for certain words or symbols i.e. "<script>" which are independent from the field itself. This still needs to be done on the server, but the procedure is significantly simpler.
glenngv
02-05-2003, 01:05 AM
client-side validation can be bypassed even if javascript is enabled.
just type it in the address bar:
javascript:document.formName.onsubmit=function(){return true};alert('onsubmit handler changed!');
if you call a function that submits the form on click of a button:
javascript:document.formName.buttonName.onclick=null;alert('onclick handler changed!');
It doesn't mean that if javascript is enabled, your functions will always be executed. So it's always better to have server-side checking too.
whammy
02-05-2003, 01:28 AM
Yup, as a matter of fact I'll sometimes submit forms on purpose like this (for instance when I have to test server-side functionality on a form that has javascript validation in place, or want to fill out all of the fields by pasting in the address bar).