
javascript validation vs php validation



o0O0o.o0O0o
07-07-2009, 11:08 AM
Hi,

I have seen many times people saying that we have to do validation both with JS enabled and on php side if JS is disabled.

I am doing JS validation only and I am submitting the form through JS

like
this.form.submit()

So that if JS is disabled the form should not submit at all.

Is there any drawback in that approach, or am I missing something?

Because my whole site's functioning is based on JS, so if JS is disabled there is no point in submitting data.

VIPStephan
07-07-2009, 11:19 AM
Well, if the functionality of your entire site is based on the availability of JS then you’re going the wrong way in the first place because you would prevent some people from using your site. Progressive enhancement (http://en.wikipedia.org/wiki/Progressive_enhancement) is the key.

Let me say it in a nutshell: If there is no point in submitting data if JS isn’t available then there’s also no point in showing the form at all, right? That means you should actually add that form through JS DOM manipulation. A simple example would be a “print page” link that executes window.print() on click. If JS isn’t available that link wouldn’t do anything so why show it at all? That’s why without JS the link wouldn’t even be there and it’s added with JS so only users with JS enabled see it.

abduraooft
07-07-2009, 11:23 AM
javascript validation is just an aid for the users to give some hints(about the expected data) before submitting the form, to save their time. Thus, if javascript is enabled, and if the user followed all the directions from the client side, the form will pass the server side validation easily and s/he won't need to recheck the form again (after submit).

On the other hand, a server-side validation is a MUST for our pages which takes any kind of external data, to ensure the validness of our data, and also to prevent all kind of injection attacks.

o0O0o.o0O0o
07-07-2009, 11:38 AM
The validation alone is not the issue; there are many features.
I have made the whole site using AJAX, e.g. TODO list adding, removing, creating a new list dynamically.
They won't work if JS is disabled.

So it means every function should be coded twice, so that if JS is disabled every function still works the same way. I think it will take too much time to code and the client can't pay that much.
I agree if it's a university site or millions of people will be using it, but for a small user base is it worth coding all the functions twice?

Even the new Yahoo mail does not work if JS is disabled.
And how many users will there be who have JS disabled?

I am confused about which is the right way to approach this.

abduraooft
07-07-2009, 11:57 AM
Even the yahoo new mail does not work if JS is disabled .

They have a basic version too for those who have no javascript support, and that's what the link given by VIPS is all about.

I am doing JS validation only and i am submitting the form through JS

like

this.form.submit()

SO that if JS is disabled form should not submit at all .

You need to consider cases like:
1) Someone can submit the data to your page from a custom page (if it's not blocked by session/captcha).
2) Client-side code is not permanent. Tools like Firebug allow users to edit the HTML very easily (changing type="button" to type="submit" and removing the onsubmit handler from the form is not a big task).

oracleguy
07-07-2009, 05:10 PM
You should always do server-side validation, regardless of whether you have client-side validation. Like others have said, client-side validation is just so it is easier on the user, and it can save you bandwidth since it can avoid trips back and forth to the server.

Even with AJAX stuff, when you are processing the XML request on the server side, you should validate the data (again) just to make sure everything is OK.

Is this an Intranet or Internet site?
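The point made above, that the server has to validate the same data again whether it arrived from the normal form or from an AJAX call, as an added PHP example (not code from the thread). The TODO fields, the table and column names, the DSN and the use of the X-Requested-With header to detect an XMLHttpRequest are all assumptions for illustration; it assumes PHP 7 with PDO and mbstring.

```php
<?php
// Added example, not from the thread: server-side validation of a TODO item,
// applied on the same code path for a plain form POST and for an AJAX request.
// Field names, table/column names and DSN are assumed for illustration.
declare(strict_types=1);

function validate_todo(array $input): array
{
    $errors = [];
    $clean  = [];

    // Title: required, trimmed, bounded length (the 100-character limit is an assumed policy).
    $title = trim((string)($input['title'] ?? ''));
    if ($title === '') {
        $errors['title'] = 'Title is required.';
    } elseif (mb_strlen($title) > 100) {
        $errors['title'] = 'Title must be 100 characters or fewer.';
    } else {
        $clean['title'] = $title;
    }

    // List id: must be a positive integer. filter_var rejects anything that is not an int,
    // so a value such as "1 OR 1=1" never gets near the query.
    $listId = filter_var($input['list_id'] ?? null, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($listId === false) {
        $errors['list_id'] = 'Invalid list id.';
    } else {
        $clean['list_id'] = $listId;
    }

    // Due date: optional, but if present it must be exactly YYYY-MM-DD and a real calendar date.
    // createFromFormat silently rolls "2009-02-30" over to March, so the round trip catches that.
    $due = trim((string)($input['due'] ?? ''));
    if ($due === '') {
        $clean['due'] = null;
    } else {
        $d = DateTime::createFromFormat('!Y-m-d', $due);
        if ($d === false || $d->format('Y-m-d') !== $due) {
            $errors['due'] = 'Due date must be YYYY-MM-DD.';
        } else {
            $clean['due'] = $due;
        }
    }

    return ['errors' => $errors, 'clean' => $clean];
}

function insert_todo(PDO $db, array $clean): int
{
    // Prepared statement: the values are bound as parameters and never become part of the SQL text.
    $stmt = $db->prepare('INSERT INTO todos (list_id, title, due) VALUES (:list_id, :title, :due)');
    $stmt->execute([
        ':list_id' => $clean['list_id'],
        ':title'   => $clean['title'],
        ':due'     => $clean['due'],
    ]);
    return (int)$db->lastInsertId();
}

// Assumed convention: the AJAX layer sends X-Requested-With: XMLHttpRequest (jQuery does this).
$isAjax = isset($_SERVER['HTTP_X_REQUESTED_WITH'])
       && strtolower($_SERVER['HTTP_X_REQUESTED_WITH']) === 'xmlhttprequest';

$result = validate_todo($_POST);
if ($result['errors'] !== []) {
    http_response_code(422);
    if ($isAjax) {
        header('Content-Type: application/json');
        echo json_encode(['errors' => $result['errors']]);
    } else {
        foreach ($result['errors'] as $field => $msg) {
            // Escape on output so a reflected field value cannot inject markup into the page.
            echo '<p>' . htmlspecialchars($field . ': ' . $msg, ENT_QUOTES, 'UTF-8') . '</p>';
        }
    }
    exit;
}

// Placeholder DSN and credentials; substitute your own connection settings.
$db = new PDO('mysql:host=localhost;dbname=todo_app', 'DB_USER', 'DB_PASSWORD', [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
$id = insert_todo($db, $result['clean']);

if ($isAjax) {
    header('Content-Type: application/json');
    echo json_encode(['id' => $id]);
} else {
    header('Location: /list.php?id=' . $result['clean']['list_id']);
}
```

The JavaScript in the page can run the same checks as a courtesy to the user, but nothing in this script depends on it having done so: a request built by hand or with the onsubmit handler stripped out goes through exactly the same validate_todo call.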

o0O0o.o0O0o
07-08-2009, 01:58 AM
From now on I will validate on the server side as well.
If I validate on the server side as well, should I use JS to submit the form, or is submitting the form without JS the best solution? Because then I will always proceed that way in future.

Currently it's a local site; I have not put it live, so I can make the changes.


One thing more: how can I stop users from submitting the form through custom pages or from custom sites? I don't know what to search for.

Spudhead
07-09-2009, 12:35 PM
IF i validate on server side as well , Should i use the JS to submit the form or submit form without JS is the best solution . because then i will always procedd that way in future.

Add an onsubmit event handler to your form that runs it through some basic validation before it gets posted off to your server. This makes it easier for your users, in that basic mistakes are caught quickly for them, and easier on your server, in that fewer invalid form submissions make it to the server to take up its valuable processing time. The javascript validation is just some basic checks. It's not supposed to be guarding against malicious or potentially unsafe input; it's just there to make sure that they've filled in something in the fields that you need. Your server-side validation is the one that runs through the input with a fine-tooth comb, making sure that it's not a SQL injection attack, or an XSS attack, or spam, or a tirade of abuse, or whatever else you don't want going into your content database.


One thing more , how can i stop the user from submitting form through custom pages or from custom sites . I don't know what to search for?

There are many methods, that vary in their effectiveness and suitability for a particular application. Usually you'll need to combine several of them. This is by no means an exhaustive list, but some of the things I've seen/used include:


User logins. If your server will only accept form submissions from a valid user session, you'll eliminate a lot of spam/drive-by submissions.
HTTP referer. Checking this will, on the face of it, make sure that your server only accepts a form from a particular URL. However, it's easily spoofed. Checking it will stop idiots, but not sophisticated attacks.
IP blacklists / whitelists. Again, it'll serve as an irritation to would-be abusers, but little more. There are ways around it, but in using it you've made the target a little bit smaller for them.
Unique form keys. Suggested to me on another thread here that I can't find any more: basically, on your form page set a session variable to a unique value (say, an MD5 hash of the user's IP and the current timestamp). Drop that value into a hidden form field. On the server, check that the submitted form value matches the session variable; if it does, you can be pretty sure you've received a submission from your own form page.
Captchas. Again, they're going to cause most casual abusers difficulty, but they're by no means 100% effective. And there are accessibility concerns with many. The relative pros and cons of captchas probably merit a thread of their own.
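The two pieces of advice in the post above, an onsubmit handler as a courtesy check and a "unique form key" stored in the session and echoed back in a hidden field, as one added PHP example (not code from the thread). It is a single script that renders a comment form on GET and checks the submission on POST; the field names, the session key name and the 50/2000-character limits are assumptions for illustration, and it assumes PHP 7.4+ with mbstring. It deliberately generates the key with random_bytes rather than an MD5 of IP and timestamp, because both of those inputs are guessable by whoever is submitting the form.

```php
<?php
// Added example, not from the thread: unique form key + progressive enhancement.
// GET renders the form with a fresh key; POST verifies the key, then validates the fields.
// Field names, session key name and length limits are assumed for illustration.
declare(strict_types=1);
session_start();

// Compare the submitted key with the one stored in the session.
// hash_equals keeps the comparison time independent of where the strings differ.
function form_key_is_valid(?string $submitted, ?string $stored): bool
{
    return is_string($submitted) && is_string($stored)
        && $submitted !== '' && hash_equals($stored, $submitted);
}

function validate_comment(array $input): array
{
    $errors = [];
    $author = trim((string)($input['author'] ?? ''));
    $body   = trim((string)($input['body'] ?? ''));
    if ($author === '' || mb_strlen($author) > 50) {
        $errors['author'] = 'Name is required (max 50 characters).';
    }
    if ($body === '' || mb_strlen($body) > 2000) {
        $errors['body'] = 'Comment is required (max 2000 characters).';
    }
    return $errors;
}

$errors = [];
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $stored = $_SESSION['form_key'] ?? null;
    // One-time use: drop the key first, so a replayed POST fails even while the session is live.
    unset($_SESSION['form_key']);

    if (!form_key_is_valid($_POST['form_key'] ?? null, $stored)) {
        http_response_code(403);
        exit('Form key missing or invalid; please reload the form and try again.');
    }

    $errors = validate_comment($_POST);
    if ($errors === []) {
        // Store the comment here with a prepared statement, then confirm.
        exit('Thanks, your comment was received.');
    }
    // Otherwise fall through and re-render the form with the errors and a new key.
}

// A fresh, unguessable key for this render of the form (random, not derived from IP or time).
$_SESSION['form_key'] = bin2hex(random_bytes(32));
$e = static fn(string $s): string => htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
?>
<!DOCTYPE html>
<html>
<head><meta charset="utf-8"><title>Comment</title></head>
<body>
<?php foreach ($errors as $msg): ?>
  <p class="error"><?= $e($msg) ?></p>
<?php endforeach; ?>
<!-- A real submit button: the form still works with JavaScript disabled. The onsubmit
     handler only gives the user an early hint; the server runs the same checks again. -->
<form method="post" action="" onsubmit="return quickCheck(this)">
  <input type="hidden" name="form_key" value="<?= $e($_SESSION['form_key']) ?>">
  <label>Name <input type="text" name="author" maxlength="50"
         value="<?= $e((string)($_POST['author'] ?? '')) ?>"></label>
  <label>Comment <textarea name="body" maxlength="2000"><?= $e((string)($_POST['body'] ?? '')) ?></textarea></label>
  <button type="submit">Post comment</button>
</form>
<script>
function quickCheck(form) {
  // Client-side courtesy check only: report empty required fields before the round trip.
  var author = form.elements['author'].value.trim();
  var body   = form.elements['body'].value.trim();
  if (author === '' || body === '') {
    alert('Please fill in both your name and a comment.');
    return false; // stay on the page
  }
  return true;    // let the browser submit; the server validates again
}
</script>
</body>
</html>
```

Because the key lives in the session and is consumed on first use, a POST assembled on another site or replayed from a saved request arrives without a matching key and is refused before any field is looked at; the onsubmit handler can be removed in Firebug without changing that, which is the property the thread is after.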

o0O0o.o0O0o
07-11-2009, 12:39 AM
Thanks buddy. Currently I am doing HTTP referer; I think that's sufficient for now.


