  1. #1
    Senior Coder o0O0o.o0O0o

    javascript validation vs php validation

    Hi,

    I have seen many times people saying that we have to do validation both with JS enabled and on the PHP side if JS is disabled.

    I am doing JS validation only and I am submitting the form through JS

    like
    Code:
    this.form.submit()
    so that if JS is disabled the form should not submit at all.

    Is there any drawback in that approach, or am I missing something?

    Because all my site's functioning is based on JS, so if JS is disabled there is no point in submitting data.
    Please de-reputate me
    © 0o0o0o0

    Its better to rule in Hell then to serve in Heaven

  • #2
    The fat guy next door VIPStephan
    Well, if the functionality of your entire site is based on the availability of JS then you’re going the wrong way in the first place because you would prevent some people from using your site. Progressive enhancement is the key.

    Let me say it in a nutshell: If there is no point in submitting data if JS isn’t available then there’s also no point in showing the form at all, right? That means you should actually add that form through JS DOM manipulation. A simple example would be a “print page” link that executes window.print() on click. If JS isn’t available that link wouldn’t do anything so why show it at all? That’s why without JS the link wouldn’t even be there and it’s added with JS so only users with JS enabled see it.

  • #3
    Supreme Master coder! abduraooft
    JavaScript validation is just an aid for the users, giving some hints (about the expected data) before submitting the form, to save their time. Thus, if JavaScript is enabled, and if the user followed all the directions from the client side, the form will pass the server-side validation easily and s/he won't need to recheck the form again (after submit).

    On the other hand, server-side validation is a MUST for our pages which take any kind of external data, to ensure the validity of our data, and also to prevent all kinds of injection attacks.
    The Dream is not what you see in sleep; Dream is the thing which doesn't let you sleep. --(Dr. APJ. Abdul Kalam)

  • #4
    Senior Coder o0O0o.o0O0o
    Validation alone is not the issue; there are many features.
    I have made the whole site using AJAX, e.g. TODO list adding, removing, new lists dynamically.
    They won't work if JS is disabled.

    So it means every function should be coded twice, so that if JS is disabled every function still works the same way. I think it will take too much time to code and the client can't pay that much.
    I agree if that's a university site or millions of people will be using it, but for small users is it worth coding all the functions twice?

    Even the Yahoo new mail does not work if JS is disabled.
    And how many users will there be who have JS disabled?

    I am confused about which is the right way to approach this.
    Last edited by o0O0o.o0O0o; 07-07-2009 at 10:40 AM.

  • #5
    Supreme Master coder! abduraooft
    Quote:
    Even the yahoo new mail does not work if JS is disabled .
    They have a basic version too, for those who have no JavaScript support, and that's what the link given by VIPS is all about.

    Quote:
    I am doing JS validation only and i am submitting the form through JS

    like
    Code:
    this.form.submit()
    SO that if JS is disabled form should not submit at all .

    You need to consider cases like:
    1) Someone can submit the data to your page from a custom page (if it's not blocked by session/captcha).
    2) Client-side code is not permanent. Tools like Firebug allow users to edit the HTML very easily (changing type="button" to type="submit" and removing the onsubmit handler from the form is not a big task).
    Last edited by abduraooft; 07-07-2009 at 11:11 AM.

  • #6
    Rockstar Coder
    You should always do server side validation, regardless of if you have client side validation. Like others have said, client side validation is just so it is easier on the user and it can save you bandwidth since it can avoid trips back and forth to the server.

    Even with AJAX stuff, when you are processing the XML request on the server side, you should validate the data (again) just to make sure everything is OK.

    Is this an Intranet or Internet site?
    OracleGuy
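
What "validate the data (again)" can look like for the TODO-list AJAX requests discussed in this thread. This is an added example, not code posted by anyone in the thread; the field names `action`, `list_id` and `title` and the 200-byte limit are assumptions.

```php
<?php
// Added example, not code from the thread. The field names (action,
// list_id, title) and the 200-byte limit are assumptions.

function validate_todo_request(array $input): array
{
    $errors = [];
    $clean  = [];

    // Allow-list the action; the client can send any string it likes.
    $action = $input['action'] ?? null;
    if (!is_string($action) || !in_array($action, ['add', 'remove'], true)) {
        $errors['action'] = 'unknown action';
    } else {
        $clean['action'] = $action;
    }

    // list_id must be a positive integer (other strings and arrays fail).
    $listId = filter_var($input['list_id'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]);
    if ($listId === false) {
        $errors['list_id'] = 'must be a positive integer';
    } else {
        $clean['list_id'] = $listId;
    }

    // A title is required only when adding: 1..200 bytes, no control bytes.
    if ($action === 'add') {
        $title = is_string($input['title'] ?? null) ? trim($input['title']) : '';
        if ($title === '' || strlen($title) > 200
            || preg_match('/[\x00-\x1F\x7F]/', $title)) {
            $errors['title'] = 'must be 1-200 bytes without control characters';
        } else {
            $clean['title'] = $title;
        }
    }

    // $clean still goes into a parameterised query and is still escaped
    // with htmlspecialchars() on output; validation does not replace either.
    return ['ok' => $errors === [], 'errors' => $errors, 'clean' => $clean];
}

// Constructed sample requests: the first is what the page's own JavaScript
// would send, the second is posted directly without running that JavaScript.
$fromForm  = ['action' => 'add', 'list_id' => '7', 'title' => 'Buy milk'];
$handBuilt = ['action' => 'add', 'list_id' => '-1', 'title' => str_repeat('A', 5000)];

var_dump(validate_todo_request($fromForm)['ok']);
print_r(validate_todo_request($handBuilt)['errors']);
```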

  • #7
    Senior Coder o0O0o.o0O0o
    From now on I will validate on the server side as well.
    If I validate on the server side as well, should I use JS to submit the form, or is submitting the form without JS the best solution? Because then I will always proceed that way in future.

    Currently it's a local site; I have not put it live, so I can make the changes.

    One more thing: how can I stop the user from submitting the form through custom pages or from custom sites? I don't know what to search for.

  • #8
    Senior Coder Spudhead
    Quote Originally Posted by o0O0o.o0O0o
    IF i validate on server side as well , Should i use the JS to submit the form or submit form without JS is the best solution . because then i will always proceed that way in future.
    Add an onsubmit event handler to your form that runs it through some basic validation before it gets posted off to your server. This makes it easier for your users, in that basic mistakes are caught quickly for them, and easier on your server, in that fewer invalid form submissions make it to the server to take up its valuable processing time. The javascript validation is just some basic checks. It's not supposed to be guarding against malicious or potentially unsafe input, it's just there to make sure that they've filled in something in the fields that you need. Your server-side validation is the one that runs through the input with a fine-tooth comb, making sure that it's not a SQL injection attack, or an XSS attack, or spam, or a tirade of abuse, or whatever else you don't want going in to your content database.

    Quote Originally Posted by o0O0o.o0O0o
    One thing more , how can i stop the user from submitting form through custom pages or from custom sites . I don't know what to search for?
    There are many methods, that vary in their effectiveness and suitability for a particular application. Usually you'll need to combine several of them. This is by no means an exhaustive list, but some of the things I've seen/used include:

    • User logins. If your server will only accept form submissions from a valid user session, you'll eliminate a lot of spam/drive-by submissions.
    • HTTP referer. Checking this will, on the face of it, make sure that your server only accepts a form from a particular URL. However, it's easily spoofed. Checking it will stop idiots, but not sophisticated attacks.
    • IP blacklists / whitelists. Again, it'll serve as an irritation to would-be abusers, but little more. There are ways around it, but in using it you've made the target a little bit smaller for them.
    • Unique form keys. Suggested to me on another thread here that I can't find any more: basically, on your form page set a session variable to a unique value (say, an MD5 hash of the user's IP and the current timestamp). Drop that value into a hidden form field. On the server, check that the submitted form value matches the session variable; if it does, you can be pretty sure you've received a submission from your own form page.
    • Captchas. Again, they're going to cause most casual abusers difficulty, but they're by no means 100% effective. And there are accessibility concerns with many. The relative pros and cons of captchas probably merit a thread of their own.

  • Users who have thanked Spudhead for this post:

    o0O0o.o0O0o (07-10-2009)
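
The "unique form keys" item from the list above, as an added example that is not code from the thread. It swaps the MD5-of-IP-and-timestamp value for `random_bytes()`, because a key built from guessable inputs can be predicted, and adds single use and an expiry; the `form_key` field name, the 15-minute lifetime and the array standing in for `$_SESSION` are assumptions.

```php
<?php
// Added example, not code from the thread. The session is passed in as an
// array so the file runs from the command line; on a real page pass
// $_SESSION after session_start(). The form_key name and the 15-minute
// lifetime are assumptions.

function issue_form_key(array &$session, int $now): string
{
    // Random key rather than a hash of guessable inputs (IP, timestamp).
    $key = bin2hex(random_bytes(32));
    $session['form_key'] = ['value' => $key, 'issued' => $now];
    return $key; // rendered into <input type="hidden" name="form_key">
}

function check_form_key(array &$session, array $post, int $now, int $ttl = 900): bool
{
    $stored = $session['form_key'] ?? null;
    unset($session['form_key']); // single use: a replayed POST fails
    $given = $post['form_key'] ?? null;

    if (!is_array($stored) || !is_string($given)) {
        return false; // no form was served to this session, or no key sent
    }
    if ($now - $stored['issued'] > $ttl) {
        return false; // the form page was loaded too long ago
    }
    return hash_equals($stored['value'], $given); // constant-time compare
}

// Constructed walk-through with a fake clock.
$session = [];
$t0  = 1700000000;
$key = issue_form_key($session, $t0);

var_dump(check_form_key($session, ['form_key' => $key], $t0 + 30));   // own form
var_dump(check_form_key($session, ['form_key' => $key], $t0 + 31));   // replay
issue_form_key($session, $t0);
var_dump(check_form_key($session, ['title' => 'x'], $t0 + 5));        // custom page, no key
$key = issue_form_key($session, $t0);
var_dump(check_form_key($session, ['form_key' => $key], $t0 + 3600)); // stale form
```

A matching key only shows that the sender loaded the form in that session, so the submitted fields still go through server-side validation.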

  • #9
    Senior Coder o0O0o.o0O0o
    Thanks buddy. Currently I am doing HTTP referer; I think that's sufficient for now.

