

Two validations process





zacky
I'm wondering if I should still use PHP as my validation for the form that I've done, because I'm using Javascript on it. I know that other users might turn off Javascript in their browsers, but I think 99.9% of people have it enabled, since most websites nowadays use Javascript or AJAX techniques for their GUI and to be more user friendly. Do you think Javascript is enough, or should I still use PHP validation as my backup in case the browser doesn't accept Javascript? By the way, it's only a registration form validation...

thanks!... Very Happy Very Happy Very Happy
meep
Well, I know a lot of people using Firefox + NoScript, so using PHP as a backup might be a good idea; better to be safe than sorry.
rvec
95% of the internet users used javascript in January 2008 according to w3cschools.

But everyone can turn off Javascript or modify it if they want, so for input verification you should never rely on it. Always keep in mind that there could be one hacker among your users who would try to send any input to you that might kill your app.

The rule: Clean everything that comes in, escape everything that goes out and whitelist everything that you use.
Fire Boar
You should always use PHP validation. You might want to add via AJAX or straight Javascript a client-side validation to help the user, but ultimately people can make a post request with any data at all, so you need to validate it when it comes in.
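
A sketch of the server-side check the replies above call for, added here as an example and not code from any post in this thread. The field names, the 3-20 character username rule and the 8-character password minimum are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Server-side validation for a registration form. Returns [clean, errors].
// Field names and limits are assumptions for this example.
function validate_registration(array $post): array
{
    $errors = [];
    $clean  = [];

    // A hand-made request can omit fields or send arrays (username[]=x),
    // so accept a value only if it is present and really a string.
    $get = static function (string $key) use ($post): string {
        return isset($post[$key]) && is_string($post[$key]) ? $post[$key] : '';
    };

    // Whitelist: letters, digits and underscore only.
    // \A and \z anchor the whole string; a bare $ would also accept "name\n".
    $username = $get('username');
    if (preg_match('/\A[A-Za-z0-9_]{3,20}\z/', $username) === 1) {
        $clean['username'] = $username;
    } else {
        $errors['username'] = 'Use 3-20 letters, digits or underscores.';
    }

    $email = $get('email');
    if (filter_var($email, FILTER_VALIDATE_EMAIL) !== false) {
        $clean['email'] = $email;
    } else {
        $errors['email'] = 'Enter a valid e-mail address.';
    }

    // The password is checked but never echoed back or kept in $clean.
    if (strlen($get('password')) < 8) {
        $errors['password'] = 'Password must be at least 8 characters.';
    }

    return [$clean, $errors];
}

// Constructed sample: a POST body sent without the form or its Javascript.
$forged = ['username' => "zacky\n", 'email' => 'not-an-email', 'password' => ['x']];
[$clean, $errors] = validate_registration($forged);

// Escape everything that goes out, including text that echoes user input.
foreach ($errors as $field => $message) {
    echo htmlspecialchars("$field: $message", ENT_QUOTES, 'UTF-8'), PHP_EOL;
}
```

All three constructed fields are rejected here. The same rules can be mirrored in Javascript for instant feedback, but only this server-side result decides whether the registration goes through.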
imagefree
zacky wrote:
I'm wondering if I should still use PHP as my validation for the form that I've done, because I'm using Javascript on it. I know that other users might turn off Javascript in their browsers, but I think 99.9% of people have it enabled, since most websites nowadays use Javascript or AJAX techniques for their GUI and to be more user friendly. Do you think Javascript is enough, or should I still use PHP validation as my backup in case the browser doesn't accept Javascript? By the way, it's only a registration form validation...

thanks!... Very Happy Very Happy Very Happy



You need to have server side validation as rvec said above, but I recommend you not remove the Javascript validation from your forms. The reason is that it gives users immediate information about the accuracy of the information submitted, or about what the site owner expects you to submit. JS gives the best user experience.

Also, it saves a lot of inconvenience. Take the example of a registration form (like that of Gmail): suppose a user fills in 7-8 fields, then types the CAPTCHA code and submits, and then he comes to know that the submitted username is already taken, or the CAPTCHA value was wrong. Now submitting values again and again would annoy users. I recently signed up for another Gmail account, and I was fed up submitting the form again and again. I was in real need of that account, otherwise I would have left Gmail.

Also, client side validation prevents fake submissions, or indeliberate submissions by users. It reduces the burden on your server side validation script.
Fire Boar
Yes, things like "that username is already taken" or "that password is too short" should absolutely be calculated and shown to the user on the fly.
zacky
Thanks guys.. I appreciate your comments and suggestions. Yeah, I think it is better to leave my Javascript there while my PHP serves as a backup in case something goes wrong on the client side. I think it is a good habit to always put a backup in place instead of relying on one single validation, since there are a lot of hackers walking around the globe, destroying your entire site. Thanks a lot again! Smile
imagefree
zacky wrote:
Thanks guys.. I appreciate your comments and suggestions. Yeah, I think it is better to leave my Javascript there while my PHP serves as a backup in case something goes wrong on the client side. I think it is a good habit to always put a backup in place instead of relying on one single validation, since there are a lot of hackers walking around the globe, destroying your entire site. Thanks a lot again! Smile


Javascript would never protect you from hackers. In fact, it's the easiest thing to bypass. Also, Javascript will reveal some information about what you do on the server. For example, if you allow only alphabets, digits, and _ in the username, but your regular expression is not correct, it gives the clue that you might have the same problem on the server side too. Also, client side scripting gives information about the standard and accuracy of your coding.
Fire Boar
imagefree wrote:
zacky wrote:
Thanks guys.. I appreciate your comments and suggestions. Yeah, I think it is better to leave my Javascript there while my PHP serves as a backup in case something goes wrong on the client side. I think it is a good habit to always put a backup in place instead of relying on one single validation, since there are a lot of hackers walking around the globe, destroying your entire site. Thanks a lot again! Smile


Javascript would never protect you from hackers. In fact, it's the easiest thing to bypass. Also, Javascript will reveal some information about what you do on the server. For example, if you allow only alphabets, digits, and _ in the username, but your regular expression is not correct, it gives the clue that you might have the same problem on the server side too. Also, client side scripting gives information about the standard and accuracy of your coding.


Quoted for truth. PHP should be your main validation, not secondary "backup" validation. Bypassing Javascript is insanely easy: in Firefox, open the Options/Preferences dialog and in the Content tab uncheck the "Enable Javascript" box. Done. I have now bypassed your validation. Call me a cracker, and I didn't write a single line of code, nor did I use any sort of malicious tool.
imagefree
Fire Boar wrote:
Quoted for truth. PHP should be your main validation, not secondary "backup" validation. Bypassing Javascript is insanely easy: in Firefox, open the Options/Preferences dialog and in the Content tab uncheck the "Enable Javascript" box. Done. I have now bypassed your validation. Call me a cracker, and I didn't write a single line of code, nor did I use any sort of malicious tool.


Smile It's even easier on my Opera. I have customized a toolbar and put checkboxes on it to enable/disable Javascript, Flash, animation (GIF), proxy, referer logging, sound, switching user agent etc.

Cracking your site is just 1 click away for me if you do not use server side validation. Feel the horror Very Happy
Fire Boar
imagefree wrote:
Fire Boar wrote:
Quoted for truth. PHP should be your main validation, not secondary "backup" validation. Bypassing Javascript is insanely easy: in Firefox, open the Options/Preferences dialog and in the Content tab uncheck the "Enable Javascript" box. Done. I have now bypassed your validation. Call me a cracker, and I didn't write a single line of code, nor did I use any sort of malicious tool.


Smile It's even easier on my Opera. I have customized a toolbar and put checkboxes on it to enable/disable Javascript, Flash, animation (GIF), proxy, referer logging, sound, switching user agent etc.

Cracking your site is just 1 click away for me if you do not use server side validation. Feel the horror Very Happy


On my Firefox too - I've installed the web developer extension which allows you to with 2 clicks disable javascript, meta redirects, CSS, cookies and referrers. And a whole bunch of other handy dandy tools. Basically, moral of the story is don't trust anything that happens client-side, make sure server-side is foolproof and only consider the possibility of client-side validation as an enhancement to the user interface.
Stubru Freak
There may be one exception though: checking password security. You can leave that to the client side if you're lazy. If people don't have Javascript and are too stubborn to listen when you say their password should be secure, it's their own problem.
rayxzero
PHP I suggest should always be used for your main validation. But you can always add javascript for your user inputs checking - this way it would be easier and more convenient for the users.