My question is simple, I'm writing a simple login/registration form for my website using HTML, PHP and jQuery.
Is it neccesary to write the form validation in PHP also when I could use HTML-s required tag on each input and use PHP to check for username availability and password match?
I believe it is good practice to also have a validation in the back-end but it would appear that the 'required' function in HTML takes care of all that? Can this be misused easily, what are the general drawbacks of solely relying on HTML for simple form validation?
Is it neccesary to write the form validation in PHP also
You can never depend on any form of client side validation. It can always be bypassed.
People might be using browsers that don't support HTML 5 validation attributes, or might use a DOM inspector to remove them.
JavaScript solutions can be trivialy bypassed by turning off JavaScript.
Forms can be copy/pasted, edited and then submitted from a page owned by the user.
HTTP requests can be constructed by hand without going near a form.
etc. etc.
Client side validation can only ever be provided for the convenience of the user. The protection of your systems can only be handled server side.
You should never rely on the frontend validation. Nor Javascript or HTML. Users can open your reg form, use firebug or some other tool, inspect the text box and DELETE the required attribute. Also can send to your backend POSTed variable, even without opening your frontend
Validation on the server is a must
You can pretty things up however by validating on both the client and server so the user gets instant feedback, but yes it is neccesary to do validation in PHP.
It might help to think of client side validation being a usability issue and the server side validation being a security issue.
Where usability might be described as being a "nice to have", security is definitely a "must have".
Related
I'm new to web development and I don't know whether it's better to check that user filled out all the fields in a form by using "required" or to check it later using php with empty() and then return user to the front page. What are the upsides and downsides of each method?
I tried both of them and the only difference I could think of is the "Please fill out this field" box when using the html way.
Setting required in html tells users that a field is required and prevents someone from accidentally submitting a form with an empty field. However, people can still send the form with a missing field manually, by creating a request outside of a browser. The PHP should be able to handle that, though it can be as simple as returning an error.
In general, you should use client-side validation like required to tell users what to do, and server-side validation to prevent unintended behavior by bypassing the client.
The bottom line here is that your server-side code cannot cannot trust anything it receives from the client-side.
A web application receiving a HTTP request has no way of knowing whether that request came through a user-interface where some validation was applied to the data before sending, or if someone modified that user interface to remove some checks (which is easy in a browser if you have a little knowledge of the Developer Tools), or if (for example) it came from some sort of bot firing requests directly at your server, or if someone simply opened up PostMan and made the HTTP request by hand.
Therefore, in terms of security and validation, you must implement server-side validation and security procedures if you want to ensure the security and validity of your application and its data.
Client-side validation is great for improving the user experience and performance of your application (so that the user doesn't have to wait for a round-trip to the server before they get feedback on the validity of data they are trying to submit), but since it easily can be bypassed or disabled you cannot rely on that alone to protect your application.
Those are both necessary for making a secure and robust app. That is front-end and back-end validation.
The front-end validation makes it so the user cannot accidentally fill unwanted data into the fields shown. That ensures that users are using the app as intended.
The back-end validation makes sure that the values that are coming in are always values that are expected. What makes this different is that people can bypass front-end validation quite easily, and thus they will abuse this by inserting bad data in your app which can break your whole app completely.
It is necessary to check the validity of the data received from the user on the server, so you must set conditions for it on the server so that invalid data does not enter the database.
Also, to improve the user experience, it is better to have controls in html in addition to the server, this will even make the server not always check and reject the wrong request, so use both of them together.
I want to validate the data that the user enters in a form. I have only a username and two fields for the password. My first question is that I check the data with javascript and it works fine, but i want to check the data with php too incase javascript is not working. In case the javascript is not working the data will be checked from the php code, but my problem is that if javascript is working then the data will be checked from javascript and php too. Is this fine? Is there any way to avoid checking with php when the input data are checked by javascript? Also I am checking the inputs(username and password) for the number of characters, for characters(i don't permit special characters, only "_", "." numbers and letters in order to avoid sql injection) - how does it sound to you? Do you have any other suggestion for better validation?
Thank you in advance.
You should always do a serverside(php) validation of userinput. a clientside(javascript) validation is only good for a better user-experience. Also you should not restrict the input to some characters for mysql injection prevention, there are other reliable methods for this.
Yes, you should validate both client-side (JS) and server-side (PHP).
Do so on the client for convenience for your user and for a better user experience.
Do so on the server to prevent a malicious attack, or, as you stated, in case your user has JS disabled.
You should always perform server side validation. There is no guarantee that client-side validation (such as javascript validation) cannot be defeated. It's a simple exercise to grab a debugging tool (any many are built into browser nowadays) and circumvent javascript validation.
Typically there is nothing wrong and is even recommended to do validation in both places in Javascript and PHP.
Checking both ways is fine and definitely recommended. If you wanted to avoid checking with PHP if Javascript is enabled, you could append a hidden field to the form and check for this with PHP.
E.G.
if(!isset($_POST['js_hidden_field'])) {
// Run Validation
}
So you check for the hidden field, if it's not set then run the PHP Validation
This is actually good, you can never do too much validation in my opinion. Client side scripting can be manipulated by anyone with web development experience but server side scripting cannot.
client side scripting validation pros:
Alerts the user before submitting data allowing them to correct themselves
Makes your site look a little more sophisticated
server side validation pros:
no one can change any validation rules you have
they cannot turn off server side validation.
In short, doing both is good, it's actually better than just doing one or the other.
When is comes to form validation, which is the best method to proceed with? With HTML5, you can validate the e-mail address and telephone number but usually I would do this with PHP, so which method is better? Or should I validate the input in HTML5 and PHP?
Both.
Rule of thumb:
Validate client-side to provide users with a better experience.
Validate server-side to ensure 100% the data you receive is what you expect.
Always validate with a server side programming language, additionally you could use a client side validation. The reason for this is that everything can be modified client side and thus bypass any client side validation. It's not even hard and there are a lot of tools available for people to modify the html and/or Javascript to submit whatever they want.
The golden rule is, never trust the user. Expect the worst and prepare for that. You can and should use tools such as firebug or other web developer tools to try things out.
You should do both. HTML5 and/or JavaScript validation on the client-side to save the user a page load, and PHP validation because you can never, ever fully trust the client-side.
I prefer both. It is nice when filling out a form to be notified if something doesn't match. However you can't rely on JS validation as it is easily bypassed so server side is required.
The answer both is correct. Not a preference (as some have stated) but a requirement. All HTML (including HTML5) can be edited directly on your page via the browser. Just like using Firebug to edit this page's title, you can edit the HTML input validators and if they don't have server-side validation, it will accept anything you put in there. Handling validation with HTML5 only is like inviting hackers to corrupt all of your db tables. Do you want that?
I found this last comment on this stupid guy's site as a clear example: http://demosthenes.info/blog/462/Goodbye-JQuery-Validation-HTML5-Form-Errors-With-CSS3
Most of the professional programmers have the approach of validating input fields with server side scripting language. Server side form validation using PHP is better than HTML5 and client side form validations in a number of ways:
HTML5 contains few attributes which automatically validates input fields for example:email,telephone,etc. These attribtues are limited. whereas in real world, there are many forms which have some fields which cant be directly validated through HTML5.
If you are thinking about clients side valdiation using javscript as the second option then keep in mind that javascript can be turned off in browser. so it will ultimately affect the user experience.so its better to valdiate your forms through server side scripting lanugae like PHP.
You should adopt the above approach for websites containing sensitive data. but
I really like the idea of validating forms client-side before doing so server-side. If the client's validation passes, I can use Javascript to submit the form.
However, I have heard that some specialized browser, like browsers for the visually impaired, don't support Javascript. Therefore, those users won't be able to submit my forms. Should I therefore avoid what I just thought of doing, or is it alright?
EDIT: (In response to answers): I guess I didn't explain that, but I was planning on doing server-side validation in addition to client-side. Sorry!
Thanks
Javascript is a nice touch to validation. It lets the user know right away that something is wrong, plus it minimises potential calls to the database.
If there are browsers out there that disable javascript for accessibility reasons, you shouldn't worry to much. That's what the server-side checking helps with.
So you should use both, and test with javascript turned on or off. NEVER use javascript as a sole validator - you could just turn javascript off in your browser and the POST data would go through!
You should do both client-side validation and server-side validation. Everything you catch with client-side validation is an opportunity to improve the user experience for your users and tell them exactly what is missing or wrong before they submit the form. If, for any reason, javascript is not enabled, you will still validate on the server (as you always should) and can return errors through the form response from the server if you have to.
So, it's always a good idea to use client-side validation if available.
Is client-side validation smart? Yes, clean input is better for performance than input that will error out.
Great UX? Yes, it's important for a user to get quick, relevant feedback.
Safe? No. Not at all. Hackers don't use your interface to hack your site.
More and more browsers can be site-selective about running JS.
Lastly, if you are concerned about equal access, your best bet is to build accessible versions of the site.
Client side validation often improves user experience, as the user can immediately see whether his data is valid or not.
If it is some simple validation, like pattern matching or length checking for passwords, definitely do it. But of course it is not a substitution for server side validation, it is not a security means in any way. Never trust user input.
Integrate the client side validation in an unobtrusive way, so that form submission still works if JS is turned off.
"Both And" is the answer. Validate client side as a convenience and as a way to better the user experience, but you should always validate server side.
Browsers without JavaScript won't execute the JavaScript at all, so they will still be able to submit your form. Don't worry.
Client side validation is done by interceptin the normal submit event and return true or false based on whether the form is valid. In this way, when javascript is not enabled, the submission is not intercepted and proceeds as normal.
It is one of the easiest things to degrade gracefully, fortunately :)
Not sure we can say it's smart to handle form "control" before submitting : this is "only" client comfort, as these controls... are just not valid from the security standpoint. So this is adding coding efforts for no added value from the security prospective. But this is adding effort for client comfort. And THIS is smart.
The simple way :
No client-side control at all, only server side. No need that js is enabled on the client-side.
This is the point that shall be always enabled and full security valid.
The intermediate way:
Implementing the simple way and adding some javascript "controls" on top, "hand coded" or using js librairies. This is the fastidious way as this is adding a layer on top of the existing server core code, and generally means some server-side code changes or refactoring. So this is the worst way according to me. But this is a good way to learn and understand the client-server exchanges. Painful but useful.
The best way:
Base all your efforts on server-side validation but make sure, from the coding starting point, to be able to embed also the "nice to have", eg. the client-side nice "controls". Which means you have to think of your code architecture before starting writing any line. How to do that ? use Ajax coded forms on the server side. Which suggests the way of coding ideally with specific php form classes. For example, ZendFramework is providing such kind of possibilities using either dojo or jQuery.
Its always better to have "Cleaner" data passed into the server.
Prevents errors and malicous data.
I am done with validation using javascript for a form in PHP.
When is there any need for PHP validation?
javascript validation in itself ensures that all the fields are filled up. Is there a possibility to check the valid format of the inputs using javascript?
Yes
Client Side (Javascript) validation is only to help innocent users find out any errors in their forms without the need for a trip to the server and page reload.
Server side (PHP) validation is needed to prevent malicious users from submitting malformed queries to your server and gain access to your data.
Please note that client side validation only works on the forms you make. A malicious user can make her own form and submit to your server quite easily - thus completely bypassing your client side validation.
Conclusion: You need both forms of data validation.
Validation with javascript is great for useability, but without server side validation you leave yourself open to malicious input and bad data.
Javascript ensure the validation client-side but:
could be disabled
form can be submitted to your server by a "bad guy" from a custom page
so both are required IMHO
In general, a user has control over what data is submitted to a form handler, so you need to validate and sanitize it before it's safe. She might not even use a browser.
Yes, if JavaScript is disabled in client broser then server side validation is necessary.
telnet yoursite.com 80
GET /yourapp.php?name=');drop%20table%20users;-- HTTP/1.1
Host: yoursite.com
Bad things happen when you don't do server side sanitation.
Slightly less important than preventing your site from getting owned by anyone with a little bit of knowledge, not everyone will have javascript turned on, so you want to provide worthwhile error messages for them as well (not to mention, avoiding running with bad data, creating users with empty email addresses or names, as a non-malicious example).
But what is the purpose of using the both validations at the same time? Because it's extra burden for the server for validating the form inputs in php if javascript validation is successful. Can not we use a flag and set or unset it's value depending upon whether javascript validation is successful or not? And if the flag value set we will skip the php validation. Is not it possible? If it's not possible can you explain with a valid real life example? Or can a user modify the value of the flag even if we pass it in header? Waiting for some logical answers. Thank you.