When is comes to form validation, which is the best method to proceed with? With HTML5, you can validate the e-mail address and telephone number but usually I would do this with PHP, so which method is better? Or should I validate the input in HTML5 and PHP?
Both.
Rule of thumb:
Validate client-side to provide users with a better experience.
Validate server-side to ensure 100% the data you receive is what you expect.
Always validate with a server side programming language, additionally you could use a client side validation. The reason for this is that everything can be modified client side and thus bypass any client side validation. It's not even hard and there are a lot of tools available for people to modify the html and/or Javascript to submit whatever they want.
The golden rule is, never trust the user. Expect the worst and prepare for that. You can and should use tools such as firebug or other web developer tools to try things out.
You should do both. HTML5 and/or JavaScript validation on the client-side to save the user a page load, and PHP validation because you can never, ever fully trust the client-side.
I prefer both. It is nice when filling out a form to be notified if something doesn't match. However you can't rely on JS validation as it is easily bypassed so server side is required.
The answer both is correct. Not a preference (as some have stated) but a requirement. All HTML (including HTML5) can be edited directly on your page via the browser. Just like using Firebug to edit this page's title, you can edit the HTML input validators and if they don't have server-side validation, it will accept anything you put in there. Handling validation with HTML5 only is like inviting hackers to corrupt all of your db tables. Do you want that?
I found this last comment on this stupid guy's site as a clear example: http://demosthenes.info/blog/462/Goodbye-JQuery-Validation-HTML5-Form-Errors-With-CSS3
Most of the professional programmers have the approach of validating input fields with server side scripting language. Server side form validation using PHP is better than HTML5 and client side form validations in a number of ways:
HTML5 contains few attributes which automatically validates input fields for example:email,telephone,etc. These attribtues are limited. whereas in real world, there are many forms which have some fields which cant be directly validated through HTML5.
If you are thinking about clients side valdiation using javscript as the second option then keep in mind that javascript can be turned off in browser. so it will ultimately affect the user experience.so its better to valdiate your forms through server side scripting lanugae like PHP.
You should adopt the above approach for websites containing sensitive data. but
Related
My question is simple, I'm writing a simple login/registration form for my website using HTML, PHP and jQuery.
Is it neccesary to write the form validation in PHP also when I could use HTML-s required tag on each input and use PHP to check for username availability and password match?
I believe it is good practice to also have a validation in the back-end but it would appear that the 'required' function in HTML takes care of all that? Can this be misused easily, what are the general drawbacks of solely relying on HTML for simple form validation?
Is it neccesary to write the form validation in PHP also
You can never depend on any form of client side validation. It can always be bypassed.
People might be using browsers that don't support HTML 5 validation attributes, or might use a DOM inspector to remove them.
JavaScript solutions can be trivialy bypassed by turning off JavaScript.
Forms can be copy/pasted, edited and then submitted from a page owned by the user.
HTTP requests can be constructed by hand without going near a form.
etc. etc.
Client side validation can only ever be provided for the convenience of the user. The protection of your systems can only be handled server side.
You should never rely on the frontend validation. Nor Javascript or HTML. Users can open your reg form, use firebug or some other tool, inspect the text box and DELETE the required attribute. Also can send to your backend POSTed variable, even without opening your frontend
Validation on the server is a must
You can pretty things up however by validating on both the client and server so the user gets instant feedback, but yes it is neccesary to do validation in PHP.
It might help to think of client side validation being a usability issue and the server side validation being a security issue.
Where usability might be described as being a "nice to have", security is definitely a "must have".
I am using JQuery and Javascript extensively in my new project including form validation because I don't want to burden server using PHP validation. So I am restricting my site from the people who disabled Javascript on their browsers. I am trying to redirect them using meta tag:
<meta http-equiv="refresh" content="2; URL=../../enablejs.html">
I assume that this is safe because if javascript is not enabled they will not be able to access my site.
But still I have a doubt over this and need your advice. Is it completely safe? If not what are the area I need to concetrate?
This is a terrible, terrible idea.
because I don't want to burden server using PHP validation
You mean, you don't want to burden yourself with implementing it :)
I can relate. Everyone hates doing stuff twice. But server side validation is not a negotiable extra; client side validation can be easily circumvented and is for user convenience only. Server side validation is always needed for safety and security.
Apart from it being a bad idea, there is no way of reliably excluding users who have JavaScript turned off. JavaScript runs on client side, and its presence or non-presence can be easily faked to the server.
Client-side anything is never ever safe. You always need server-side validation. It's not a "burden", it's a necessity. I don't even need your website to submit (unvalidated) data to your server, in the end it all just boils down to HTTP requests. If you do not validate everything the user does on the server, you have no security.
I am using Jquery and Javascript extensively in my new project including form validation because I don't want to burden server using PHP validation.
That shouldn't save a significant burden. It should give faster feedback to users though, which is good.
So I am restricting my site from the people who disabled Javascript on their browsers.
That is a waste of time. The proportion of submissions in that which will be from users with JS disabled will be tiny.
I am trying to redirect them using meta tag
That's a very user hostile thing to do.
I assume that this is safe because if javascript is not enabled they will not be able to access my site.
If you mean that it avoids the need to write server side validation routines, then you are wrong. If someone wants to attack the site (rather then submit bad data by accident) then they can construct HTTP requests manually.
No that's not safe. Client side validations are nowhere safe. With javascript enabled anyone can bypass your validations. Using chrome console I can probably alter any text on your input boxes or any other input method without you validation noticing it.
Use server side validation or you're screwed.
No, this is not safe. Never rely on the browser for form validation. Form validation in the browser should only be to improve user experience, not to protect your data. You need to add some PHP validation.
Also, are people who have JavaScript disabled not supposed to use your site? You should make JavaScript degrade gracefully so that your site is still usable without it.
Using client side validation is a recipe for disaster "never ever trust clients input" clients inputs are GET (URL included), POST, FLash ...
All inputs should be validated by server side scripting language like PHP, ASP.net, java ...
If you use PHP then check http://www.phpclasses.org/ and look for form validation scripts and Cross-site scripting (XSS). Or use validation classes offered in frameworks like zend, codeigniter
http://en.wikipedia.org/wiki/Cross-site_scripting
I want to validate the data that the user enters in a form. I have only a username and two fields for the password. My first question is that I check the data with javascript and it works fine, but i want to check the data with php too incase javascript is not working. In case the javascript is not working the data will be checked from the php code, but my problem is that if javascript is working then the data will be checked from javascript and php too. Is this fine? Is there any way to avoid checking with php when the input data are checked by javascript? Also I am checking the inputs(username and password) for the number of characters, for characters(i don't permit special characters, only "_", "." numbers and letters in order to avoid sql injection) - how does it sound to you? Do you have any other suggestion for better validation?
Thank you in advance.
You should always do a serverside(php) validation of userinput. a clientside(javascript) validation is only good for a better user-experience. Also you should not restrict the input to some characters for mysql injection prevention, there are other reliable methods for this.
Yes, you should validate both client-side (JS) and server-side (PHP).
Do so on the client for convenience for your user and for a better user experience.
Do so on the server to prevent a malicious attack, or, as you stated, in case your user has JS disabled.
You should always perform server side validation. There is no guarantee that client-side validation (such as javascript validation) cannot be defeated. It's a simple exercise to grab a debugging tool (any many are built into browser nowadays) and circumvent javascript validation.
Typically there is nothing wrong and is even recommended to do validation in both places in Javascript and PHP.
Checking both ways is fine and definitely recommended. If you wanted to avoid checking with PHP if Javascript is enabled, you could append a hidden field to the form and check for this with PHP.
E.G.
if(!isset($_POST['js_hidden_field'])) {
// Run Validation
}
So you check for the hidden field, if it's not set then run the PHP Validation
This is actually good, you can never do too much validation in my opinion. Client side scripting can be manipulated by anyone with web development experience but server side scripting cannot.
client side scripting validation pros:
Alerts the user before submitting data allowing them to correct themselves
Makes your site look a little more sophisticated
server side validation pros:
no one can change any validation rules you have
they cannot turn off server side validation.
In short, doing both is good, it's actually better than just doing one or the other.
I really like the idea of validating forms client-side before doing so server-side. If the client's validation passes, I can use Javascript to submit the form.
However, I have heard that some specialized browser, like browsers for the visually impaired, don't support Javascript. Therefore, those users won't be able to submit my forms. Should I therefore avoid what I just thought of doing, or is it alright?
EDIT: (In response to answers): I guess I didn't explain that, but I was planning on doing server-side validation in addition to client-side. Sorry!
Thanks
Javascript is a nice touch to validation. It lets the user know right away that something is wrong, plus it minimises potential calls to the database.
If there are browsers out there that disable javascript for accessibility reasons, you shouldn't worry to much. That's what the server-side checking helps with.
So you should use both, and test with javascript turned on or off. NEVER use javascript as a sole validator - you could just turn javascript off in your browser and the POST data would go through!
You should do both client-side validation and server-side validation. Everything you catch with client-side validation is an opportunity to improve the user experience for your users and tell them exactly what is missing or wrong before they submit the form. If, for any reason, javascript is not enabled, you will still validate on the server (as you always should) and can return errors through the form response from the server if you have to.
So, it's always a good idea to use client-side validation if available.
Is client-side validation smart? Yes, clean input is better for performance than input that will error out.
Great UX? Yes, it's important for a user to get quick, relevant feedback.
Safe? No. Not at all. Hackers don't use your interface to hack your site.
More and more browsers can be site-selective about running JS.
Lastly, if you are concerned about equal access, your best bet is to build accessible versions of the site.
Client side validation often improves user experience, as the user can immediately see whether his data is valid or not.
If it is some simple validation, like pattern matching or length checking for passwords, definitely do it. But of course it is not a substitution for server side validation, it is not a security means in any way. Never trust user input.
Integrate the client side validation in an unobtrusive way, so that form submission still works if JS is turned off.
"Both And" is the answer. Validate client side as a convenience and as a way to better the user experience, but you should always validate server side.
Browsers without JavaScript won't execute the JavaScript at all, so they will still be able to submit your form. Don't worry.
Client side validation is done by interceptin the normal submit event and return true or false based on whether the form is valid. In this way, when javascript is not enabled, the submission is not intercepted and proceeds as normal.
It is one of the easiest things to degrade gracefully, fortunately :)
Not sure we can say it's smart to handle form "control" before submitting : this is "only" client comfort, as these controls... are just not valid from the security standpoint. So this is adding coding efforts for no added value from the security prospective. But this is adding effort for client comfort. And THIS is smart.
The simple way :
No client-side control at all, only server side. No need that js is enabled on the client-side.
This is the point that shall be always enabled and full security valid.
The intermediate way:
Implementing the simple way and adding some javascript "controls" on top, "hand coded" or using js librairies. This is the fastidious way as this is adding a layer on top of the existing server core code, and generally means some server-side code changes or refactoring. So this is the worst way according to me. But this is a good way to learn and understand the client-server exchanges. Painful but useful.
The best way:
Base all your efforts on server-side validation but make sure, from the coding starting point, to be able to embed also the "nice to have", eg. the client-side nice "controls". Which means you have to think of your code architecture before starting writing any line. How to do that ? use Ajax coded forms on the server side. Which suggests the way of coding ideally with specific php form classes. For example, ZendFramework is providing such kind of possibilities using either dojo or jQuery.
Its always better to have "Cleaner" data passed into the server.
Prevents errors and malicous data.
I was wondering if it is really necessary to validate in both JS and PHP?
I have my submit button with JS document.myform.submit()sending with PHP POST to the same page.
If a user disables JS he can not send the form anyway.
So I wanted to ask about security, can someone send the variables in another way bypassing the javascript? How would they do this?
And if they can, the answer if I should validate in PHP as well would be YES, right?
The answer is simple.
Server-side is obligatory and must be done unconditionally.
Client-side validation is optional, just for user's convenience.
Thus, validating on both sides isn't necessary but preferred for sake of usability
If a user disables JS he can not send the form anyway.
lol. user can save your form on their local disk and edit it in a way they want.
yes, someone can send the variables using urllib2 in python for instance. This is very easy to do. If you are only going to do one set of validations, do it server side. doing it client side is nothing more than a courtesy to your users.
as an example of how easy it is:
import urllib2
variables = {'variable1': value1, 'variable2': value2}
urllib2.urlopen('http://yoursite.com/index.php/yourform', variables)
# your form has now been spoofed.
Adding headers and cookie management to spoof any user agent is just as trivial
ALWAYS validate on the server side. javascript validation is nice to have, but could be bypassed easily.
an attacker can forge an HTTP POST request with malicious data to your form's URL, which will then enter your system unsanitized.
Just as everyone answered - never rely only on client side validation only. This is so easy to abuse, one doesn't even have to save your webpage to disk, he can use libcurl or any other HTTP library, or just play with Firebug ect.
Validation on the client side is very "user friendly" though. You can add Ajax validation to your forms, and still this just convenience and should rely on server side code.
I completely agree with everybody above - client side is mainly to benefit the person filling in the form. Server side is more to make sure you're not being targeted.
If you want a nice looking client side validation script, I've written one - free to download and use and very customisable. It'll even catch wrongly spelled email addresses and suggest a correct version. You can get it here if you're interested:
http://www.blackboxtechnology.co.uk/free-stuff/javascript-form-checker.php
Enjoy!