I am done with validation using javascript for a form in PHP.
When is there any need for PHP validation?
javascript validation in itself ensures that all the fields are filled up. Is there a possibility to check the valid format of the inputs using javascript?
Yes
Client Side (Javascript) validation is only to help innocent users find out any errors in their forms without the need for a trip to the server and page reload.
Server side (PHP) validation is needed to prevent malicious users from submitting malformed queries to your server and gain access to your data.
Please note that client side validation only works on the forms you make. A malicious user can make her own form and submit to your server quite easily - thus completely bypassing your client side validation.
Conclusion: You need both forms of data validation.
Validation with JavaScript is great for usability, but without server-side validation you leave yourself open to malicious input and bad data.
JavaScript ensures validation client-side, but:
it could be disabled
the form can be submitted to your server by a "bad guy" from a custom page
so both are required IMHO
In general, a user has control over what data is submitted to a form handler, so you need to validate and sanitize it before it's safe. She might not even use a browser.
Yes, if JavaScript is disabled in the client browser then server-side validation is necessary.
telnet yoursite.com 80
GET /yourapp.php?name=');drop%20table%20users;-- HTTP/1.1
Host: yoursite.com
Bad things happen when you don't do server side sanitation.
Slightly less important than preventing your site from getting owned by anyone with a little bit of knowledge, not everyone will have javascript turned on, so you want to provide worthwhile error messages for them as well (not to mention, avoiding running with bad data, creating users with empty email addresses or names, as a non-malicious example).
But what is the purpose of using both validations at the same time? Because it's an extra burden for the server to validate the form inputs in PHP if the JavaScript validation is successful. Can't we use a flag and set or unset its value depending upon whether the JavaScript validation is successful or not? And if the flag value is set we will skip the PHP validation. Isn't it possible? If it's not possible can you explain with a valid real-life example? Or can a user modify the value of the flag even if we pass it in a header? Waiting for some logical answers. Thank you.
I'm new to web development and I don't know whether it's better to check that user filled out all the fields in a form by using "required" or to check it later using php with empty() and then return user to the front page. What are the upsides and downsides of each method?
I tried both of them and the only difference I could think of is the "Please fill out this field" box when using the html way.
Setting required in html tells users that a field is required and prevents someone from accidentally submitting a form with an empty field. However, people can still send the form with a missing field manually, by creating a request outside of a browser. The PHP should be able to handle that, though it can be as simple as returning an error.
In general, you should use client-side validation like required to tell users what to do, and server-side validation to prevent unintended behavior by bypassing the client.
The bottom line here is that your server-side code cannot trust anything it receives from the client side.
A web application receiving an HTTP request has no way of knowing whether that request came through a user interface where some validation was applied to the data before sending, or if someone modified that user interface to remove some checks (which is easy in a browser if you have a little knowledge of the Developer Tools), or if (for example) it came from some sort of bot firing requests directly at your server, or if someone simply opened up Postman and made the HTTP request by hand.
Therefore, in terms of security and validation, you must implement server-side validation and security procedures if you want to ensure the security and validity of your application and its data.
Client-side validation is great for improving the user experience and performance of your application (so that the user doesn't have to wait for a round-trip to the server before they get feedback on the validity of the data they are trying to submit), but since it can easily be bypassed or disabled you cannot rely on that alone to protect your application.
Those are both necessary for making a secure and robust app. That is front-end and back-end validation.
The front-end validation makes it so the user cannot accidentally fill unwanted data into the fields shown. That ensures that users are using the app as intended.
The back-end validation makes sure that the values that are coming in are always values that are expected. What makes this different is that people can bypass front-end validation quite easily, and thus they will abuse this by inserting bad data in your app which can break your whole app completely.
It is necessary to check the validity of the data received from the user on the server, so you must set conditions for it on the server so that invalid data does not enter the database.
Also, to improve the user experience, it is better to have controls in html in addition to the server, this will even make the server not always check and reject the wrong request, so use both of them together.
So up to now I've got my client-side validation ready, but what if JavaScript is disabled?...
I was thinking about what the best method can be to make sure the data I get is valid:
For a start I can also test the data on the server side, but then what is the point of all the JavaScript validation?
HTML 5 has some validation features but limited browser support.
I was thinking about something with Ajax but can't put my finger on an Ajax solution yet.
So I will be very thankful to get some suggestions for a solution when JavaScript is off.
Never trust user input.
Never trust user input.
Never trust user input.
Never trust JavaScript validation, which can be tampered with very easily since it executes in the browser. Consider it part of the user input.
Never trust user input.
Server-side validation is always mandatory, whether there is JavaScript validation or not. Other than that, Ajax is just a funky name for dynamic JavaScript calls to URLs. No JavaScript, no Ajax.
There is nothing else I can think of, besides HTML5 validation (which must not be relied upon either, as it can be circumvented as easily as Javascript validation).
Even if JavaScript is turned on, it's still perfectly possible to manipulate a form to post information that you might not be expecting on the server-side. Server-side validation is always needed for data storage and manipulation.
Yes, you should always have BOTH validation client side (javascript) and server side (business object in your language of choice).
You absolutely cannot trust all users to use/leave client side alone.
Client side validation is to help the user stay sane so they are not posting-erring, try again, post-erring, try again. And you cut traffic to your server/objects as well. Everyone likes that.
But you NEED to have your server side do a final validation if you are serious about validation. If you ever can only pick one or the other (and if a client has js disabled...) you pick server side.
If you want a slight lessening of what seems like redundant validation, have your form ajax post/call to a validator that calls your BUSINESS LOGIC rules on the server but then when the final post occurs, it needs to run through the BUSINESS LOGIC rules again before you commit.
Please remember this mantra:
JavaScript validation is good for the user, but Server validation is good for security.
And this one too:
User data is always evil.
In other words, always perform server validation, because at the end of the day you are dealing with user data that may have been tampered with.
I want to validate the data that the user enters in a form. I have only a username and two fields for the password. My first question is that I check the data with JavaScript and it works fine, but I want to check the data with PHP too in case JavaScript is not working. In case the JavaScript is not working the data will be checked by the PHP code, but my problem is that if JavaScript is working then the data will be checked by JavaScript and PHP too. Is this fine? Is there any way to avoid checking with PHP when the input data are checked by JavaScript? Also I am checking the inputs (username and password) for the number of characters, and for characters (I don't permit special characters, only "_", ".", numbers and letters, in order to avoid SQL injection) - how does it sound to you? Do you have any other suggestion for better validation?
Thank you in advance.
You should always do a server-side (PHP) validation of user input. A client-side (JavaScript) validation is only good for a better user experience. Also you should not restrict the input to some characters for MySQL injection prevention; there are other reliable methods for this.
Yes, you should validate both client-side (JS) and server-side (PHP).
Do so on the client for convenience for your user and for a better user experience.
Do so on the server to prevent a malicious attack, or, as you stated, in case your user has JS disabled.
You should always perform server-side validation. There is no guarantee that client-side validation (such as JavaScript validation) cannot be defeated. It's a simple exercise to grab a debugging tool (and many are built into browsers nowadays) and circumvent JavaScript validation.
Typically there is nothing wrong with, and it is even recommended, doing validation in both places, in JavaScript and PHP.
Checking both ways is fine and definitely recommended. If you wanted to avoid checking with PHP if JavaScript is enabled, you could append a hidden field to the form and check for this with PHP.
E.g.
if (!isset($_POST['js_hidden_field'])) {
    // Run validation
}
So you check for the hidden field; if it's not set, then run the PHP validation.
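A hidden field like js_hidden_field is itself user-supplied, so anyone forging the request (as other answers on this page show) can send that field too and skip the check. The following is an added example, not code from the answer above: it validates the username/password form discussed on this page on every POST, with a prepared statement instead of the character blacklist approach. The validate_signup and save_user functions, the users table, the SQLite data source and the field names are assumptions.

```php
<?php
// Added example: the server validates every request itself; a client-sent
// marker such as js_hidden_field is ignored because it is user input too.
declare(strict_types=1);

function validate_signup(array $post): array
{
    $errors = [];
    // Treat every value as an untrusted string; never assume a type.
    $username  = is_string($post['username']  ?? null) ? trim($post['username']) : '';
    $password  = is_string($post['password']  ?? null) ? $post['password'] : '';
    $password2 = is_string($post['password2'] ?? null) ? $post['password2'] : '';

    // Allow-list the username format: a business rule, not injection defence.
    if (!preg_match('/^[A-Za-z0-9_.]{3,32}$/', $username)) {
        $errors['username'] = 'Use 3-32 letters, digits, "_" or "."';
    }

    // Passwords get a length rule only; no character blacklist is needed
    // because the prepared statement in save_user() handles the SQL side.
    if (strlen($password) < 12) {
        $errors['password'] = 'Password must be at least 12 characters';
    } elseif (!hash_equals($password, $password2)) {
        $errors['password2'] = 'Passwords do not match';
    }
    return $errors; // empty array means the input passed
}

function save_user(PDO $db, string $username, string $password): void
{
    // Binding keeps data separate from SQL, whatever characters it contains.
    $stmt = $db->prepare('INSERT INTO users (username, password_hash) VALUES (:u, :h)');
    $stmt->execute([':u' => $username, ':h' => password_hash($password, PASSWORD_DEFAULT)]);
}

// Handler: runs on every POST, with or without js_hidden_field.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $errors = validate_signup($_POST);
    if ($errors === []) {
        $db = new PDO('sqlite:users.db'); // assumed data source
        save_user($db, trim($_POST['username']), $_POST['password']);
        echo 'Registered';
    } else {
        http_response_code(422);
        echo json_encode($errors); // field => message, for the client to display
    }
}
```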
This is actually good, you can never do too much validation in my opinion. Client side scripting can be manipulated by anyone with web development experience but server side scripting cannot.
client side scripting validation pros:
Alerts the user before submitting data allowing them to correct themselves
Makes your site look a little more sophisticated
server side validation pros:
no one can change any validation rules you have
they cannot turn off server side validation.
In short, doing both is good, it's actually better than just doing one or the other.
What is the purpose of using both validations at the same time? Because it's an extra burden on the server to validate the form inputs in PHP if the JavaScript validation is successful. Can't we use a flag and set or unset its value depending upon whether the JavaScript validation is successful or not? And if the flag value is set, we will skip the PHP validation. Is it not possible? If it's not possible can you explain with a valid real-life example? Or can a user modify the value of the flag even if we pass it in a header?
Waiting for some logical answers.
Thank you.
Validating with JavaScript saves you a trip to the server, and creates a nice responsive user experience.
Validating with PHP is necessary so you don't get broken data, or worse (the user could disable JavaScript or post data to your PHP application in a number of ways).
JavaScript can be disabled by the user. It can also be manipulated because it is client side.
One thing to always keep in mind: never trust the user's input. Even if you trust the users, or if the website is limited to a very small audience known to you.
So always keep server side validation.
Client side validation is for usability, so I would recommend you keep that too.
The purpose, quite simply, is safety.
JavaScript validation happens on the client side - in the user's browser. There is no problem disabling or editing the validation to my liking using a tool like Firebug, for example, or disabling it altogether by turning off JavaScript in my browser.
PHP validation, on the other hand, is done on the server side and the user can't interfere with that.
To sum it up, and how I like to think about it - JavaScript validation is for the ease of use of the client, PHP is for actual safety.
You can never trust user input. JavaScript is a utility for improving user experience, not your first line of defense against malicious user behavior. JavaScript itself can be used to bypass all JavaScript validations; all someone has to do is type this command in console:
document.forms[0].submit();
Now I am not sure what is with the idea of using flags. But it is just as easy for someone to "set" the flag manually if he/she can bypass JavaScript validation.
And if you think server side validation causes burden on the server, you're being ignorant (or lazy, perhaps).
Client side validation is primarily for user-experience and basic-validation.
While writing server side code, you should write validation to ensure security and to make sure the requests are not tampered in between.
As you might know, browsers allow the user to disable JavaScript. In such a case, client-side validation code will not be executed. If there is no server-side validation, this will create inconsistency in your application.
For example, if there is an input text field for which your application is expecting an integer value and the user inputs a non-integer value, your application is bound to misbehave, and if you are using a database, it will throw some error.
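For the integer-field case above, an added PHP example (not from the answer): PHP's loose casts quietly turn input such as "12abc" into a number, so a server-side check should use filter_var with FILTER_VALIDATE_INT plus a range and reject everything else before the value reaches the database. The field name quantity, the 1..1000 range and the sample inputs are assumptions constructed for the demonstration.

```php
<?php
// Added example: strict integer validation for a form field such as
// "quantity" (field name and 1..1000 range are assumptions).
declare(strict_types=1);

function validate_quantity($raw): ?int
{
    // Only strings (what $_POST delivers) or ints are acceptable carriers;
    // arrays (e.g. quantity[]=1) and anything else are rejected outright.
    if (!is_string($raw) && !is_int($raw)) {
        return null;
    }
    // FILTER_VALIDATE_INT accepts only a canonical decimal integer:
    // no trailing garbage, no exponent notation, no hex, no empty string.
    $value = filter_var($raw, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1, 'max_range' => 1000],
    ]);
    return $value === false ? null : $value;
}

// Constructed inputs showing how a naive cast differs from validation.
$samples = ['25', '12abc', '1e3', '0x1A', '', '5000', ['1']];
foreach ($samples as $raw) {
    $shown  = is_array($raw) ? 'array' : var_export($raw, true);
    $naive  = is_array($raw) ? 'n/a' : var_export((int) $raw, true);
    $strict = validate_quantity($raw);
    printf("%-8s naive (int) cast: %-5s validated: %s\n",
        $shown, $naive, $strict === null ? 'REJECT' : $strict);
}
```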
To strengthen a point the other answers may have implied: not only is it possible to bypass JavaScript in a browser, but it is possible to send data to your server without even visiting your website, if an attacker analyses the requests sent to and from your website.
This can be done either by a tool that manipulates the GET / POST requests (thus even using a valid session) or a tool that builds its own requests.
JavaScript validation is to help your regular users enter well-formed data; server-side validation protects your server / your data integrity.
I was wondering if it is really necessary to validate in both JS and PHP?
I have my submit button with JS document.myform.submit() sending with PHP POST to the same page.
If a user disables JS he can not send the form anyway.
So I wanted to ask about security, can someone send the variables in another way bypassing the javascript? How would they do this?
And if they can, the answer if I should validate in PHP as well would be YES, right?
The answer is simple.
Server-side is obligatory and must be done unconditionally.
Client-side validation is optional, just for user's convenience.
Thus, validating on both sides isn't necessary but is preferred for the sake of usability.
If a user disables JS he can not send the form anyway.
lol. A user can save your form on their local disk and edit it in any way they want.
Yes, someone can send the variables using urllib2 in Python, for instance. This is very easy to do. If you are only going to do one set of validations, do it server-side. Doing it client-side is nothing more than a courtesy to your users.
As an example of how easy it is:
import urllib2
variables = {'variable1': value1, 'variable2': value2}
urllib2.urlopen('http://yoursite.com/index.php/yourform', variables)
# your form has now been spoofed.
Adding headers and cookie management to spoof any user agent is just as trivial.
ALWAYS validate on the server side. JavaScript validation is nice to have, but can be bypassed easily.
An attacker can forge an HTTP POST request with malicious data to your form's URL, which will then enter your system unsanitized.
Just as everyone answered - never rely on client-side validation only. This is so easy to abuse; one doesn't even have to save your webpage to disk, he can use libcurl or any other HTTP library, or just play with Firebug etc.
Validation on the client side is very "user friendly" though. You can add Ajax validation to your forms, but still, this is just convenience and you should rely on server-side code.
I completely agree with everybody above - client side is mainly to benefit the person filling in the form. Server side is more to make sure you're not being targeted.
If you want a nice looking client side validation script, I've written one - free to download and use and very customisable. It'll even catch wrongly spelled email addresses and suggest a correct version. You can get it here if you're interested:
http://www.blackboxtechnology.co.uk/free-stuff/javascript-form-checker.php
Enjoy!