simpli Posted March 12, 2009

Hi,

I have an application where I want to do some client side validation but in the case javascript is not installed I want to do a server side validation. I don't want the server side validation to run if the client side validation ran. I was thinking of setting a variable that javascript can set to true when the validation ran and was successful. I'd like php to test that same variable to decide whether to run the server side validation. Can you tell me what is the best way to go about doing this?

Thank you kindly, all help is appreciated.

J-R

Link to comment: https://forums.phpfreaks.com/topic/149052-solved-client-side-validation-flag-sharing-with-php/

PFMaBiSmAd Posted March 12, 2009

You must ALWAYS validate external data once it reaches the server.

.josh Posted March 12, 2009

Okay, so what's to stop someone from opening up your output in an editor (or even right there live on your page, with widely available and used plugins), putting invalid data into your fields, stripping out the js validation, and sending along your thumbs up boolean to php? php then happily does whatever it does with the data, expecting it to be sanitized, and next thing you know, your database is dumped and going to www.yoursite.com yields a "J00 G0T PWND BY L337 H4XX0RZ !1!!!!!1111!!!!!!ONE!!11!1!!". If you're lucky, that's all someone will do.

simpli (Author) Posted March 12, 2009

OK, so if I understand correctly I must always do server side validation. Then what use is client side validation? Secondly, and most importantly, you guys have told me what NOT to do, but could you tell me what I should do to do this properly?

Thank you.

J-R

.josh Posted March 12, 2009

You can still use javascript validation to do a more "live, interactive" validation, like only allowing numbers to be pressed for phone number or zipcode fields, popups saying blahblah isn't right, whatever. But you need to also validate everything server-side, no matter what, so that if the user doesn't have javascript turned on, or turns it off on purpose, or tampers with the coding to get around it, it's still being validated in a place the user can't mess with.

You would server-side validate it 100% of the time, no matter what. Just think of javascript validation as a way to reduce requests to your server. Most people aren't out to get you, so you can use javascript to validate their stuff and not have request after request sent to your server before they fill out the form right.

If this is on a closed network and you know everybody who will access it and trust them, then by all means, stick with javascript validation if you want.

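The rule from the replies above (validate on the server on every request, and treat any client-side "already validated" flag as untrusted input), as an added PHP example that is not code from the thread. The field names phone, zip and js_validated, the 10-digit phone and US ZIP formats, and the two sample requests are assumptions constructed for illustration.

```php
<?php
// Added example, not code from the thread. Field names and formats are assumptions.

/**
 * Validate a form submission on the server. Returns [clean, errors].
 * The client-supplied "js_validated" flag is deliberately never read:
 * every value in the request can be set by whoever sends it.
 */
function validate_submission(array $input): array
{
    $clean = [];
    $errors = [];

    // Require plain strings; a request can also send arrays (phone[]=x).
    foreach (['phone', 'zip'] as $field) {
        if (!isset($input[$field]) || !is_string($input[$field])) {
            $errors[$field] = 'missing';
        }
    }
    if ($errors) {
        return [$clean, $errors];
    }

    // Phone: drop common separators, then require exactly 10 ASCII digits.
    $phone = preg_replace('/[\s().-]/', '', $input['phone']);
    if (preg_match('/\A\d{10}\z/', $phone) === 1) {
        $clean['phone'] = $phone;
    } else {
        $errors['phone'] = 'invalid';
    }

    // ZIP: 5 digits with an optional -4 suffix; \A and \z anchor the whole string.
    if (preg_match('/\A\d{5}(-\d{4})?\z/', $input['zip']) === 1) {
        $clean['zip'] = $input['zip'];
    } else {
        $errors['zip'] = 'invalid';
    }

    return [$clean, $errors];
}

// Constructed sample requests: both claim the JavaScript check already passed.
$honest   = ['phone' => '(555) 010-1234', 'zip' => '90210', 'js_validated' => 'true'];
$tampered = ['phone' => '555-abc',        'zip' => '9021O', 'js_validated' => 'true'];

foreach (['honest' => $honest, 'tampered' => $tampered] as $label => $request) {
    [$clean, $errors] = validate_submission($request);
    echo $label, ': ', $errors ? 'rejected ' . json_encode($errors) : 'accepted ' . json_encode($clean), "\n";
}
```

The JavaScript checks can mirror the same patterns for quicker feedback in the browser, while the server result alone decides whether the data is used.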