Well first obviously AJAX is async js + php usually.

 

I had the wise idea of validating login and signup forms through AJAX, which works great, and I can have any errors displayed without doing a form reload. I then realised I don't need AJAX but can just use plain js with an onclick and innerHTML, again without having to reload the page if, say, a form field is invalid like a blank field; I can then display "please enter your email" etc.

 

But after having looked at quite a lot of source code I don't see this method of validating any more; it must all be AJAX, or having the php script validate and hence having to reload the page.

 

Would you use AJAX, js or php for this?

I use javascript/php  (php is a MUST) as javascript/ajax are clientside based and thus can be avoided.

Some things you can't do (sensibly) with javascript only so ajax comes in handy.. for example if you want to check a valid user, you can check the format with javascript just fine.. but seeing if it was already used, that's another story.

 

Of course you could make an array with all membernames, but what if someone else signs up with the desired username while the other is still filling in the form.. and you don't want several thousands of usernames to be downloaded either.. so that's when ajax comes in ;)

Guys, you're right, I am talking nonsense here as I still have to POST anyway and check the db via php (in my case).

 

So you say always check server side, so are there security problems or whatever if I do use AJAX? Now that I have a nice working generic AJAX setup I can pretty much use it for all communication to php.

 

 

If you use ajax, all security goes out the window as soon as the user presses "Disable javascript" or is using a browser that doesn't support it in the first place.

 

Step #1)

Implement serverside validation

Step #2 (optional))

Provide local validation using javascript and/or ajax.


Why does security go out the window if they disabled js? YouTube uses js/ajax, and if you disable js in FF then you can't view YouTube videos or browse through the comments, as the comments are fetched using ajax.

 

So they don't have a backup, basically the world's most popular site: either enable js or don't use it. I don't see why I should have a problem using ajax??

Want to bet that if you code your own form and set the target of the form to YouTube's receiving page it will still check the data it receives?

And that's too extreme for my tastes "Have javascript enabled or you're not getting anything!", what about blind people using a screenreader, think it supports javascript?

 

If you don't see the problem, then try it your way and make a post in the forum with something like "Try to hack my site", I'm sure you'll see why server-side validation is important.

Ajax doesn't do anything special that makes it an ajax hack.

Just do the normal htmlspecialchars() mysql_real_escape()/prepared statements etc.

 

Just stick to the golden rule NEVER trust client side information, if it isn't coming from your own code then consider it harmful by default.
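The advice in this thread (validate on the server, use prepared statements, escape on output, and let the database settle the "username taken while the form was being filled in" race), shown as an added example that is not code from any poster. The `members` table, the field names and the in-memory SQLite database (requires `pdo_sqlite`) are assumptions made so the script runs stand-alone; the thread itself talks about MySQL.

```php
<?php
// Format checks repeated on the server: the request may never have seen the page's JavaScript.
function validate_signup(array $in): array
{
    $user   = is_string($in['username'] ?? null) ? trim($in['username']) : '';
    $email  = is_string($in['email'] ?? null) ? trim($in['email']) : '';
    $errors = [];
    if (!preg_match('/\A[A-Za-z0-9_]{3,20}\z/', $user)) {
        $errors['username'] = 'Username must be 3-20 letters, digits or underscores.';
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors['email'] = 'Please enter your email.';
    }
    return [$user, $email, $errors];
}

// Returns an array of field => message; an empty array means the member was created.
function signup(PDO $db, array $in): array
{
    [$user, $email, $errors] = validate_signup($in);
    if ($errors) {
        return $errors;
    }
    try {
        // Prepared statement: the values are bound, never spliced into the SQL text.
        $db->prepare('INSERT INTO members (username, email) VALUES (?, ?)')->execute([$user, $email]);
    } catch (PDOException $e) {
        // SQLSTATE 23000 = integrity constraint violation. The UNIQUE column decides who
        // got the name, so two simultaneous signups cannot both pass a "is it free?" check.
        if (($e->errorInfo[0] ?? '') === '23000') {
            return ['username' => 'That username is already taken.'];
        }
        throw $e;
    }
    return [];
}

// Constructed demo data (hypothetical table and requests).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE members (username TEXT COLLATE NOCASE UNIQUE NOT NULL, email TEXT NOT NULL)');
$requests = [
    ['username' => 'alice', 'email' => 'alice@example.com'],  // accepted
    ['username' => 'Alice', 'email' => 'other@example.com'],  // same name, caught by UNIQUE
    ['username' => '<b>x</b>', 'email' => ''],                // sent from a hand-built form
];
foreach ($requests as $r) {
    $errors = signup($db, $r);
    // Anything echoed back that came from the client goes through htmlspecialchars().
    echo htmlspecialchars($r['username'], ENT_QUOTES, 'UTF-8'), ' => ', $errors ? json_encode($errors) : 'ok', "\n";
}
```

An AJAX endpoint and a plain form POST can both call `signup()`; the JavaScript checks on the page then only save the user a round trip.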
