rv20 Posted May 27, 2009
Well, first, obviously AJAX is async js + php usually. I had the wise idea of validating login and signup forms through AJAX, which works great, and I can have any errors displayed without doing a form reload. I then realised I don't need AJAX but can just use plain js with an onclick and innerHTML, again without having to reload the page if, say, a form field is invalid, like a blank field; I can then display "please enter your email" etc. But after having looked at quite a lot of source code I don't see this method of validating any more; it must all be AJAX, or having the php script validate and hence having to reload the page. Would you use AJAX, js or php for this?

Axeia Posted May 27, 2009
I use javascript/php (php is a MUST) as javascript/ajax are client-side based and thus can be avoided. Some things you can't do (sensibly) with javascript only, so ajax comes in handy. For example, if you want to check a valid user, you can check the format with javascript just fine, but seeing if it was already used, that's another story. Of course you could make an array with all member names, but what if someone else signs up with the desired username while the other is still filling in the form? And you don't want several thousands of usernames to be downloaded either, so that's when ajax comes in.

Maq Posted May 27, 2009
You should always validate server-side, even if you use JS to validate. Moving to Javascript section.

rv20 Posted May 27, 2009
Guys, you're right, I am talking nonsense here, as I still have to POST anyway and check the db via php (in my case). So you say always check server side, so are there security problems or whatever if I do use AJAX? Now that I have a nice working generic AJAX setup I can pretty much use it for all communication to php.

Axeia Posted May 27, 2009
If you use ajax, all security goes out the window as soon as the user presses "Disable javascript" or is using a browser that doesn't support it in the first place.
Step #1) Implement server-side validation
Step #2 (optional)) Provide local validation using javascript and/or ajax.

rv20 Posted May 27, 2009
> If you use ajax, all security goes out the window as soon as the user presses "Disable javascript" or is using a browser that doesn't support it in the first place.
> Step #1) Implement server-side validation
> Step #2 (optional)) Provide local validation using javascript and/or ajax.

Why does security go out the window if they disabled js? YouTube uses js/ajax, and if you disable js in FF then you can't view YouTube videos or browse through the comments, as the comments are fetched through ajax. So they don't have a backup, basically the world's most popular site: either enable js or don't use it. I don't see why I should have a problem using ajax??

Axeia Posted May 27, 2009
Want to bet that if you code your own form and set the target of the form to YouTube's receiving page, it will still check the data it receives? And that's too extreme for my tastes: "Have javascript enabled or you're not getting anything!" What about blind people using a screenreader, think it supports javascript? If you don't see the problem, then try it your way and make a post in the forum with something like "Try to hack my site". I'm sure you'll see why server-side validation is important.

rv20 Posted May 28, 2009
OK, I am all for hack prevention. Can you outline some hacks (I take it we are talking about ajax hacks) or link me up to a site detailing it?

Axeia Posted May 28, 2009
Ajax doesn't do anything special that makes it an ajax hack. Just do the normal htmlspecialchars(), mysql_real_escape()/prepared statements etc. Just stick to the golden rule: NEVER trust client-side information. If it isn't coming from your own code then consider it harmful by default.

Ken2k7 Posted May 28, 2009
Axeia - mysql_real_escape_string

Axeia Posted May 28, 2009
But mine escaped calling the function! (I have a strange habit of forgetting to type down some words..)
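
The advice given in this thread (validate on the server whatever the client did, use prepared statements, escape output with htmlspecialchars(), and let the database settle who gets a username) as an added example that is not part of any post above. The function names, the users table and the sample requests are hypothetical, and an in-memory SQLite database via PDO is assumed so the script runs on its own.

```php
<?php
// Added example; validate_signup(), register() and the users table are hypothetical names.
$pdo = new PDO('sqlite::memory:'); // in-memory SQLite stands in for the real database
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// The UNIQUE constraint is the final arbiter: an earlier AJAX "name is free" answer can be stale.
$pdo->exec('CREATE TABLE users (username TEXT UNIQUE NOT NULL, email TEXT NOT NULL)');

// Server-side rules, applied to every request whether or not the client-side checks ran.
function validate_signup(array $in): array
{
    $errors = [];
    $username = is_string($in['username'] ?? null) ? trim($in['username']) : '';
    $email = is_string($in['email'] ?? null) ? trim($in['email']) : '';
    if (!preg_match('/\A[A-Za-z0-9_]{3,20}\z/', $username)) {
        $errors['username'] = 'Username must be 3-20 letters, digits or underscores.';
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors['email'] = 'Please enter a valid email address.';
    }
    return [$errors, $username, $email];
}

function register(PDO $pdo, array $in): array
{
    [$errors, $username, $email] = validate_signup($in);
    if ($errors) { return $errors; }
    try {
        // Prepared statement: values are bound, never concatenated into the SQL text.
        $pdo->prepare('INSERT INTO users (username, email) VALUES (?, ?)')
            ->execute([$username, $email]);
    } catch (PDOException $e) {
        if (strpos((string) $e->getCode(), '23') !== 0) {
            throw $e; // not an integrity-constraint violation (SQLSTATE class 23)
        }
        $errors['username'] = 'That username is already taken.';
    }
    return $errors;
}
// Constructed requests, as a hand-built form or a client without JavaScript could send them.
$requests = [
    ['username' => 'alice', 'email' => 'alice@example.com'],
    ['username' => 'alice', 'email' => 'other@example.com'], // name taken in the meantime
    ['username' => '<b>al</b>', 'email' => 'not-an-email'],  // skipped the client-side checks
];
foreach ($requests as $in) {
    $errors = register($pdo, $in); // output below is escaped before it is echoed into HTML
    echo htmlspecialchars($in['username'], ENT_QUOTES, 'UTF-8'), ': ',
        $errors ? json_encode($errors) : 'registered', "\n";
}
```

An AJAX endpoint and a plain form POST can both call the same register() function, so the JavaScript layer only changes how the errors are displayed.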