ansaurus

Question

Check to see if certain fields have been filled out before a form is submitted.

Answer 1

A:

You shouldn't be messing with back-end errors like this. Make sure you validate at client side with JavaScript. Not say ignore back end validations and or sanatization.

Babiker 2010-06-19 19:08:24

Answer 2

A:

If you are not going to allow the user to submit the form with empty fields then you are correct there is no point allowing these fields to be NULL in the database.

I would say that you should use Javascript to validate as a usability issue (it saves the user waiting for a page reload to discover they have not entered a required field). However this needs to be backed up by server side validation and appropriate error messages for users with javascript disabled.

Martin Smith 2010-06-19 19:08:47

Sounds good, I will just make a generic catch all error page that is there "just in case". If I am understanding correctly that page will in all likelihood never be seen by anyone. I would also like to add that this is for a small business and is only on there intranet, so I know they will have JavaScript since I maintain the server and their workstations.

typoknig 2010-06-19 19:14:16

Answer 3

+2 A:

My question is, should I check to see if fields are empty/null with JavaScript before the form is submitted, or should I let the user attempt to submit the form and then base my corrective action on what every MySQL error I get back?

Do both, check with javascript but checking with PHP is a must. Don't insert empty values if you want that.

Sarfraz 2010-06-19 19:10:27

Thanks for the link, the JavaScript there will help me to get my stuff right.

typoknig 2010-06-19 19:26:20

Answer 4

+1 A:

You should always do checks on the back-end, regardless of whether or not there are JavaScript checks. What if someone has JavaScript disabled? What if the user is malicious and uses something like Firebug to compromise your JavaScript validation and security? It's not only possible, it's very easy to do. Always check on the back end.

I would say do the check in PHP first - if any fields are empty, take them back to the form and make them fill it back out. After it works in PHP, add JavaScript validation to make the form more usable.

Hooray Im Helping 2010-06-19 19:13:00

Answer 5

+4 A:

You should validate on the client side before sending the data to the server. This would allow you to highlight errors to the user, potentially before they've submitted the data to the server.

But you should also validate on the server side. It's possible for someone to maliciously send invalid data to your server, bypassing the client-side validation.

Client-side validation is good for ensuring that the user gets some helpful feedback when they haven't filled in a form correctly. But relying only on that validation is insecure. Make sure the the server doesn't allow invalid data.

Also, if you ever allow the data to be accessed through some sort of API, you'll want server-side validation to prevent invalid data getting into the database.

Richard Fearn 2010-06-19 19:13:01

Thanks for the info. I will do some reading on the best form validation practices to make sure I get everything correct.

typoknig 2010-06-19 19:40:12

Answer 6

A:

Your database should always enforce your assumptions about the structure of the data. It costs you nothing to do, but it serves as a last line of defense against corruption of your database.

Never assume that a client side process is going to hand you well formed data. Your server side scripts should consider anything coming from a browser as having come out of the saddle bag of a dead Pony Express rider whose horse dragged him in from the frontier.

Check on both sides. Setting your db column NOT NULL costs you nothing. Javascript uses the client's resources, so it also costs you nothing, and it gives your user instant feedback without having to communicate with the server.

You can check that a field has data by checking that it's value attribute is not an empty string. Something like:

if (formElement.attachEvent) { //handle IE
    formElement.attachEvent('onsubmit', function() {
        if (window.event.sourceElement.someFormElement.value === '') {
            // outline empty form in red or otherwise alert user of bad input
            return false;
        } else {
            // check other fields that can't be empty
        }
    }
} else {
    formElement.addEventListener('submit', function() {
        if (this.someFormElement.value === '') {
            // outline empty form in red or otherwise alert user of bad input
            return false;
        } else {
            // check other fields that can't be empty
        }
    }
}

Returning false from the even handler prevents the form from being submitted.

jasongetsdown 2010-06-19 19:33:51

Excellent! Thanks for the code too. I guess you are right about having extra defense in your database, it isn't going to hurt anything but it could save me a headache in the future.

typoknig 2010-06-19 19:45:48

Answer 7

A:

I'm a newcomer to SQL, so I've been reading up on ways to destroy and hack into DBs. Frightening! The bottom line, for me, is: always validate everything at your server BEFORE submitting any SQL query. Ref: http://www.securitydocs.com/library/3587

I also validate a lot of things via JS to maintain responsiveness, as many others have mentioned before.

A rule that I like a lot and try to follow: validate with a whitelist, the collection of things to allow. Don't validate with a blacklist, the things to disallow. Why? Because I really can't be sure the blacklist contains all things illegal. My carelessness and the constant pressure of hacker inventiveness ensure there will be hundreds or thousands of illegals.

It's much easier to be sure of the things that are allowable: there are relatively few of those guys.

Pete Wilson 2010-06-19 20:53:28

ansaurus

tags:

views:

answers:

Check to see if certain fields have been filled out before a form is submitted.

related questions