tags:

views:

71

answers:

6
+1  Q: 

PHP - Server Side Validation - Is this a good method?

Hello all,

I have done extensive client-side validation through the help from jQuery. Now come to the server side validation, if I found some fields are not valid, can I simply return an error to client and without any useful message?

My assumption is that the user has to enable JavaScript in order to access my webpage. The user will not see the form if the web browser disabled the JavaScript. I can simply use noscript to do that. If they submit the information through the form I designed, there should be no invalid field submitted to server. Thus, if I found any invalid field in server side, then my form is corrupted by some hacker rather than some regular users.

Does my understanding make sense to you?

< The following message is appended based on comments from many experts here > I am sorry that I didn't mention my question clearly here. I always do server side validation b/c I should not trust any user input.

However, my point here is that whether or not I should pass the server side error message to the user. Since, if a user uses my form and submits the form to server PHP, there should never be an invalid field. If such thing happens, then I assume that some hackers are playing with my PHP. So I would like to ignore them.

The major reason why I try to avoid passing the server side error messages back to client is that I didn't find a better solution to do so. I have posted several related questions here without good suggestion or examples.

< --- END ---- >

Thank you

+1  A: 

Client side validation is only for users that actually use your site. Spam-bots, etc can easily omit it, so there always should be validation at the server site. When validation error is occurred a message should be sent back to user, that informs what is wrong.

Never use only client side validation. It can be only an extras.

Ventus  2010-08-06 20:22:51
I don't think the OP is trying to avoid server side validation, just sending a useful error message.
mcrumley  2010-08-06 20:27:53
Hello mcrumley,It seems that you are the only person that understands my original question.Thank you
q0987  2010-08-06 21:08:46
+1  A: 

Server validation is absolute must have for every web application because it's really easy to send fake headers. For example, you javascript do not allow to enter letters to the form, but I can simply send fake headers containing letters, digits etc.

Kirzilla  2010-08-06 20:24:03
Please see my updated question.thank you
q0987  2010-08-06 21:10:51
A: 

I always send a useful error message back. You will likely need a way for the server to report other error conditions anyway (database errors, etc.).

mcrumley  2010-08-06 20:25:23
May you give me some suggestion how to do it in a decent way?Thank you
q0987  2010-08-06 21:11:21
I don't know how your application is set up so I can't give a specific recommendation, but the simplest way is to throw an exception and catch it in a global exception handler. Then just put the error message in a basic template. I usually set the HTTP response code to "403 Forbidden" for input validation errors.
mcrumley  2010-08-06 21:56:35
+1  A: 

In your situation, it sounds like you can be fairly certain that valid users won't be hitting PHP validation errors. So you can respond with slacker error messages. You really ought to give some decent indication of what went wrong though. If you don't, you'll regret it one day when the javascript fails for some reason (like you changed it and didn't test well enough).

Scott Saunders  2010-08-06 20:27:02
+1 for the consideration for users.
Sean Vieira  2010-08-06 20:32:11
I didn't give you the -1, but someone gave it to you because if its in js then its trivial to bypass.
Rook  2010-08-06 20:42:35
I think the OP is writing server side validation, and that their question is about how good the error messages generated by the PHP need to be. My answer assumes that the PHP validation will be thorough, and addresses only how good the error messages need to be.
Scott Saunders  2010-08-06 20:45:03
Please see my updated question. thank you
q0987  2010-08-06 21:12:57
I believe I responded to your actual question: "can I simply return an error to client and without any useful message?" I'll rephrase my answer: Yes, but I think you should return an error message that describes the problem.
Scott Saunders  2010-08-07 01:49:58
+3  A: 

You should always always have server-side validation.

I would suggest you to have a look at:

The client side validation is always a good idea and you should go for it but server-side validation should be a must and good coding practice.

Sarfraz  2010-08-06 20:28:59
Hello Sarfraz,I think I didn't state my question clearly. I MUST do the server side validation for my application. However, I would like NOT do the interactive feedback with user if there is a server side error.Since, regular user who access the PHP through the dedicated form should never submit an invalid form.Thank you
q0987  2010-08-06 21:01:08
@q0987: If you think they will never submit invalid form then there is no question of it however you can never be 100% sure, you should use server-side validation this in your future projects where dumb/disable/bad guys can enter a lot of rubbish stuff in your forms.
Sarfraz  2010-08-06 21:08:35
+1  A: 

Validation of anything on the client is only useful to help your users catch mistakes like "oh, you didn't give us a Last Name, please go fill that in". Someone such as myself can simply send any request I desire what-so-ever to your server, be able to deal with it, or be ready to deal with a potentially corrupted database and a CD-Rom of your customer's CreditCard numbers floating around Estonia.

Having the server reply with the form depends on how your structure your code-- eg, if it's ajax or whatever. But reporting the problem is always nice to have.

 2010-08-06 20:35:30
Hello user257493,It is nice to have. But I would like to know some good techniques to do so. For client side, I use jQuery Validation Plugin and make the life much easier for me. But for the server side, I don't know a better solution that can pass the error messages to user in a decent way.thank you
q0987  2010-08-06 21:10:18
Like I said it depends on how you serve your pages, like are you just sending ajax data back and forth, are you going to .php pages? There's a bunch of ways. I know some MVC frameworks would deal with this sort of thing.
 2010-08-07 02:00:28

related questions

IDE suggestions: Eclipse IDE vs. Zend Studio ( confused )
MySQL/Apache Error in PHP MySQL query
Lightweight IDE for Linux
What PHP framework would you choose for a new application and why?
Why is my ternary expression not working?
How can I get at the matches when using preg_replace in PHP?
Mechanisms for tracking DB schema changes
Wordpress theme development offline tools
Using object property as default for method property
How can I get the authenticated user name under Apache using plain HTTP authentication and PHP?
Make XAMPP/Apache serve file outside of htdocs
How do you debug PHP scripts?
PHP Variables passed by value or by reference?
Best way to implement unit testing in PHP
Connect PHP to an AS/400
Best way to access Exchange using PHP?
PHP Session Security
How do I access a remote form in php?
What's the best way to generate a tag cloud from an array? (using h1 through h6 for sizing)
Apache/PHP: error_log per Virtual Host?
How do I track file downloads with apache/PHP
How would you access Object properties from within an object method?
Flat File Databases in PHP
Best way to allow plugins for a PHP application
Latest information on PHP upcoming releases