I was wondering if it is really necessary to validate in both JS and PHP?
I have my submit button calling document.myform.submit() in JS,
which sends the form via POST to the same PHP page.
If a user disables JS, he cannot send the form anyway.
So I wanted to ask about security: can someone send the variables another way, bypassing the JavaScript? How would they do this?
And if they can, the answer to whether I should validate in PHP as well would be YES, right?
Yes, someone can send the variables using urllib2 in Python, for instance. This is very easy to do. If you are only going to do one set of validations, do it server side. Doing it client side is nothing more than a courtesy to your users.
As an example of how easy it is:
import urllib
import urllib2
variables = {'variable1': 'value1', 'variable2': 'value2'}
# urlopen expects the POST body as a URL-encoded string, not a dict
data = urllib.urlencode(variables)
urllib2.urlopen('http://yoursite.com/index.php/yourform', data)
# your form has now been spoofed.
Adding headers and cookie management to spoof any user agent is just as trivial.
ALWAYS validate on the server side. JavaScript validation is nice to have, but it can be bypassed easily. An attacker can forge an HTTP POST request with malicious data to your form's URL, which will then enter your system unsanitized.
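As an added illustration of the server-side counterpart (this is example code, not from the question or any of the answers), here is a PHP handler for a hypothetical form with the fields name, email and age. The field names, limits and messages are assumptions; the point is that PHP only ever sees $_POST, so the same checks run whether the request came from document.myform.submit() or from a hand-crafted POST like the urllib2 one above.

```php
<?php
// Added example (not the asker's code): server-side validation in PHP for a
// hypothetical form with fields "name", "email" and "age". These checks run on
// every POST, so whether the client ran any JavaScript is irrelevant.

/**
 * Validate the submitted form fields. Returns an array of error messages keyed
 * by field name; an empty array means the input is acceptable.
 */
function validate_form(array $post): array
{
    $errors = [];

    // Read only the fields we expect. $_POST values can also be arrays
    // (e.g. name[]=x), so insist on strings before touching them.
    $name  = isset($post['name'])  && is_string($post['name'])  ? trim($post['name'])  : '';
    $email = isset($post['email']) && is_string($post['email']) ? trim($post['email']) : '';
    $age   = isset($post['age'])   && is_string($post['age'])   ? trim($post['age'])   : '';

    if ($name === '' || mb_strlen($name) > 100) {
        $errors['name'] = 'Name is required and must be at most 100 characters.';
    }

    // Syntactic e-mail check; rejects a missing "@", embedded spaces, etc.
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors['email'] = 'A valid e-mail address is required.';
    }

    // Whole number in a sane range; "", "12abc" and "-5" all fail this.
    $ageInt = filter_var($age, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 0, 'max_range' => 150],
    ]);
    if ($ageInt === false) {
        $errors['age'] = 'Age must be a whole number between 0 and 150.';
    }

    return $errors;
}

// The single handling path for the form: there is no "JS already checked it"
// shortcut, because the server cannot know what the client did.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $errors = validate_form($_POST);

    if ($errors !== []) {
        http_response_code(400);
        foreach ($errors as $field => $message) {
            // Escape before echoing so rejected input cannot inject markup.
            echo htmlspecialchars($field, ENT_QUOTES, 'UTF-8') . ': '
               . htmlspecialchars($message, ENT_QUOTES, 'UTF-8') . "<br>\n";
        }
        exit;
    }

    // Input passed validation. When storing it, still use prepared statements;
    // validation and output escaping are separate concerns from SQL safety.
    echo 'Form accepted.';
}
```

The JavaScript checks on the page can duplicate these rules for instant feedback, but they are a convenience layer only; the validate_form() call is the one that actually decides whether the data enters the system.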
The answer is simple.
Server-side validation is obligatory and must be done unconditionally.
Client-side validation is optional, just for the user's convenience.
Thus, validating on both sides isn't necessary, but it is preferred for the sake of usability.
If a user disables JS he can not send the form anyway.
lol. A user can save your form to their local disk and edit it any way they want.
Just as everyone answered - never rely on client-side validation only. This is so easy to abuse; one doesn't even have to save your webpage to disk, he can use libcurl or any other HTTP library, or just play with Firebug etc.
Validation on the client side is very "user friendly" though. You can add Ajax validation to your forms, but this is still just a convenience, and you should still rely on server-side code.
I completely agree with everybody above - client side is mainly to benefit the person filling in the form. Server side is more to make sure you're not being targeted.
If you want a nice looking client side validation script, I've written one - free to download and use and very customisable. It'll even catch wrongly spelled email addresses and suggest a correct version. You can get it here if you're interested:
http://www.blackboxtechnology.co.uk/free-stuff/javascript-form-checker.php
Enjoy!