[UPHPU] RE: Javascript form validation [was Re: Posting a form]

Mac Newbold mac at macnewbold.com
Thu Feb 24 14:06:13 MST 2005


Today at 12:48pm, Benjamin Schmuhl said:

> This is a problem we want to overcome.  I don't want to use a submit
> button because I want to use javascript to validate the form before it
> can be submitted.  Is there any way to have enter validate the form?  Do
> I have to put listener events on each form element?

I don't want my reply to be taken in the wrong way by anyone, so know 
right now that I mean this in the nicest and most helpful way.

Javascript form validation is a pet peeve of mine. Because it is client 
side, it is not guaranteed in any way to be run. It is insecure. It can be 
faked, skipped, avoided, disabled, and any number of other undesirable 
things. Search engines don't run any of it either, though that doesn't 
have much to do with form validation in particular. People can even make a 
form like yours, but without the javascript, and submit _that_ instead of 
your form.

Before I go further, let me say that client side validation (and other 
client-side functionality) has its place. In many cases, it can make the 
user experience better by providing faster response than submitting the 
form to the server, and it can do things that the programmer thinks 
are helpful, like updating other fields as values are selected or entered.

However, because it can be [easily] bypassed, it is of absolutely no use 
for guaranteeing that the form submission meets certain criteria. The only 
place that can be done is on the server side, where the programmer has 
complete control over the data and the validation performed on it.

I've seen horrific things in this regard. One in particular that makes me 
cringe is when I saw a site that used Javascript to calculate the amount a 
credit card would be charged, and the server side blindly accepted 
whatever the javascript told it, and billed the card that amount, and 
considered the bill paid in full. Another javascript abuse I saw used 
a form that did not have a valid action, so the form didn't have anywhere 
to submit to, and by means of javascript, validated things and proceeded 
to (incorrectly) fashion a GET string, then set the page's location to 
that string. I've seen others that do a pretty good job in the javascript 
of validating things, but when the page was submitted, did absolutely no 
validation on the server side. To make matters worse, I saw all three 
things on the same site, one that I did not write, but which I was hired 
to debug, repair, and complete. I've seen most of those things in plenty 
of other places too, at least the client side mistakes.

Another thing to keep in mind is that if your site will not work with 
javascript disabled, you are closing out a significant portion of your 
potential users. And I'm not just talking about the wierdos (like 
bigdog_ut ;) ) who use Lynx for normal browsing. In the worst case, you're 
locking Google, Yahoo, MSN, and the other search engines out of your site. 
(If that doesn't matter to you, it probably should.)

Every site should be functional and usable (at least) without javascript. 
If it has more bells and whistles with javascript, fine. But it should 
still work without it.

A statistic I found recently stated that a significant (10%-20%) number of 
users have javascript completely or partially disabled in their web 
browsers. And no, that isn't one of the 93.61% of statistics that get made 
up on the spot.

Sorry for the rant/diatribe/flame as it may be percieved. I'm just going 
about trying to help people not to make the same mistake that so many 
people have already made (and in many cases, are still making).

So _please_ don't depend on javascript for validation. Use it if you like, 
but back it up with all the same (or better) validation on the server 
side.

Thanks,
Mac

/me thinks he's going to turn this into an article on the uphpu.org web 
site, too...

--
Mac Newbold		MNE - Mac Newbold Enterprises, LLC
mac at macnewbold.com	http://www.macnewbold.com/



More information about the UPHPU mailing list