[UPHPU] RE: Javascript form validation [was Re: Posting a form]
Steve Dibb
steve at wonkabar.org
Thu Feb 24 14:27:26 MST 2005
Mac Newbold wrote:
> Javascript form validation is a pet peeve of mine. Because it is client
> side, it is not guaranteed in any way to be run. It is insecure. It can
> be faked, skipped, avoided, disabled, and any number of other
> undesirable things.
<snip>
> However, because it can be [easily] bypassed, it is of absolutely no use
> for guaranteeing that the form submission meets certain criteria. The
> only place that can be done is on the server side, where the programmer
> has complete control over the data and the validation performed on it.

Amen, brother! For once, I actually agree with Mac (death to
reply-to-list, punk!). ;)

What I do is utilize a class that does all my server-side checking, with
functions for each type of input. Most of them are just regular
expressions with varying degrees of stripping out characters --
fmtNumber will strip all non-numerics, fmtAddress strips all
non-alphanumerics, plus periods and commas, etc.

Ideally, I think it would be good to have both client-side and
server-side checking. Client-side would at least save you from stuff
like they didn't fill in their name or whatever, and so it doesn't have
to reload the page one more time if they do miss it. But it's good to
check it in both places if you really want to ensure that what they're
putting in those input fields is really what you want going into your
database.

Steve
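
A server-side checking class along the lines described in the message above, as an added example that is not part of the original post and not the poster's own code. Only the names fmtNumber and fmtAddress come from the post; InputFilter, validateSignup(), the field names, the 5-digit ZIP rule and the exact character sets kept by each function are assumptions.

```php
<?php
// Added example; not the class from the post. InputFilter, validateSignup()
// and the field names are hypothetical. fmtNumber/fmtAddress are the names
// the post mentions, with their exact behaviour assumed.

final class InputFilter
{
    // Strip every character that is not a digit.
    public static function fmtNumber(string $raw): string
    {
        return (string) preg_replace('/\D+/', '', $raw);
    }

    // Assumption: keep letters, digits, spaces, periods and commas only.
    public static function fmtAddress(string $raw): string
    {
        return trim((string) preg_replace('/[^A-Za-z0-9 .,]+/', '', $raw));
    }
}

// Runs on every submission, whether or not the browser ran any JavaScript.
function validateSignup(array $post): array
{
    // A field sent as name[]=x arrives as an array; treat that as missing.
    $field = fn(string $k): string => is_string($post[$k] ?? null) ? $post[$k] : '';
    $clean = [
        'name'    => trim($field('name')),
        'zip'     => InputFilter::fmtNumber($field('zip')),
        'address' => InputFilter::fmtAddress($field('address')),
    ];
    $errors = [];
    if ($clean['name'] === '') {
        $errors['name'] = 'Name is required.';
    }
    if (strlen($clean['zip']) !== 5) { // hypothetical rule: 5-digit ZIP
        $errors['zip'] = 'ZIP must be exactly 5 digits.';
    }
    if ($clean['address'] === '') {
        $errors['address'] = 'Address is required.';
    }
    return [$clean, $errors];
}

// Constructed sample: a request posted straight to the server, so no
// client-side check ran (no name, array-valued zip, markup in the address).
$post = ['zip' => ['84', '601'], 'address' => '12 Main St., <b>Apt 4</b>'];
[$clean, $errors] = validateSignup($post);
var_dump($clean, $errors);
```

The constructed request fails on name and zip while the address comes back with the angle brackets and slash stripped, which is the result the server must reach on its own regardless of what the form's JavaScript would have caught.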