[UPHPU] RE: Javascript form validation [was Re: Posting a form]

Gary Thornock Gary_Thornock at sento.com
Thu Feb 24 15:26:24 MST 2005


> -----Original Message-----
> From: Mac Newbold [mailto:mac at macnewbold.com] 
> Sent: Thursday, February 24, 2005 14:06
> To: Benjamin Schmuhl; UPHPU List
> Subject: [UPHPU] RE: Javascript form validation [was Re: Posting a form]
> 
> Today at 12:48pm, Benjamin Schmuhl said:
>
>> This is a problem we want to overcome.  I don't want to use a
>> submit button because I want to use javascript to validate the
>> form before it can be submitted.  Is there any way to have enter
>> validate the form?  Do I have to put listener events on each form
>> element?
>
> Javascript form validation is a pet peeve of mine. Because it is
> client side, it is not guaranteed in any way to be run. It is
> insecure. It can be faked, skipped, avoided, disabled, and any
> number of other undesirable things.
>
> <snip>
>
> However, because it can be [easily] bypassed, it is of absolutely
> no use for guaranteeing that the form submission meets certain
> criteria. The only place that can be done is on the server side,
> where the programmer has complete control over the data and the
> validation performed on it.
>
> <snip>
>
> So _please_ don't depend on javascript for validation. Use it if you
> like, but back it up with all the same (or better) validation on the
> server side.

Amen!

Javascript validation has its place.  It's great, for instance, to be
able to determine quickly on the client side that some fields aren't
filled in, or that that credit card number won't pass a Mod-10 check.
But, in the end, you can never trust the data the client sends you,
*regardless of any client-side validation*, until you've validated it
*again* on the server.

- Gary
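
The point made in this thread, as an added example that is not part of the original message: a PHP handler that repeats the required-field and Mod-10 checks on the server, whatever the browser did or did not run. The field names (`name`, `email`, `card_number`), function names and sample inputs are assumptions constructed for illustration.

```php
<?php
// Added example. Field names and sample values below are assumptions, not from the thread.

/** Mod-10 (Luhn) check on a string of digits. */
function passes_mod10(string $digits): bool
{
    if (!preg_match('/^\d{12,19}$/', $digits)) {
        return false;               // reject empty, non-digit, or wrong-length input
    }
    $sum = 0;
    $double = false;                // the rightmost digit is not doubled
    for ($i = strlen($digits) - 1; $i >= 0; $i--) {
        $d = (int) $digits[$i];
        if ($double) {
            $d *= 2;
            if ($d > 9) { $d -= 9; }
        }
        $sum += $d;
        $double = !$double;
    }
    return $sum % 10 === 0;
}

/** Returns a map of field => error; an empty array means the input passed. */
function validate_order(array $post): array
{
    $errors = [];
    foreach (['name', 'email', 'card_number'] as $field) {
        // A missing key or an array value (name[]=x) counts as "not filled in".
        if (!isset($post[$field]) || !is_string($post[$field]) || trim($post[$field]) === '') {
            $errors[$field] = 'required';
        }
    }
    if (!isset($errors['email']) && filter_var($post['email'], FILTER_VALIDATE_EMAIL) === false) {
        $errors['email'] = 'invalid';
    }
    if (!isset($errors['card_number'])) {
        $card = preg_replace('/[\s-]+/', '', $post['card_number']);  // allow spaces and dashes
        if (!passes_mod10($card)) {
            $errors['card_number'] = 'failed Mod-10 check';
        }
    }
    return $errors;
}

// Constructed requests: a well-formed one, and one sent with the browser checks skipped.
var_dump(validate_order(['name' => 'A', 'email' => 'a@example.com', 'card_number' => '4111 1111 1111 1111']));
var_dump(validate_order(['name' => '', 'card_number' => '4111111111111112']));
```

In a real handler the array passed in would be `$_POST`, and the form would be processed only when the returned array is empty.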
