Gary_Thornock at sento.com
Thu Feb 24 15:26:24 MST 2005
> -----Original Message-----
> From: Mac Newbold [mailto:mac at macnewbold.com]
> Sent: Thursday, February 24, 2005 14:06
> To: Benjamin Schmuhl; UPHPU List
> Today at 12:48pm, Benjamin Schmuhl said:
>> This is a problem we want to overcome. I don't want to use a
>> form before it can be submitted. Is there any way to have enter
>> validate the form? Do I have to put listener events on each form
> client side, it is not guaranteed in any way to be run. It is
> insecure. It can be faked, skipped, avoided, disabled, and any
> number of other undesirable things.
> However, because it can be [easily] bypassed, it is of absolutely
> no use for guaranteeing that the form submission meets certain
> criteria. The only place that can be done is on the server side,
> where the programmer has complete control over the data and the
> validation performed on it.
> like, but back it up with all the same (or better) validation on the
> server side.
able to determine quickly on the client side that some fields aren't
filled in, or that that credit card number won't pass a Mod-10 check.
But, in the end, you can never trust the data the client sends you,
*regardless of any client-side validation*, until you've validated it
*again* on the server.
More information about the UPHPU