I want to validate the data that the user enters in a form. I have only a username and two fields for the password. My first question is that I check the data with JavaScript and it works fine, but I want to check the data with PHP too in case JavaScript is not working. In case JavaScript is not working, the data will be checked by the PHP code, but my problem is that if JavaScript is working then the data will be checked by JavaScript and PHP too. Is this fine? Is there any way to avoid checking with PHP when the input data are checked by JavaScript? Also I am checking the inputs (username and password) for the number of characters and for characters (I don't permit special characters, only "_", ".", numbers and letters, in order to avoid SQL injection). How does it sound to you? Do you have any other suggestion for better validation?

Thank you in advance.

  • You should always check on the PHP side because JavaScript isn't secure. Commented Apr 17, 2012 at 21:36

5 Answers

2

You should always do server-side (PHP) validation of user input. Client-side (JavaScript) validation is only good for a better user experience. Also, you should not restrict the input to some characters for MySQL injection prevention; there are other reliable methods for this.


3 Comments

Thank you for your answer! :) I am using the function mysql_real_escape_string() for SQL injection. But wouldn't it be better to restrict some of the characters in the inputs? I think a password with numbers, letters, "_", "." and maybe some more special characters could be safe enough.
mysql_real_escape_string() is a good start to prevent MySQL injection, no need to restrict user input. But well, there are always people out there who can also bypass that, but for the beginning it should last.
I want to restrict the user input because of what you said. Maybe it is not enough if I only use the mysql_real_escape_string() function. It would be good if I had one more solution that prevents SQL injection; that's why I decided to restrict the input.
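As an added example (not code from the answer above or its author), here is what the advice in that answer looks like in PHP: the username and both password fields are validated on the server, and SQL injection is prevented by a parameterised PDO query rather than by stripping characters from the input. This swaps in prepared statements for the mysql_real_escape_string() approach discussed in the comments. It uses an in-memory SQLite database so it runs stand-alone (it needs the pdo_sqlite extension); the function names, the users table and the character policy are assumptions made for the example, and the POST arrays are constructed inputs.

```php
<?php
// Added example: server-side validation plus a parameterised query.
// validate_signup, create_user, check_login and the users table are
// assumptions made for this example, not code from the original post.
declare(strict_types=1);

/**
 * Validate the signup form server-side. Returns a list of error strings;
 * an empty list means the input is acceptable.
 *
 * The character restriction on the username is a policy choice (a plain
 * login name is easier to display and search), NOT an injection defence.
 * The password gets only a length rule: it is hashed, never placed into
 * SQL as text, so any character is safe.
 */
function validate_signup(array $post): array
{
    $errors = [];

    $username  = $post['username']  ?? '';
    $password  = $post['password']  ?? '';
    $password2 = $post['password2'] ?? '';

    // PHP turns "username[]=x" into an array; reject anything but strings.
    if (!is_string($username) || !is_string($password) || !is_string($password2)) {
        return ['All fields must be plain strings.'];
    }

    // Username: 3..32 characters drawn from letters, digits, "_" and ".".
    if (!preg_match('/\A[A-Za-z0-9_.]{3,32}\z/', $username)) {
        $errors[] = 'Username must be 3-32 characters: letters, digits, "_" or ".".';
    }

    // Password: length only, counted in bytes because bcrypt reads at most 72.
    $len = strlen($password);
    if ($len < 8 || $len > 72) {
        $errors[] = 'Password must be between 8 and 72 bytes.';
    }

    // The two password fields must match exactly.
    if (!hash_equals($password, $password2)) {
        $errors[] = 'Passwords do not match.';
    }

    return $errors;
}

/** Insert a user; the password is stored only as a hash. */
function create_user(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('INSERT INTO users (username, password_hash) VALUES (:u, :h)');
    return $stmt->execute([
        ':u' => $username,
        ':h' => password_hash($password, PASSWORD_DEFAULT),
    ]);
}

/** Look a user up and check the password. True only on a genuine match. */
function check_login(PDO $db, string $username, string $password): bool
{
    // The placeholder keeps the username as data, so "' OR 1=1 --" is
    // just a username that does not exist, whatever characters it holds.
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row !== false && password_verify($password, $row['password_hash']);
}

// --- stand-alone demonstration with constructed POST data -------------------
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)');

$good = ['username' => 'alice.b', 'password' => 'correct horse!', 'password2' => 'correct horse!'];
$bad  = ['username' => "' OR 1=1 --", 'password' => 'x', 'password2' => 'y'];

echo "errors for good input:   ", json_encode(validate_signup($good)), "\n";
echo "errors for bad input:    ", json_encode(validate_signup($bad)), "\n";

create_user($db, $good['username'], $good['password']);
echo "alice / right password:  ", var_export(check_login($db, 'alice.b', 'correct horse!'), true), "\n";
echo "alice / wrong password:  ", var_export(check_login($db, 'alice.b', 'wrong'), true), "\n";
echo "injection-style name:    ", var_export(check_login($db, "' OR 1=1 --", 'anything'), true), "\n";
```

Two points the example is built around: validation rejects the injection-style username because of the length and character policy, but the query would be safe even if it did not, because the value travels as a bound parameter; and nothing in the validator depends on the browser having run any JavaScript, since everything in $_POST, including a hidden field, is supplied by the client.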
2

Yes, you should validate both client-side (JS) and server-side (PHP).

Do so on the client for convenience for your user and for a better user experience.

Do so on the server to prevent a malicious attack, or, as you stated, in case your user has JS disabled.


2

You should always perform server-side validation. There is no guarantee that client-side validation (such as JavaScript validation) cannot be defeated. It's a simple exercise to grab a debugging tool (and many are built into browsers nowadays) and circumvent JavaScript validation.

Typically there is nothing wrong with doing validation in both places, in JavaScript and PHP; it is even recommended.


1

Checking both ways is fine and definitely recommended. If you wanted to avoid checking with PHP when JavaScript is enabled, you could append a hidden field to the form and check for this with PHP.

E.g.

    if (!isset($_POST['js_hidden_field'])) {
        // Run validation
    }

So you check for the hidden field; if it's not set, then run the PHP validation.

1 Comment

As it is recommended, I will do the checking in both of them (as you all suggest), but thank you for this solution. :)
1

This is actually good; you can never do too much validation in my opinion. Client-side scripting can be manipulated by anyone with web development experience, but server-side scripting cannot.

Client-side scripting validation pros:

  • Alerts the user before submitting data, allowing them to correct themselves
  • Makes your site look a little more sophisticated

Server-side validation pros:

  • No one can change any validation rules you have
  • They cannot turn off server-side validation

In short, doing both is good, it's actually better than just doing one or the other.
