Is JavaScript enabled ?

Stinger51

I know there is a way in PHP to detect this.

I want to build a two-tiered validation process. The first tier will use JScripting for client side validation (the most efficient way).

The second tier, if JS is disabled, will use PHP and server side validation.

So what's the magic code for detecting whether the user has JS enabled / disabled ? It's got to be server side code, otherwise you can't run any JSscripts (if they've disabled JS) to detect if JS is disabled 😃

TNX in advance.

dannys

No, PHP can't tell if JS is supported.

If you hackup a JS form variable, and get PHP to detect that - it might work, but I couldn't tell you how to do that, off hand.

undertow

Pass $_SERVER["HTTP_USER_AGENT"] to get_browser(). There is a value returned for JavaScript support. Presumably this is not 100% surefire but it looks pretty good.

dannys

That just tells you if the browser is capable of supporting JS - it won't tell you if the client currently has it disabled.

Stinger51

That makes sense. I thought some environment (global) variable would tell me this, and more. So there is no HTTP variable that will tell me whether they have JS turned on? Again, that makes sense for security reasons.

I've even thought of posting this question over on a JS forum. But that makes even less sense, now that I think about it. If JS is turned off, then how would it even run the script ?!

Still, you would think (the way advertisers are checking us all out these days) that you could send someone a cookie and grab this JS status from their machine. Don't want to sound like a hacker here, but aren't we all at heart? :eek:

undertow

All of the JavaScript on my site would be used based on whether the user said they wanted to use JS when they sign in. This way the page could be tailored depending on their choice. This isn't the most efficient thing to do (because you have to somehow emulate the JS, if that's even possible, with HTML or something server-side). It is also not secure if having JavaScript is required by some important mechanism of your site (because the person could say it's on but it really isn't).

In that case, I don't know of any magic.

Weedpacket

One thing you could do is have an onload= handler that sets a hidden form field which is checked by the validation script. If the field is set when the form arrives, then (allegedly) Javascript is enabled (otherwie the onload handler wouldn't have fired). I say "allegedly" because there's nothing stopping the user from filling the field in by hand.

Ultimately, though, why bother checking? Apply the concept of "defence in depth" and do the validation on the client and on the server as a backup. It would probably be easier and certainly less error-prone than testing for Javascript enabling.

If there are validation tests that can only be done on the server (checking values against entries in a database, for example) then you would need a double-walled validation process anyway.

Stinger51

Per that hidden field, I see what you are saying. No JS enabled = no onload handler. But if the field is hidden, then how could they fill this in by hand? I don't follow you there.

I think ultimately that, yes, I should do both types of validation, as you say. I was thinking "either-or" instead of just doing both. If they have JS enabled, then that should catch any errors on the client. And, assuming everthing works properly, they will never see the server side PHP validation forms, as all input errors will have been corrected. If JS is not enabled, and they have input errors, then they WILL see my PHP validation forms.

The only downside I can see to this is that the extra PHP form will be in the loop no matter their configuration. IOW, even if there are no errors, the server must still send the form to the client for the validation check. And the idea is to put this burden on the client, not the server. But with CPU and modem speeds as fast as they are these days, does this even matter anymore? I suppose it does if you count hits against the server, however. What are your thoughts on that?

undertow

They could save the source of your PHP script's output (the HTML) and type in the hidden field in any text editor. Then, open the hacked page locally and it will be like the JavaScript code had been run.

I wouldn't worry too much about hits against the server. My server is a P100 with 64 MB of RAM and I've never had a problem. Then again, I've never been slashdotted so I wouldn't know.