PHP and client-side control security

mrfree

I made some data verify on my html form client side (using javascript) then the correct data being sends to php script.

But, if a user copy the html page on his webserver and modify my javascript controls, he can submit incorrect data to my php script!!!

There is some method to avoid this???

Thz, in advace.

planetsim

Never rely on Javascript of any form of Client Side Validation it shouldnt be trusted as its the client.

You need to put some sort of validation so e.g.

Empty Fields,
Invalid Entries e.g. Alpha characters in a numeric field

SQL Injections, XSS Security precautions. There are many things you can do

emty() for empty fields etc. Id suggest taking a look at the String Functions in the PHP Manual [man]Strings[/man]

Weedpacket

As you've realised, you can never trust anything coming from the client. You certainly can't rely on Javascript-based form validation. It's entirely laudable from a users' convenience point of view - it saves them time and saves you server load - but that's all. So even if you do use client-side validation, you have to do it on the server as well.

A good principle here is to be paranoid: instead of trying to identify invalid output and rejecting it (because sooner or later someone somewhere will think of something you didn't), reject everything that doesn't satisfy whatever criteria you come up with.