is it safe to use javascript to validate form?

eclipsevtb

is it safe to use javascript to validate forms? i can do this in php but would it be faster to use javascript?

etully

Users can turn JS off. And clever users can alter your JS.

It's perfectly safe to use JS to validate forms as a convenience to the user. But it's not safe to trust that data when it arrives at your PHP script.

Even if you use Ajax to validate the fields as the user enters them, the contents of those fields can be manipulated before they get to your PHP script.

If this is a small site that gets a handful of visitors each day, you might not have any users who are clever enough to beat your JS validation. But that's no reason to take a short cut. You should get in the habit of re-validating the data when it gets to PHP so that when you get hired to write a huge site for MTV.com with millions of visitors, you know the right way to do it so that hackers can't sneak bad data past your JS validator.

Onurphp

you can use javascript for validate forms , but you have to control datas in your PHP script.

if you want to more information about PHP and Security you can look http://phpsec.org/projects/guide/ this project.

pkak_il

eclipsevtb wrote:
is it safe to use javascript to validate forms? i can do this in php but would it be faster to use javascript?

Java script arguments are being checked at the client side. As a result, the user can download the script and modify it. In contradiction, the php arguments are translated at the server side, where a user has no access.

Good luck.

Bobulous

No, Javascript is no protection whatsoever.

A junk mailer will find a mailform (or other web form) and simply submit POST requests to the PHP script directly. The page that contains the form HTML and the Javascript won't even need to be requested each time, let alone be 'executed'.

The only way to make form submissions safe is to use your PHP code to very carefully screen every piece of data that has come from an external source, whether that external source is your own web form, a remote web page, or a remote file.

I got caught out by a junk mailer who found that my mailform had a gaping hole in it. See my page about how a PHP script can foolishly allow a mailform to be used to send spam:

Mailform abuse by header injection.

In short: Javascript is only useful to help guide users when they use your form; it is no defence at all against abuse of your script.

etully

This is a good example of why a thread should be marked "Resolved" when it's resolved. There are now Four identical responses to this question. Very curious. Nice to see that people REALLY want to help anyway. 🙂