  1. #1
    SitePoint Zealot xPox's Avatar
    Join Date
    Sep 2005
    Posts
    124

    form verification

    Are there any security reasons not to use Javascript to verify submitted forms? Would browsers with Javascript disabled just bypass the Javascript verification, so that the form will always be submitted? How does this work?

  2. #2
    Programming Since 1978 silver trophybronze trophy felgall's Avatar
    Join Date
    Sep 2005
    Location
    Sydney, NSW, Australia
    Posts
    16,863
    Javascript validation of forms is done to help the people filling out the form by giving them immediate feedback on any mistakes that they have made. The Javascript has absolutely nothing to do with security; all validation for security purposes MUST be done on the server. The Javascript obviously can't run if it is disabled or the browser doesn't support it, so in that case there is no validation done before the form is submitted. There are also ways that someone could tamper with your page to bypass the Javascript validation without disabling Javascript.

    There are two ways to do the submit button (as shown by the following two greatly abbreviated example forms).

    1. Allow the form to be submitted even without Javascript validation:
    Code:
    <form onsubmit="return validate(this)">
    <input type="submit">
    </form>
    2. Don't allow those without Javascript to submit the form at all:
    Code:
    <form name="myform">
    <input type="button" onclick="if (validate(myform)) myform.submit();">
    </form>
    Using the second of these will stop approximately 10% of your visitors (including many disabled people) from being able to submit your form. Using the first version will mean that approximately 10% of the legitimate forms you receive will not have been validated prior to submission.
    Stephen J Chapman

    javascriptexample.net, Book Reviews, follow me on Twitter
    HTML Help, CSS Help, JavaScript Help, PHP/mySQL Help, blog
    <input name="html5" type="text" required pattern="^$">

  3. #3
    SitePoint Zealot xPox's Avatar
    Question 1: I tried this method but it submits the form whether true or false is returned. Why?

    Question 2: If javascript is disabled, how can option 2 check whether or not "if validate(myform)" returns true or false?

  4. #4
    Programming Since 1978 silver trophybronze trophy felgall's Avatar
    I don't know why 1 is ignoring the value returned unless you have made a typo in the coding or have Javascript disabled.

    Option 2 does nothing at all when Javascript is disabled and therefore never submits the form in that situation regardless of what the form contains.
    Stephen J Chapman


  5. #5
    SitePoint Aficionado JVLB's Avatar
    Join Date
    Jan 2002
    Location
    N 44 56.537' W 123 3.683'
    Posts
    1,127
    Quote Originally Posted by xPox
    Question 1: I tried this method but it submits the form whether true or false is returned. Why?
    Note that both your function must return false to the onsubmit handler and the onsubmit code must look like: onsubmit="return validationFunction();" for the handler to pass the false value to the submit method and for the submission to be cancelled.
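
As an added example (not code from any poster in this thread), this is the kind of server-side check the second post says must exist whatever the browser does: it validates the raw form body as it arrives, so a submission made with Javascript disabled or with the page altered is rejected the same way. The field names, rules and the `handlePost` helper are hypothetical.

```javascript
// Server-side re-validation of a submitted form body (Node.js, no dependencies).
// Field names and rules are assumptions made for this illustration.
const RULES = {
  email:   v => v.length <= 254 && /^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(v),
  age:     v => /^\d{1,3}$/.test(v) && Number(v) >= 13 && Number(v) <= 120,
  comment: v => v.length >= 1 && v.length <= 500,
};

// Validate an application/x-www-form-urlencoded body exactly as received.
// Nothing here assumes the browser ran validate() before submitting.
function validateSubmission(rawBody) {
  const fields = new Map();
  const errors = [];
  for (const [name, value] of new URLSearchParams(rawBody)) {
    if (!Object.hasOwn(RULES, name)) errors.push(`unexpected field: ${name}`);
    else if (fields.has(name)) errors.push(`repeated field: ${name}`);
    else fields.set(name, value);
  }
  for (const [name, isValid] of Object.entries(RULES)) {
    if (!fields.has(name)) errors.push(`missing field: ${name}`);
    else if (!isValid(fields.get(name))) errors.push(`invalid value: ${name}`);
  }
  return { ok: errors.length === 0, errors, fields: Object.fromEntries(fields) };
}

// What a POST handler would answer: 400 with the error list, or 200.
function handlePost(rawBody) {
  const result = validateSubmission(rawBody);
  return result.ok
    ? { status: 200, body: "accepted" }
    : { status: 400, body: result.errors.join("; ") };
}

// Constructed sample bodies: one the client script would have passed,
// and three that only reach the server if the client check did not run.
const SAMPLES = [
  "email=a%40example.com&age=30&comment=hi",
  "email=not-an-email&age=-5&comment=",
  "email=a%40example.com",
  "email=a%40example.com&age=30&comment=hi&extra=1",
];
for (const body of SAMPLES) {
  const { status, body: text } = handlePost(body);
  console.log(status, text);
}
```

The client-side `validate()` from the posts above can stay for immediate feedback; the server decides whether the data is accepted.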

