  1. #1
    SitePoint Zealot
    Join Date
    Feb 2011
    Location
    The land of nod
    Posts
    153
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)

    Form validation for when JS is disabled Help required

    Hi all,
    I've just realised that from somebody checking out my new portfolio website and managing to submit an empty contact form, the contact form has JavaScript active, and will throw up an alert if the name category has not been completed on clicking the submit button. I completely forgot to consider the fact that when JS is disabled in the browser the form can still be submitted completely empty, so my question is the obvious one, how do I stop the form from getting sent if JS is also disabled?

    My domain is BFdesigns | Freelance Website Designer | Bromsgrove Worcestershire should anyone wish to test it for themselves.


    Thanks all

    Ben

  2. #2
    SitePoint Member
    Join Date
    Feb 2010
    Location
    Arkansas, USA
    Posts
    22
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    You need to run the validation in your PHP code as well. If it does not validate, let the user know just like you do with the redirect to the thanks page.

  3. #3
    felgall (Programming Since 1978)
    Join Date
    Sep 2005
    Location
    Sydney, NSW, Australia
    Posts
    16,869
    Mentioned
    25 Post(s)
    Tagged
    1 Thread(s)
    Any form validation done using JavaScript is there only for the convenience of the person filling out the form so as to save them having to wait until they submit the form to find out they entered everything wrong.

    The real validation of the form always needs to be done on the server as if you don't validate the data when you first receive it on the server you have no way of telling what it contains (as it need not have even come from your form).
    Stephen J Chapman

    javascriptexample.net, Book Reviews, follow me on Twitter
    HTML Help, CSS Help, JavaScript Help, PHP/mySQL Help, blog
    <input name="html5" type="text" required pattern="^$">

  4. #4
    Non-Member
    Join Date
    Apr 2011
    Location
    no fixed address
    Posts
    851
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Originally posted by benisjamin:
        how do I stop the form from getting sent if JS is also disabled?

    Even if javascript is enabled, you still must do server side validation to protect your data and its integrity.

    Someone can easily just view the html source and get the url of the form processing script from the form's action attribute. They can then send whatever data they like to the form processing script, as a GET or POST, without even opening the page containing the html form.

    Bottom line: always do server side validation. Client side validation (javascript) is optional.

  5. #5
    SitePoint Zealot
    Join Date
    Feb 2011
    Location
    The land of nod
    Posts
    153
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Hi guys,
    Just sorted the issue and now put in place the following, which now stops the user from submitting the form when JS has been disabled: (domain to try out for yourself and prove me wrong is www.bfdesigns.co.uk )

    PHP Code:
    /* Redirects the user to the error page if JS is disabled and the form is submitted */
    if (empty($firstname)) {
        header('Location: error.html');
        exit();
    } else {
        /* Redirects the visitor to the thanks page */
        header('Location: thanks.htm');
        exit();
    }


  6. #6
    paul_wilkins (Unobtrusively zen)
    Join Date
    Jan 2007
    Location
    Christchurch, New Zealand
    Posts
    14,729
    Mentioned
    104 Post(s)
    Tagged
    4 Thread(s)
    Originally posted by benisjamin:
        Just sorted the issue and now put in place the following, which now stops the user from submitting the form when JS has been disabled: (domain to try out for yourself and prove me wrong is www.bfdesigns.co.uk )

        PHP Code:
        /* Redirects the user to the error page if JS is disabled and the form is submitted */
        if (empty($firstname)) {
            header('Location: error.html');
            exit();
        } else {
            /* Redirects the visitor to the thanks page */
            header('Location: thanks.htm');
            exit();
        }

    What if something other than the first name is missed out?
    Server-side validation MUST be mandatory, and client-side validation SHOULD be used too.

    First and foremost has to be the server-side PHP validation. Without that, people can cause any strange types of things to happen with your server-side script.
    Programming Group Advisor
    Reference: JavaScript, Quirksmode Validate: HTML Validation, JSLint
    Car is to Carpet as Java is to JavaScript

  7. #7
    SitePoint Zealot
    Join Date
    Feb 2011
    Location
    The land of nod
    Posts
    153
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Hi Paul,

    I'm getting somewhat confused as to what level of security regarding validation of specific fields in contact forms I should be implementing.

    As a minimum, with my simple contact form, what validation checks should be put in place in order to not receive spam or abuse from a naughty hacker?

    I look forward to hearing from you on this matter or anybody else should they wish to chip in.
    Last edited by benisjamin; Sep 14, 2011 at 00:59. Reason: grammmmmmer

  8. #8
    paul_wilkins (Unobtrusively zen)
    Join Date
    Jan 2007
    Location
    Christchurch, New Zealand
    Posts
    14,729
    Mentioned
    104 Post(s)
    Tagged
    4 Thread(s)
    Originally posted by benisjamin:
        I'm getting somewhat confused as to what level of security regarding validation of specific fields in contact forms I should be implementing.

        As a minimum, with my simple contact form, what validation checks should be put in place in order to not receive spam or abuse from a naughty hacker?

    Nothing can stop all spam or abuse, but you can make it more difficult for automatic abuse to occur.

    At a minimum, you should ensure that required values are present, and that values are within range of how they're going to be stored. That means that the inputs need to be sanitized, and then validated. You can read more about this side of things in the PHP tips article about Handling Input and Output.

    To deal with spammers, there are some easy Captchas (Completely Automatic Public Turing test to tell Computers and Humans Apart).
    One of my favorites is reCaptcha.
    Programming Group Advisor
    Reference: JavaScript, Quirksmode Validate: HTML Validation, JSLint
    Car is to Carpet as Java is to JavaScript
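
Added example (not part of the thread and not any poster's code): a server-side check along the lines the replies above describe, where every required field is tested rather than only the first name, and values are trimmed and length-checked before they are validated. The field names `email` and `message` and the length limits are assumptions; `firstname`, `error.html` and `thanks.htm` come from the posted snippet.

```php
<?php
// Added example; fields other than "firstname" and all limits are assumed.
function validate_contact(array $post): array
{
    // field => [required, max length in bytes, single line only]
    $rules = [
        'firstname' => [true, 60, true],
        'email'     => [true, 254, true],
        'message'   => [true, 2000, false],
    ];
    $clean = [];
    $errors = [];
    foreach ($rules as $field => [$required, $max, $singleLine]) {
        $raw = $post[$field] ?? '';
        // firstname[]=x arrives as an array; treat non-strings as missing.
        $value = is_string($raw) ? trim($raw) : '';
        if ($value === '') {
            if ($required) {
                $errors[$field] = 'required';
            }
        } elseif (strlen($value) > $max) {
            $errors[$field] = 'too long';
        } elseif ($singleLine && preg_match('/[\r\n]/', $value)) {
            // Line breaks in a single-line field have no legitimate use.
            $errors[$field] = 'unexpected line break';
        } elseif ($field === 'email'
            && filter_var($value, FILTER_VALIDATE_EMAIL) === false) {
            $errors[$field] = 'not a valid address';
        }
        $clean[$field] = $value;
    }
    return [$clean, $errors];
}

// Runs for every request, whether or not the browser ran any JavaScript.
if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    [$clean, $errors] = validate_contact($_POST);
    if ($errors) {
        header('Location: error.html');
        exit();
    }
    // Only validated values in $clean are passed on to the mail step.
    header('Location: thanks.htm');
    exit();
}
```

Because the check reads `$_POST` directly, it also covers requests sent straight to the form's action URL without loading the page.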

  9. #9
    SitePoint Zealot
    Join Date
    Feb 2011
    Location
    The land of nod
    Posts
    153
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Hi Paul,

    Thank you for your wise tips.

    I must admit I'm not a fan of reCaptcha as I do sometimes struggle to read the words you have to type in whenever I come across these on sites.
    From that I try to put myself in the shoes of an everyday user, who probably wouldn't stick around to submit a form and move on to the next site.

    Going slightly off topic, I know from previous posts you have replied to, you are a bit of a whizz with the old Palavascript :-), so can you possibly recommend any up-to-date books for beginners on JS and/or PHP, I have bought the latest JavaScript and Ajax for Dummies by Andy Harris, but I need more? :-)

  10. #10
    chris.upjohn (SitePoint Wizard)
    Join Date
    Apr 2010
    Location
    Melbourne, AU
    Posts
    2,197
    Mentioned
    17 Post(s)
    Tagged
    1 Thread(s)
    Another layer of protection you can use is an API that checks through all the currently logged spams and bots in the world, which is updated daily. A friend and I made a mod for this and so far it has proven to be a 100% success against fighting spammers and bots.

    http://www.stopforumspam.com/

