  1. #1
    SitePoint Zealot
    Join Date
    Feb 2011
    Location
    The land of nod
    Posts
    153
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)

    Form validation for when JS is disabled Help required

    Hi all,
    I've just realised that from somebody checking out my new portfolio website and managing to submit an empty contact form, the contact form has JavaScript active, and will throw up an alert if the name category has not been completed on clicking the submit button. I completely forgot to consider the fact that when JS is disabled in the browser the form can still be submitted completely empty, so my question is the obvious one: how do I stop the form from getting sent if JS is also disabled?

    My domain is BFdesigns | Freelance Website Designer | Bromsgrove Worcestershire should anyone wish to test it for themselves.


    Thanks all

    Ben

  2. #2
    SitePoint Member
    Join Date
    Feb 2010
    Location
    Arkansas, USA
    Posts
    22
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    You need to run the validation in your PHP code as well. If it does not validate, let the user know just like you do with the redirect to the thanks page.

  3. #3
    Programming Since 1978 silver trophybronze trophy felgall's Avatar
    Join Date
    Sep 2005
    Location
    Sydney, NSW, Australia
    Posts
    16,784
    Mentioned
    25 Post(s)
    Tagged
    1 Thread(s)
    Any form validation done using JavaScript is there only for the convenience of the person filling out the form so as to save them having to wait until they submit the form to find out they entered everything wrong.

    The real validation of the form always needs to be done on the server as if you don't validate the data when you first receive it on the server you have no way of telling what it contains (as it need not have even come from your form).
    Stephen J Chapman

    javascriptexample.net, Book Reviews, follow me on Twitter
    HTML Help, CSS Help, JavaScript Help, PHP/mySQL Help, blog
    <input name="html5" type="text" required pattern="^$">

  4. #4
    Non-Member
    Join Date
    Apr 2011
    Location
    no fixed address
    Posts
    851
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Originally posted by benisjamin:
    how do I stop the form from getting sent if JS is also disabled?
    Even if javascript is enabled, you still must do server side validation to protect your data and its integrity.

    Someone can easily just view the html source and get the url of the form processing script from the form's action attribute. They can then send whatever data they like to the form processing script, as a GET or POST, without even opening the page containing the html form.

    Bottom line: always do server side validation. Client side validation (javascript) is optional.

  5. #5
    SitePoint Zealot
    Join Date
    Feb 2011
    Location
    The land of nod
    Posts
    153
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Hi guys,
    Just sorted the issue and now put in place the following, which now stops the user from submitting the form when JS has been disabled: (domain to try out for yourself and prove me wrong is www.bfdesigns.co.uk )

    PHP Code:
    /* Redirects the user to the error page if JS is disabled and the form is submitted */
    if (empty($firstname)) {
        header('Location: error.html');
        exit();
    } else {
        /* Redirects the visitor to the thanks page */
        header('Location: thanks.htm');
        exit();
    }


  6. #6
    Unobtrusively zen silver trophybronze trophy
    paul_wilkins's Avatar
    Join Date
    Jan 2007
    Location
    Christchurch, New Zealand
    Posts
    14,676
    Mentioned
    99 Post(s)
    Tagged
    4 Thread(s)
    Originally posted by benisjamin:
    Just sorted the issue and now put in place the following, which now stops the user from submitting the form when JS has been disabled: (domain to try out for yourself and prove me wrong is www.bfdesigns.co.uk )

    PHP Code:
    /* Redirects the user to the error page if JS is disabled and the form is submitted */
    if (empty($firstname)) {
        header('Location: error.html');
        exit();
    } else {
        /* Redirects the visitor to the thanks page */
        header('Location: thanks.htm');
        exit();
    }

    What if something other than the first name is missed out?
    Server-side validation MUST be mandatory, and client-side validation SHOULD be used too.

    First and foremost has to be the server-side PHP validation. Without that, people can cause any strange types of things to happen with your server-side script.
    Programming Group Advisor
    Reference: JavaScript, Quirksmode Validate: HTML Validation, JSLint
    Car is to Carpet as Java is to JavaScript

  7. #7
    SitePoint Zealot
    Join Date
    Feb 2011
    Location
    The land of nod
    Posts
    153
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Hi Paul,

    I'm getting somewhat confused as to what level of security regarding validation of specific fields in contact forms I should be implementing.

    As a minimum, with my simple contact form, what validation checks should be put in place in order to not receive spam or abuse from a naughty hacker?

    I look forward to hearing from you on this matter or anybody else should they wish to chip in.
    Last edited by benisjamin; Sep 14, 2011 at 00:59. Reason: grammmmmmer

  8. #8
    Unobtrusively zen silver trophybronze trophy
    paul_wilkins's Avatar
    Join Date
    Jan 2007
    Location
    Christchurch, New Zealand
    Posts
    14,676
    Mentioned
    99 Post(s)
    Tagged
    4 Thread(s)
    Originally posted by benisjamin:
    I'm getting somewhat confused as to what level of security regarding validation of specific fields in contact forms I should be implementing.

    As a minimum, with my simple contact form, what validation checks should be put in place in order to not receive spam or abuse from a naughty hacker?
    Nothing can stop all spam or abuse, but you can make it more difficult for automatic abuse to occur.

    At a minimum, you should ensure that required values are present, and that values are within range of how they're going to be stored. That means that the inputs need to be sanitized, and then validated. You can read more about this side of things in the PHP tips article about Handling Input and Output

    To deal with spammers, there are some easy CAPTCHAs (Completely Automatic Public Turing test to tell Computers and Humans Apart).
    One of my favorites is reCaptcha.
    Programming Group Advisor
    Reference: JavaScript, Quirksmode Validate: HTML Validation, JSLint
    Car is to Carpet as Java is to JavaScript
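
Added example, not code from the thread: server-side validation along the lines described above (required values present, lengths within range, input normalised before it is checked), ending in the same redirects to error.html and thanks.htm. The field names `email` and `message` and the length limits are assumptions; only `firstname` appears in the thread.

```php
<?php
// Added example. Assumed: the "email" and "message" field names and the limits.
declare(strict_types=1);

/** Validate a contact-form submission. Returns [clean values, errors]. */
function validate_contact(array $post): array
{
    // Required fields and their maximum length in bytes (assumed limits).
    $rules  = ['firstname' => 60, 'email' => 254, 'message' => 2000];
    $clean  = [];
    $errors = [];

    foreach ($rules as $field => $max) {
        $value = $post[$field] ?? '';
        if (!is_string($value)) {
            // A request can send firstname[]=x, which arrives as an array.
            $errors[$field] = 'invalid type';
            continue;
        }
        $value = trim($value);
        if ($value === '') {
            $errors[$field] = 'required';
        } elseif (strlen($value) > $max) {
            $errors[$field] = 'too long';
        } elseif ($field !== 'message' && preg_match('/[\r\n]/', $value)) {
            // Single-line fields may be placed in mail headers: no line breaks.
            $errors[$field] = 'line breaks not allowed';
        }
        $clean[$field] = $value;
    }

    if (!isset($errors['email'])
        && filter_var($clean['email'], FILTER_VALIDATE_EMAIL) === false) {
        $errors['email'] = 'not a valid address';
    }
    return [$clean, $errors];
}

// The check runs on every POST, whether or not it came from the HTML form.
if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    [$clean, $errors] = validate_contact($_POST);
    if ($errors) {
        header('Location: error.html');
        exit();
    }
    // The mail would be built here from $clean only, never from raw $_POST.
    header('Location: thanks.htm');
    exit();
}
```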

  9. #9
    SitePoint Zealot
    Join Date
    Feb 2011
    Location
    The land of nod
    Posts
    153
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Hi Paul,

    Thank you for your wise tips.

    I must admit I'm not a fan of reCaptcha as I do sometimes struggle to read the words you have to type in whenever I come across these on sites.
    From that I try to put myself in the shoes of an everyday user, who probably wouldn't stick around to submit a form and move on to the next site.

    Going slightly off topic, I know from previous posts you have replied to, you are a bit of a whizz with the old Palavascript :-), so can you possibly recommend any up-to-date books for beginners on JS and/or PHP? I have bought the latest JavaScript and Ajax for Dummies by Andy Harris, but I need more? :-)

  10. #10
    SitePoint Wizard bronze trophy chris.upjohn's Avatar
    Join Date
    Apr 2010
    Location
    Melbourne, AU
    Posts
    2,189
    Mentioned
    17 Post(s)
    Tagged
    1 Thread(s)
    Another layer of protection you can use is an API that checks through all the currently logged spams and bots in the world, which is updated daily. A friend and I made a mod for this and so far it has proven to be a 100% success against fighting spammers and bots.

    http://www.stopforumspam.com/

  11. #11
    Unobtrusively zen silver trophybronze trophy
    paul_wilkins's Avatar
    Join Date
    Jan 2007
    Location
    Christchurch, New Zealand
    Posts
    14,676
    Mentioned
    99 Post(s)
    Tagged
    4 Thread(s)
    Originally posted by benisjamin:
    Going slightly off topic, I know from previous posts you have replied to, you are a bit of a whizz with the old Palavascript :-), so can you possibly recommend any up-to-date books for beginners on JS and/or PHP? I have bought the latest JavaScript and Ajax for Dummies by Andy Harris, but I need more? :-)
    You're in luck then, for we have a sticky thread that's called JavaScript Books Help

    For example, check out our very own Simply JavaScript, Jeremy Keith's DOM Scripting book, or his Bulletproof AJAX book, or David Flanagan's book, JavaScript: The Good Parts

    For more in-depth material, I also highly recommend the video series from Douglas Crockford, called Crockford on JavaScript, or the book JavaScript: The Definitive Guide

  12. #12
    SitePoint Zealot
    Join Date
    Feb 2011
    Location
    The land of nod
    Posts
    153
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Cheers to Sgtlegend for the link. Do you want all my blocked email addresses from my hotmail account? Must have close on 700 :-)

    Also thank you to Paul for the book links, will definitely make sure I go through them all and blow some hard earned cash.

    This question kind of goes to anybody and everybody: should I tackle JavaScript and get that under my belt before I start on PHP? Or should I do both at the same time, will the one help me to understand the other?

    I'm in need of grasping the basics of both as quickly as possible.

  13. #13
    Unobtrusively zen silver trophybronze trophy
    paul_wilkins's Avatar
    Join Date
    Jan 2007
    Location
    Christchurch, New Zealand
    Posts
    14,676
    Mentioned
    99 Post(s)
    Tagged
    4 Thread(s)
    You would be better off learning about PHP first. When it comes to computer security, server-side security is vitally important, compared with JavaScript which is primarily for providing an improved experience for the user.

    There's no point focusing on JavaScript first if you've left the server insecure and wide open to exploitation. So my advice is PHP first, and then JavaScript.

    Even better might be to employ someone to do parts of the job for you who already knows about what dangers to protect against, but that's a different topic.

  14. #14
    Non-Member
    Join Date
    Apr 2011
    Location
    no fixed address
    Posts
    851
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Originally posted by benisjamin:
    This question kind of goes to anybody and everybody: should I tackle JavaScript and get that under my belt before I start on PHP? Or should I do both at the same time, will the one help me to understand the other?
    Since in this case you have an instant need for server-side processing, I agree with paul_wilkins and you should tackle learning PHP first, since JavaScript validation is optional, but obviously advisable from a UX point of view.

    But if you were learning website development without a particular project to work on at the same time then I would suggest learning javascript first before php in order to make your web pages interactive and/or functional without having to submit data or to actually redirect to another url. Then when you have a reasonable grasp of html, css and javascript, you could tackle learning php.

