Hey all,
I’m new to server-side validation. Can you use javascript as a server-side validator AND a client-side validator? What if the user has javascript turned off? Can they bypass the server-side validation?
You might be able to use node.js for server-side validation, but don’t quote me on that… I’ve never actually tried to use node.js.
Meanwhile, I highly recommend using a server-side scripting form of validation (PHP, ASP, ColdFusion) in addition to client-side validation. The client-side validation helps cut down on bandwidth usage and server CPU use; then use the server-side validation for those who disable JavaScript. Just my $0.02 worth.
It’s not the best practice.
What if the user has javascript turned off? Can they bypass the server-side validation?
Bingo. Javascript can always be manipulated and/or bypassed on the client side. Server-side validation can’t be bypassed by the client.
Javascript validation is primarily for the user’s benefit and convenience.
Thanks for your response. I expect that the user can bypass client-side if they have javascript turned off, but that’s why we have server-side validation. When we speak of “Javascript”, are we also talking about AJAX? So, do client-side validation with jquery and then the server stuff with AJAX? Is that a good workflow?
ANYTHING Javascript (jQuery and AJAX included) is client-side. If JavaScript is disabled, jQuery (a JavaScript library) and AJAX are disabled.
Server-side solutions are numerous, but it means learning a new development language (ASP, JSP, PHP, ColdFusion, etc.)
Best practice is to use both server-side and client-side. And while jQuery is decent validation, I much prefer to write my own validation scripts. Much more granular control, IMHO.
jQuery is written in Javascript, so if it has been turned off or is a browser that does not understand JavaScript or doesn’t use JavaScript then your validation is stuffed.
The most you should be doing client side is to have fields checked to ensure that you are looking for a specific set of data, that is all.
AJAX is JavaScript, so it will need JavaScript to be enabled on the client’s machine to use.
Server-Side scripts are generally PHP, any validation should be done at the server using a specific script to reject a page if anything hinkey is going off.
When using a server-side script to validate, use a whitelist of fields you expect; if you find that you have for example 8 fields in a 6 field form, then it’s likely the server is being given data from a client that is up to no good.
If you can, implement a secure page policy by writing in at least two fields, one being a hash that can be reconstructed at the server as a check and a dummy field that is not to have any data in it, is readonly and should be empty when checked at the server.
So here is a quick direction pointer…
<?php
// Page issue
$salt = md5( base64_encode("my_top_secret_string_as_a_security_string") . $_SERVER['REMOTE_ADDR']);
$url = base64_encode( time() );
?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>Untitled Document</title>
</head>
<body>
<form name="dvd" method="post" action="process.php?q=<?php echo $url;?>" enctype="multipart/form-data" >
<input name="pageid" type="hidden" value="<?php echo $salt;?>" readonly />
<input name="userlogin" type="hidden" value="" readonly />
<input name="email" type="text" value="" />
<input name="check" type="password" value="" />
<input name="submit" type="submit" value="Submit" />
</form>
</body>
</html>
Will produce a page like
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>Untitled Document</title>
</head>
<body>
<form name="dvd" method="post" action="process.php?q=MTM5NTUxMzYzOA==" enctype="multipart/form-data" >
<input name="pageid" type="hidden" value="2f600fe1f16b6093fbf2fea2d33729a4" readonly />
<input name="userlogin" type="hidden" value="" readonly />
<input name="email" type="text" value="" />
<input name="check" type="password" value="" />
<input name="submit" type="submit" value="Submit" />
</form>
</body>
</html>
Which will give you as part of the data to the processing script some information about who the page was issued to and what time the page was issued. All your receiving script needs to know is how to create the hash string to check that the hashes match and then test the query string to see if too much time has passed.
Not many situations exist where a user’s IP address changes, so the risk of not being accessible is minimal.
Golden rule of validation, if in doubt, reject.
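As an added example (not the poster’s code), here is what the receiving process.php for the form above could look like when it applies the checks described: exact field whitelist, empty dummy field, hash reconstruction with the same secret and REMOTE_ADDR recipe, and an age limit on the issue time carried in the query string. The field list, MAX_AGE and the rejection handling are assumptions for this example.

```php
<?php
// process.php (added example): server-side checks for the issued form above.
// Assumes the same secret string and hash recipe as the issuing page.
declare(strict_types=1);

const SECRET          = "my_top_secret_string_as_a_security_string";
const MAX_AGE         = 600; // seconds an issued page stays valid (assumed)
const EXPECTED_FIELDS = ['pageid', 'userlogin', 'email', 'check', 'submit'];

function reject(string $reason): void {
    http_response_code(400);
    error_log("form rejected: $reason from " . ($_SERVER['REMOTE_ADDR'] ?? '?'));
    exit("Request rejected.");
}

// 1. Whitelist: the submitted field names must be exactly the expected set.
$submitted = array_keys($_POST);
$expected  = EXPECTED_FIELDS;
sort($submitted);
sort($expected);
if ($submitted !== $expected) {
    reject('unexpected field set');
}

// 2. The dummy (readonly, hidden) field must still be empty.
if ($_POST['userlogin'] !== '') {
    reject('dummy field populated');
}

// 3. Reconstruct the page hash exactly as issued and compare in constant time.
$expectedHash = md5(base64_encode(SECRET) . $_SERVER['REMOTE_ADDR']);
if (!is_string($_POST['pageid']) || !hash_equals($expectedHash, $_POST['pageid'])) {
    reject('page hash mismatch');
}

// 4. Decode the issue time from ?q= and enforce the age limit.
$issued = base64_decode((string) ($_GET['q'] ?? ''), true);
if ($issued === false || !ctype_digit($issued)) {
    reject('malformed issue time');
}
$age = time() - (int) $issued;
if ($age < 0 || $age > MAX_AGE) {
    reject('page expired');
}

// 5. Only now validate the actual user input (example: the e-mail field).
$email = filter_var($_POST['email'], FILTER_VALIDATE_EMAIL);
if ($email === false) {
    reject('invalid e-mail address');
}
echo "Accepted."; // continue processing with $email and $_POST['check']
```

Every rejection is logged with the reason and the client address, so a run of "unexpected field set" or "page hash mismatch" entries from one source stands out in the server log.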