Question about when to validate server side when post form data with ajax

Sort of a hybrid js / php question…

So I had a PHP page that posted form data to itself. On submit, I validated with js and there was server side validation too. Everything was fine. Then I was asked to post the data to an ajax page instead. Now I’m confused as to where and when to validate with javascript and server side code.

Right now, I validate with javascript before actually sending the data to the ajax/PHP page, and on that PHP page I do server side validation. But, if javascript is turned off, shouldn’t I still have the form post to the same page and also have PHP validation there? But then I have PHP validation code in 2 places?

I’m confused.

Thanks for your help.

You should always validate server side otherwise someone can carefully craft a bogus web page to circumvent your security. Javascript validation is only to make the user experience a smoother and more responsive one. It’s not a substitute.

of course.

My question is more about where to put your server side validation when you submit a form to a PHP page via ajax.

If I put in that ajaxed PHP page and in the same .php file as the form ( in case js is off ) then I have server side validation code in 2 different spots / double code.

So where do you put server side validation code when you submit form data via ajax?

The same place.

Use a class to handle the action, i.e. create account, edit something etc. and keep the validation inside the class. That way you just initiate the class both locations and pass along the content, either by a normal form or by ajax.

You should have a separate validation class that handles only validation. This way you have some reusable code and you are not over complicating your PHP code that handles the AJAX call with unrelated logic. For example if you have an AJAX call to, like TheRedDevil suggested, create an account you want the PHP script that handles the account creation to only handle the account creation, this way your methods only have one purpose and it will make your code a lot cleaner, scalable and testable.
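One way to keep the server side validation in a single place, along the lines TheRedDevil and the reply above suggest: an added example, not code from this thread. The `AccountValidator` class, the field names, and the way the script tells an AJAX request apart from a normal form post (the `X-Requested-With` or `Accept` header) are assumptions; both the plain form and the JS path POST to this one file.

```php
<?php
// Added example (not from the thread): one validator class shared by both
// entry points. Names (AccountValidator, the field names) are assumptions.
declare(strict_types=1);
final class AccountValidator
{
    /** @return array<string,string> field => error message; empty means valid */
    public function validate(array $input): array
    {
        $errors = [];
        $username = trim((string)($input['username'] ?? ''));
        // Whitelist the character set and length instead of escaping afterwards
        if (!preg_match('/^[a-z0-9_]{3,20}$/i', $username)) {
            $errors['username'] = '3-20 letters, digits or underscores';
        }
        $email = (string)($input['email'] ?? '');
        if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
            $errors['email'] = 'not a valid email address';
        }
        $age = filter_var($input['age'] ?? null, FILTER_VALIDATE_INT,
            ['options' => ['min_range' => 13, 'max_range' => 120]]);
        if ($age === false) {
            $errors['age'] = 'must be a whole number between 13 and 120';
        }
        return $errors;
    }
}
// Single handler: the browser form (JS off) and the AJAX call (JS on)
// both POST here, and both go through the same validator.
$validator = new AccountValidator();
$errors = $validator->validate($_POST);
$wantsJson = ($_SERVER['HTTP_X_REQUESTED_WITH'] ?? '') === 'XMLHttpRequest'
    || str_contains($_SERVER['HTTP_ACCEPT'] ?? '', 'application/json'); // PHP 8
if ($wantsJson) {
    // JS path: the client just inspects this response instead of re-implementing rules
    header('Content-Type: application/json');
    echo json_encode(['ok' => $errors === [], 'errors' => $errors]);
    exit;
}
if ($errors !== []) {
    // JS-off path: re-render messages (escaping here is for HTML output, not validation)
    foreach ($errors as $field => $msg) {
        echo '<p>' . htmlspecialchars("$field: $msg", ENT_QUOTES, 'UTF-8') . '</p>';
    }
    exit;
}
// Valid: insert with a prepared statement, then redirect (post/redirect/get)
header('Location: /account/created');
```

Because the JSON branch returns the same error list the HTML branch renders, the browser-side script can simply display what the server says rather than carrying a second copy of the rules.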

ok thanks. so I should instantiate my validation class in 2 places?

both the ajax page before data is inserted to the database, and in the same .php file as the form so in case javascript is off and form submits to self, there is still validation?

I would do it just the once, before the data is inserted into the database. If for whatever reason javascript is turned off then nothing should happen or an error should be displayed. I wouldn’t worry about that too much anyway, I doubt many people have javascript turned off these days because most websites need it to function.

Only badly written web sites.

Also there are plenty of people who deliberately turn JavaScript off because of all the broken scripts out there that prevent the web page they are on from working properly unless JavaScript is disabled.

More of the web works with JavaScript turned off than works with JavaScript turned on. Fortunately modern browsers allow you to turn it on and off automatically on a site by site basis.

Really? I have never been on a website that had a script error that broke the site. Even if I did I would never visit that site again.

So you’ve never visited a Google site? The JavaScript they use is atrocious and broken in most browsers. If Google sites work for you then you must be using one of the two or three browsers they tested with and have all your browser configuration set to exactly match what they tested with.

The Google JavaScript is so badly written that I have JavaScript turned off for most Google sites. Search works better without JavaScript. AdSense works with JavaScript (one of the few that do). GMail is broken either way. Google+ works either way provided that the browser spoofs a Chrome useragent.

Just a hunch, but I think Google’s sites work for the vast majority of people. Can you elaborate on what browser and version you’re using and what issue you encounter?

Sorry everyone, the way I’m laying out this form submission flow just feels dirty…

for javascript off:

  • the form submits to self and there is server side validation before inserting to the database - no issues here.

for javascript on:

  • javascript first validates the data and if it’s ok, then sends the data via ajax to a php page where I have identical server side validation as in the js off version.

so is it normal to validate server side in 2 places like this to compensate for js on and off?

It’s normal, yes, but just like you, many people don’t like having to maintain the same validation logic in two places. One way people have gotten around that is to use ajax to submit the form behind the scenes and check the server’s response. This way, your JS is deferring the validation logic to the server.

Internet Explorer 8, 9, 10, 11, Firefox (latest version), Opera 12 & 19 and Chrome (latest version)

Mostly the Google sites say that my browser isn’t supported because their sites use JavaScript that is so out of date that it was considered obsolete in Netscape 3 and so as soon as you start using the options the browser makes available for modifying how the browser works their code no longer recognises the browser…

Those all work for me*, and for seemingly everyone else too. Can you get more specific? Can you describe a reproducible scenario?

* Except I can’t vouch for Opera, which I haven’t tried

ok, thanks.

last question with js on, i validate with js, then how would my server side validation ever fail? isn’t client side validation and using mysql_real_escape_string() enough?

Nope, because malicious users can bypass JS. Sometimes easily by just turning it off in the browser. Or sometimes they write a little script that lets them have full control over every part of the HTTP request. Your server side code can’t make any assumptions about the data it’s receiving. A malicious user could literally send any random data they want.

If a legitimate user uses your site in a legitimate way, then you’re right, your server side validation will likely never fail. It’s the illegitimate users you have to worry about. :wink:
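To make the point above concrete, here is an added example (not from the thread) of what the server actually sees when the JavaScript check did not run, and why escaping is not a substitute for validation. The request bodies are constructed samples, `addslashes()` stands in for `mysql_real_escape_string()` because there is no database connection in the example, and the field rules are assumptions.

```php
<?php
// Added example, not code from the thread. A request that skipped the JS
// (JS off, or a hand-built HTTP request) still arrives in $_POST. Escaping
// only protects SQL syntax; it never decides whether a value is acceptable.
declare(strict_types=1);

// Constructed raw form bodies as they would arrive. The second and third would
// never leave a browser whose JS validation ran; the server sees them anyway.
$rawBodies = [
    'from_js_path'  => 'username=alice&email=alice%40example.com&age=30',
    'js_bypassed'   => 'username=bob&email=not-an-email&age=-5',
    'oversized'     => 'username=' . str_repeat('x', 5000) . '&email=c%40example.com&age=20',
    'quote_in_name' => "username=d'oh&email=d%40example.com&age=25",
];

// Escaping: may change the bytes of a value, but accepts every request.
function escape_accepts(array $post): bool
{
    foreach ($post as $v) {
        addslashes((string)$v);   // stand-in for mysql_real_escape_string()
    }
    return true;                  // nothing is ever rejected by escaping alone
}

// Validation: decides on meaning (range, format, length), regardless of what
// the client did or did not check before sending.
function validation_accepts(array $post): bool
{
    $ageOk = filter_var($post['age'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 13, 'max_range' => 120]]) !== false;
    $emailOk = filter_var($post['email'] ?? '', FILTER_VALIDATE_EMAIL) !== false;
    $nameOk = strlen((string)($post['username'] ?? '')) <= 20;
    return $ageOk && $emailOk && $nameOk;
}

foreach ($rawBodies as $label => $body) {
    parse_str($body, $post);                  // same decoding PHP applies to $_POST
    printf("%-14s escaping: %s   validation: %s\n", $label,
        escape_accepts($post) ? 'accept' : 'reject',
        validation_accepts($post) ? 'accept' : 'REJECT');
}
// A quote inside a legitimate value (d'oh) is not a validation problem; it is
// handled safely by binding parameters instead of building SQL from strings:
// $stmt = $pdo->prepare('INSERT INTO accounts (username, email, age) VALUES (?, ?, ?)');
// $stmt->execute([$post['username'], $post['email'], (int)$post['age']]);
```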

I have no idea as to why they don’t work. I can’t even remember all of the dozens of customisations that I have applied to the various browsers over the years to get them to work the way I want. I do know that all of the customisations are ones that the various browsers support via setting changes.

All of the extra JavaScript that my browsers load into every web page is written to be completely unobtrusive so that can’t be the cause.

Well, for example, I could change my browser’s default CSS rendering in a way that would probably break lots of sites. But that doesn’t mean all those other sites are to blame. When you start tweaking the browser, then you have to start accepting some of the responsibility for how it works.

Just changing the settings that the browser provides in the options/properties shouldn’t break anything though.

I agree that changing the default CSS or JavaScript makes it your responsibility if that breaks the site but as I said the JavaScript I add is unobtrusive so that it can’t be the cause.