
If I use the JavaScript submit() method to submit a form, the form will only be posted with JavaScript enabled, but I want to make sure that is actually true. So my question is, do I need to do PHP validation, because there might be some vulnerabilities I might not know about? Is that enough?

5 Answers


So my question is, do I need to do PHP validation, because there might be some vulnerabilities I might not know about?

Yes, you do. You can't blindly trust anything coming from the client, it can be entirely spoofed.

Off-the-cuff ways I could spoof what you're describing:

  • A bookmarklet that changed form values and then did the submission
  • Sending the HTTP request using curl or similar
  • Using the JavaScript console to modify values before sending

I'm sure there are others.

Here's an example of just how easy the bookmarklet is:

javascript:(function(){var f=document.forms[0],e=f&&f.elements[0];if(e){e.value="My nefarious value";f.submit();}})();

That sets the value of the first element on the first form of the page to "My nefarious value" and submits the form.


Try disabling JavaScript in your browser and do the form submission. Then you can see whether your JavaScript validations work or not, and you will understand the necessity of server-side validation.

JavaScript executes on the client side, so never rely on that. But PHP executes on the server, and it's not possible to modify PHP on the server, while JavaScript is. If you disable JS in the browser and do a form submission, you can see that none of the JavaScript code will work. But if you had written server-side validation, it would work.

Also, for your information: never trust the client.

1 Comment

I tried that, but my question is more like, if you guys know of any software or Firefox extension that could make this vulnerable to hacks.

Always ALWAYS validate any input on the back-end.

Any JS validation can be bypassed and data may be forced to be posted.

When validating input you may need to:

  • Escape special symbols in strings (using functions such as real_escape_string)
  • Cast data to a different datatype.
  • Perform some cleaning operations (trim, remove tags, etc)
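
Putting the spoofing point from the first answer together with the validation list above, here is an added example that is not from the original page or any of the answers, written in Python rather than PHP so it runs stand-alone: a small local HTTP server that applies its own rules (cast, allow-list, clean) to whatever arrives, and a client that posts values straight to it the way curl or a bookmarklet would, so no client-side JavaScript ever runs. The form fields (age, username, comment), the validation rules, the /submit path and the sample values are all assumptions constructed for this example.

```python
import json
import re
import threading
import urllib.error
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Hypothetical form with three fields; the rules below belong to the server, not the browser.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{3,20}$")
TAG_RE = re.compile(r"<[^>]*>")


def validate_form(fields):
    """Validate a parsed form (dict of field -> list of values) and return (clean, errors).

    Nothing here depends on a JavaScript validator having run on the client.
    """
    clean, errors = {}, []

    # Cast to a different datatype: age must parse as an int and sit in a sane range.
    try:
        age = int(fields.get("age", [""])[0])
    except ValueError:
        age = None
    if age is None or not 1 <= age <= 150:
        errors.append("age")
    else:
        clean["age"] = age

    # Allow-list the username instead of trying to escape every bad character.
    username = fields.get("username", [""])[0]
    if USERNAME_RE.match(username):
        clean["username"] = username
    else:
        errors.append("username")

    # Cleaning: strip tags, trim whitespace, and bound the length.
    comment = TAG_RE.sub("", fields.get("comment", [""])[0]).strip()
    if 0 < len(comment) <= 200:
        clean["comment"] = comment
    else:
        errors.append("comment")

    return clean, errors


def validate_raw_body(body):
    """Parse an application/x-www-form-urlencoded body exactly as the server receives it."""
    return validate_form(urllib.parse.parse_qs(body, keep_blank_values=True))


class FormHandler(BaseHTTPRequestHandler):
    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        body = self.rfile.read(length).decode("utf-8", errors="replace")
        clean, errors = validate_raw_body(body)
        payload = json.dumps({"accepted": clean, "errors": errors}).encode()
        self.send_response(200 if not errors else 400)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)

    def log_message(self, *args):  # keep the demo output to our own prints
        pass


def start_server():
    server = HTTPServer(("127.0.0.1", 0), FormHandler)  # port 0: pick any free port
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def spoof_submit(port, values):
    """POST the fields directly, as curl or a bookmarklet would; no client-side JS runs."""
    data = urllib.parse.urlencode(values).encode()
    req = urllib.request.Request(
        f"http://127.0.0.1:{port}/submit", data=data,
        headers={"Content-Type": "application/x-www-form-urlencoded"})
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, json.loads(resp.read())
    except urllib.error.HTTPError as err:
        return err.code, json.loads(err.read())


if __name__ == "__main__":
    server = start_server()
    port = server.server_address[1]
    # Constructed values that a browser-side validator would have blocked.
    print(spoof_submit(port, {"age": "-5", "username": "x; DROP TABLE users",
                              "comment": "<script>alert(1)</script>hi"}))
    print(spoof_submit(port, {"age": "30", "username": "alice_01", "comment": "  hello  "}))
    server.shutdown()
```

The server never sees whether submit() was called from a button, a bookmarklet or curl; it only sees a body, so the only validation that counts is the one in validate_form. The PHP equivalents of these three steps are an (int) cast or filter_var for the number, a preg_match allow-list for the username, and strip_tags/trim plus a length check for the free text, with any database write going through a prepared statement rather than string escaping.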


As far as I know, the submit() method submits the form (same as clicking the Submit button) (src: w3c), and it is not related to validation unless you write some JavaScript validation code.

Now, as you must be aware, JavaScript will only do client-side validation. So what if in some browsers JavaScript is not enabled?

So it is always the best idea to do server-side validation.

But it does not mean we should not do client-side validation:

1: Client-side validation reduces a lot of burden on the server. For example, if the user fills in wrong input in the form, he/she will be informed right away.

2: It also makes your web application more interactive.

So you should use both client-side as well as server-side validation, but never rely only on client-side.


You validate on the client side only to be more user-friendly (no need to reload the entire page) and bandwidth friendly (you save client-server round-trip for invalid data). That's pretty much it.

What really matters for the security and data integrity of your application is the server-side validation, so you must never skip that. Client-side can be skipped without anything terrible happening, but never server-side.
