
I know JS validation is for the client side and PHP validation is for the server side. A user can skip the JS validation and submit, but is that possible when I am calling the action PHP file via AJAX?

I mean I am using the following code to validate the form. As you see, I am calling postProjectAction.php in the AJAX call. If a user skips the JS/disables the JS and submits the form, the form won't be submitted because,

  1. my form has no action
  2. the form data will not be inserted or submitted to the database if postProjectAction.php is not called. When the user disables the JS, the code won't call postProjectAction.php

so there is no chance to submit the form. Is this still insecure?

HTML:

<form id="form_validation" method="POST">
</form>

JS validation:

$(document).ready(function() {
    $("#form_validation").submit(function() {
        if ($("#form_validation").valid()) {
            var data1 = $('#form_validation').serialize();
            $.ajax({
                type: "POST",
                url: "postProjectAction.php",
                data: data1,
                success: function(msg) {
                    console.log(msg);
                    $('.messagebox').hide();
                    $('#alert-message').html(msg);
                    $('.messagebox').slideDown('slow');
                }
            });
        }
        return false;
    });
});
  • Yes, consider a scenario where someone else uses this URL to spam. Commented Dec 26, 2017 at 6:16
  • Sometimes, due to a slow network connection, some JS file will not load properly, and in that case the user won't be able to submit the form. So it is better to use both client-side and server-side validation. Commented Dec 26, 2017 at 6:17
  • My rule of thumb is that almost nothing done on the front end ever involves security, because it can all be modified by the end user. If at any point you need something for security, that's when I start looking at the server side. Commented Dec 26, 2017 at 6:27
  • Simple rule: don't trust the client! Commented Dec 26, 2017 at 20:31

3 Answers

Well, PHP validations are at the server end while jQuery validations are at the front end.

So it basically depends on the need or requirements.

Bots can break front-end validations, while it is a bit difficult to break server-end validations.

Bottom line, doing server-side validation makes it more secure :)


4 Comments

Did you read " If an user skip the JS/disable the js and submit the form, form won't be submitted because, my form has no action the form data will not be inserted or submitted to the database if the postProjectAction.php is not called. when user disable the js the code won't call the postProjectAction.php"? How is it going to be insecure when there is no way to submit the form, even if the JS is broken?
Well, in the view-source of that page I can easily see the action PHP file and make a link along with the fields :)
@Riffaz But someone could look at the code, see the name of the PHP file and start sending POST data to it, ignoring all the JavaScript. Which means the answer to the OP's question about whether it is secure is no, technically it's not secure.
@Riffaz Starr: The hacker is not going to use your HTML or JS, so it doesn't matter what your HTML/JS prevents. The hacker is just going to look at your code to see what URL and variables are POSTed to your server. Then he will send the POST using other code or a tool like curl.

Yes, your form is still insecure. A user need not disable JavaScript, or even submit your form, to bypass the validation you implemented.

Your code does validation only when the form is submitted. A user can simply paste the code below into the browser console and run it to post the data without any validation.

var data1 = $('#form_validation').serialize();
$.ajax({
    type: "POST",
    url: "postProjectAction.php",
    data: data1,
    success: function(msg) {
        console.log(msg);
        $('.messagebox').hide();
        $('#alert-message').html(msg);
        $('.messagebox').slideDown('slow');
    }
});

This is just one of the many ways the validation on your form can be bypassed. It is always good practice to validate all data coming from the client on the server.


$(document).ready(function() {
    $("#form_validation").submit(function() {
        if ($("#form_validation").valid()) {
            var data1 = $('#form_validation').serialize();
            $.ajax({
                type: "POST",
                url: "postProjectAction.php",
                // serialized form string is sent under a single key, data1
                data: {data1: data1},
                success: function(msg) {
                    console.log(msg);
                    $('.messagebox').hide();
                    $('#alert-message').html(msg);
                    $('.messagebox').slideDown('slow');
                }
            });
        }
        return false;
    });
});

edit postProjectAction.php

<?php
// Refuse the request unless the expected POST fields arrived;
// 'blalbla' stands for whichever other field the form posts.
if (empty($_POST['data1']) || empty($_POST['blalbla'])) {
    header("HTTP/1.0 404 Not Found");
    exit;
} else {
    // Your actions
}

1 Comment

One thing I sometimes do to protect against some bots is to use a honeypot: a hidden input field which is left blank. If the PHP script sees it as not blank, it rejects the request, since a human would not input data into it. Even fancier is using JavaScript to hide the field after the page loads, in case a bot is smart enough to ignore hidden fields.
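As an added example (not code from the question or any answer), here is what the second answer's advice and the honeypot from the comment above look like inside postProjectAction.php itself: every check runs on the server, so skipping the jQuery validation changes nothing. The field names title and email, the honeypot name website_url, the table name and the $pdo connection are assumptions, since the original form's fields are not shown.

```php
<?php
// Added example: server-side validation for postProjectAction.php.
// Assumed field names: title, email (real fields), website_url (honeypot).

function validate_project(array $post): array
{
    $errors = [];
    $clean  = [];

    // Honeypot: a hidden, empty field a human never fills in. Anything in it
    // means the request did not come from the rendered form.
    if (isset($post['website_url']) && $post['website_url'] !== '') {
        return ['errors' => ['Request rejected'], 'data' => []];
    }

    $title = trim((string) ($post['title'] ?? ''));
    if ($title === '' || mb_strlen($title) > 100) {
        $errors[] = 'Title is required and must be at most 100 characters';
    }
    $clean['title'] = $title;

    $email = trim((string) ($post['email'] ?? ''));
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'A valid email address is required';
    }
    $clean['email'] = $email;

    return ['errors' => $errors, 'data' => $clean];
}

if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);            // only POST is meaningful here
    exit;
}

$result = validate_project($_POST);
header('Content-Type: application/json');
if ($result['errors'] !== []) {
    http_response_code(422);            // validation failed: nothing is inserted
    echo json_encode(['ok' => false, 'errors' => $result['errors']]);
    exit;
}

// Only validated data reaches the database, through a prepared statement.
// $pdo is assumed to be an already-open PDO connection (not shown).
$stmt = $pdo->prepare('INSERT INTO projects (title, email) VALUES (?, ?)');
$stmt->execute([$result['data']['title'], $result['data']['email']]);
echo json_encode(['ok' => true]);
```

The JSON error list is what the existing success callback would receive and display, so the client can keep its jQuery validation purely as a convenience for users.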
