I have a form on my site where users can make new accounts. The "submit" button on the form is not a true submit button. It's an HTML type='button'. When this is clicked I use the jQuery:
$('#form').submit(); to submit the form. If JavaScript is disabled, the form can't submit because the "submit" button is only a button and nothing happens. I was wondering if this type of security is truly secure or are there ways of still submitting this form?
- You're considering this secure? – j08691, Jan 18, 2012 at 3:24
- You don't have any security at all. Submitting a form has no special meaning. Anyone can still send you any HTTP POST or HTTP GET request they want. – Paul, Jan 18, 2012 at 3:25
3 Answers
You can still trigger the submit event by opening the console and typing
document.forms[0].submit()
Security on the client is never truly secure without help from server-side validation.
3 Comments
user400654
You could even create a new form, move the input elements from the old form to the new one you created, append to body, and submit, bypassing all submit events you could possibly define on the other form.
kirby
Are you saying the user can write his/her own HTML on top of mine?
user400654
Yes, anything you can do with HTML/CSS/JavaScript, the client can do.
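The server-side validation the answer refers to, as an added example that is not part of the original thread: a Node.js function that checks an account-creation POST the same way however it was produced. The field names, limits, `handleSignup` name and sample requests are assumptions made for illustration.

```javascript
// Added illustration. Field names, limits and handleSignup are assumptions.
const MAX_BODY_BYTES = 4096;
const RULES = {
  username: (v) => /^[A-Za-z0-9_]{3,20}$/.test(v),
  email: (v) => v.length <= 254 && /^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(v),
  password: (v) => v.length >= 12 && v.length <= 128,
};

// Check one request exactly as the server receives it. Nothing here depends
// on which button, script or tool produced the request.
function handleSignup(req) {
  if (req.method !== 'POST') return { status: 405, errors: ['method'] };
  const type = String(req.headers['content-type'] || '')
    .split(';')[0].trim().toLowerCase();
  if (type !== 'application/x-www-form-urlencoded') {
    return { status: 415, errors: ['content-type'] };
  }
  if (Buffer.byteLength(req.body, 'utf8') > MAX_BODY_BYTES) {
    return { status: 413, errors: ['body too large'] };
  }
  const params = new URLSearchParams(req.body);
  const errors = [];
  for (const [name, isValid] of Object.entries(RULES)) {
    const values = params.getAll(name);
    // Missing or repeated fields are rejected rather than guessed at.
    if (values.length !== 1) errors.push(`${name}: expected exactly one value`);
    else if (!isValid(values[0])) errors.push(`${name}: invalid`);
  }
  if (errors.length > 0) return { status: 400, errors };
  return { status: 201, errors: [], username: params.get('username') };
}

// Constructed sample requests (not captured traffic).
const headers = { 'content-type': 'application/x-www-form-urlencoded; charset=UTF-8' };
const samples = {
  complete: { method: 'POST', headers,
    body: 'username=alice_01&email=alice%40example.test&password=correct+horse+battery' },
  missingPassword: { method: 'POST', headers,
    body: 'username=alice_01&email=alice%40example.test' },
  badValues: { method: 'POST', headers,
    body: 'username=%3Cb%3E&email=nobody&password=short' },
  wrongMethod: { method: 'GET', headers, body: '' },
};

for (const [label, req] of Object.entries(samples)) {
  console.log(label, JSON.stringify(handleSignup(req)));
}
```

Only the `complete` sample is accepted; the others are rejected on the server regardless of what the page's button or scripts would have allowed.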