Do you validate your forms with javascript or php?

Hi

Newbie here. I have been working on creating a guestbook for my site as
practice and am learning a lot.
Do you guys validate your forms first on the client with javascript and
then on the server with PHP or just use one of the two and if yes which
one?
I don't want to reinvent the wheel too much.

Thanks a lot

Patrick

varois83 wrote:
> Hi
>
> Newbie here. I have been working on creating a guestbook for my site as
> practice and am learning a lot.
> Do you guys validate your forms first on the client with javascript and
> then on the server with PHP or just use one of the two and if yes which
> one?
> I don't want to reinvent the wheel too much.

Javascript + PHP, or PHP alone. Never Javascript alone.

With Javascript you avoid involving the server, so it works faster. But
all the data that gets to the server MUST be validated. All and every
remote vulnerabilities come from bad validation on the server side.

If you want to code validation only once, go for PHP.

>
> Thanks a lot
>
> Patrick
>

.oO(varois83)

>Do you guys validate your forms first on the client with javascript and
>then on the server with PHP or just use one of the two and if yes which
>one?

You can use client-side validation (JS) for convenience, so the user
gets an immediate feedback if something's wrong, but nevertheless you
_must_ validate _all_ submitted data on the server. Never trust any
incoming data.

You might also want to read this:

Javascript form validation – doing it right
http://www.xs4all.nl/~sbpoley/webmatters/formval.html

Micha

Hello,

on 01/04/2005 10:47 PM varois83 said the following:
> Newbie here. I have been working on creating a guestbook for my site as
> practice and am learning a lot.
> Do you guys validate your forms first on the client with javascript and
> then on the server with PHP or just use one of the two and if yes which
> one?
> I don't want to reinvent the wheel too much.

In that case you may want to try this forms generation and validation
class that can perform several common types of validation on the server
side and can also generate the necessary Javascript code to perform the
same types of validation can that be performed on the client site.

http://www.phpclasses.org/formsgeneration

--

Regards,
Manuel Lemos

PHP Classes - Free ready to use OOP components written in PHP
http://www.phpclasses.org/

PHP Reviews - Reviews of PHP books and other products
http://www.phpclasses.org/reviews/

Metastorage - Data object relational mapping layer generator
http://www.meta-language.net/metastorage.html

Dani CS <contusiones.merluza@yahoo.es.quita-la-merluza> writes:

> varois83 wrote:
> > Hi
> > Newbie here. I have been working on creating a guestbook for my site
> > as
> > practice and am learning a lot.
> > Do you guys validate your forms first on the client with javascript and
> > then on the server with PHP or just use one of the two and if yes which
> > one?
> > I don't want to reinvent the wheel too much.
>
> Javascript + PHP, or PHP alone. Never Javascript alone.
>
> With Javascript you avoid involving the server, so it works
> faster. But all the data that gets to the server MUST be
> validated. All and every remote vulnerabilities come from bad
> validation on the server side.
>
> If you want to code validation only once, go for PHP.
>
> > Thanks a lot
> > Patrick
> >

Do both as much as you can. I use HTML_QuickForm which automates this
to a great extent. It has most of the basic validation rules you
could want, and will automaticly run them on both sides for you.

--Zach

"varois83" <varois83@netzero.net> wrote in message
news:1104886029.589024.196510@c13g2000cwb.googlegr oups.com...
> Hi
>
> Newbie here. I have been working on creating a guestbook for my site as
> practice and am learning a lot.
> Do you guys validate your forms first on the client with javascript and
> then on the server with PHP or just use one of the two and if yes which
> one?
> I don't want to reinvent the wheel too much.
>
> Thanks a lot
>
> Patrick
>

Personally, I dislike how client-side validation is usually implemented.
That is, using alert boxes.

*** dong! ***

A good approach I think is to use Javascript to check for missing fields and
use PHP to validate what's actually entered. It's more consistent, since
there could be fields that can only be validated on the server-side (e.g.
duplicated user name). The server can also consolidate and format the error
messages better.

"Chung Leong" <chernyshevsky@hotmail.com> wrote in message
news:VLydnXNMgeHOeEDcRVn-jQ@comcast.com...
> "varois83" <varois83@netzero.net> wrote in message
> news:1104886029.589024.196510@c13g2000cwb.googlegr oups.com...
>> Hi
>>
>> Newbie here. I have been working on creating a guestbook for my site as
>> practice and am learning a lot.
>> Do you guys validate your forms first on the client with javascript and
>> then on the server with PHP or just use one of the two and if yes which
>> one?
>> I don't want to reinvent the wheel too much.
>>
>> Thanks a lot
>>
>> Patrick
>>
>
> Personally, I dislike how client-side validation is usually implemented.
> That is, using alert boxes.
>
> *** dong! ***
>
> A good approach I think is to use Javascript to check for missing fields
> and
> use PHP to validate what's actually entered. It's more consistent, since
> there could be fields that can only be validated on the server-side (e.g.
> duplicated user name). The server can also consolidate and format the
> error
> messages better.

I disagree completely. All data MUST be validated on the server (including
missing fields) regardless of any EXTRA validation performed on the client
using javascript. This prevents any checks from not being performed simply
because the client has disabled javascript.

Your remark about error messages is also rubbish as ANY message you can
create using javascript you can also create on the server. You do NOT need
javascript to create sexy error messages.

--
Tony Marston

http://www.tonymarston.net

"Tony Marston" <tony@NOSPAM.demon.co.uk> wrote in message
news:crl96r$ivg$1$8300dec7@news.demon.co.uk...
>
> "Chung Leong" <chernyshevsky@hotmail.com> wrote in message
> news:VLydnXNMgeHOeEDcRVn-jQ@comcast.com...
> > Personally, I dislike how client-side validation is usually implemented.
> > That is, using alert boxes.
> >
> > *** dong! ***
> >
> > A good approach I think is to use Javascript to check for missing fields
> > and
> > use PHP to validate what's actually entered. It's more consistent, since
> > there could be fields that can only be validated on the server-side
(e.g.
> > duplicated user name). The server can also consolidate and format the
> > error
> > messages better.
>
> I disagree completely. All data MUST be validated on the server (including
> missing fields) regardless of any EXTRA validation performed on the client
> using javascript. This prevents any checks from not being performed simply
> because the client has disabled javascript.
>
> Your remark about error messages is also rubbish as ANY message you can
> create using javascript you can also create on the server. You do NOT need
> javascript to create sexy error messages.
>

Next time when you disagree with me completely, can you at least read my
post first?

"Chung Leong" <chernyshevsky@hotmail.com> wrote in message
news:09adnfesd9w2qkPcRVn-1w@comcast.com...
> "Tony Marston" <tony@NOSPAM.demon.co.uk> wrote in message
> news:crl96r$ivg$1$8300dec7@news.demon.co.uk...
>>
>> "Chung Leong" <chernyshevsky@hotmail.com> wrote in message
>> news:VLydnXNMgeHOeEDcRVn-jQ@comcast.com...
>> > Personally, I dislike how client-side validation is usually
>> > implemented.
>> > That is, using alert boxes.
>> >
>> > *** dong! ***
>> >
>> > A good approach I think is to use Javascript to check for missing
>> > fields
>> > and
>> > use PHP to validate what's actually entered. It's more consistent,
>> > since
>> > there could be fields that can only be validated on the server-side
> (e.g.
>> > duplicated user name). The server can also consolidate and format the
>> > error
>> > messages better.
>>
>> I disagree completely. All data MUST be validated on the server
>> (including
>> missing fields) regardless of any EXTRA validation performed on the
>> client
>> using javascript. This prevents any checks from not being performed
>> simply
>> because the client has disabled javascript.
>>
>> Your remark about error messages is also rubbish as ANY message you can
>> create using javascript you can also create on the server. You do NOT
>> need
>> javascript to create sexy error messages.
>>
>
> Next time when you disagree with me completely, can you at least read my
> post first?

Your remark "A good approach I think is to use Javascript to check for
missing fields and use PHP to validate what's actually entered" implies that
you use PHP to validate what is entered and javascript to validate what is
*not* entered. My second remark was wrong as I misread what you had written
(I mentally substituted 'client' for 'server').

Tony Marston

varois83 wrote:
> Do you guys validate your forms first on the client with javascript and
> then on the server with PHP or just use one of the two and if yes which
> one?

I do both. I did only serverside when I started out (mostly because my
knowledge of JavaScript was limited, at best), but soon moved to doing
both consistently. I always keep the thought "never trust the user" in
the back of my head when I develop, so in my humble opinion, validating
with JavaScript is only for convenience in that it saves time (for the
user) and bandwidth (for the site), while validating with PHP is
required to make sure the data received is indeed valid. Allowing people
to have invalid data stored just by disabling JavaScript on their client
is too much of a risk.


Roy W. Andersen
--
ra at broadpark dot no / http://roy.netgoth.org/

"Hey! What kind of party is this? There's no booze
and only one hooker!" - Bender, Futurama