Form Validation With Js Or Php?


kensbeijing

I'd use both, but at least use PHP because a user could easily create his own page to submit something to your website that is not valid. JavaScript just makes it more user friendly because the page doesn't have to be reloaded after validating the form. Make sure you use the mysql_real_escape_string() function to prevent any injections into the SQL Database (Google is your friend).

If you want both usability and security, then do both. Why not? But as Rocky said, JS can easily be turned off and requests (even POST ones) easily forged. So you at least need a filter at the server-side to validate data.

Now you know why even the most trivial of blogs and surveys require people to register, verify an email address, and then login before they can actually post data. Like everything else, though, it's just one more imperfect layer of pseudo-safety. The bigger problem is not illegal posts, as you call them, but attacks, e.g., 1000 big posts in 5 minutes, that can clobber your bandwidth and make your host shut down your site. Crackers do that just for fun. You might also want to look into a widget that locks out more than, say, 10 posts/hour from the same IP. Another widget might simply look for unusual activity at regular intervals. Security is a lot of headaches.

How do I prevent people from forging the post form?
You can't. It's just the way HTTP works - ANY data gets sent in ANY (undefined) fashion, and A response is sent. What you CAN do is to check the data submitted, and act only upon valid one, and present an error otherwise. The exact response the user agent (be it a browser, search engine or something else) will receive depends entirely on you. A great tool that can inspire you and make you understand (if you haven't already) is Fiddler (see my signature). Just open it, then open IE, go to your form and submit some data. Then go to Fiddler, on the left click the name of your form interpreter, and on the right click "Raw" in both the "Request" and "Response" sections. If your head hasn't exploded after you see (and realize) what's in there, post again.

How do I prevent people from forging the post form? Surely with the validation and that, they can still post valid data illegally (not using the form).
That's what server-side validation is for. The request may get past the client, but will still be caught as it enters the server.
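
The server-side check the replies above describe, as an added example that is not code from any poster in this thread: it validates a possibly forged POST body, applies the 10 posts/hour per-IP cap suggested earlier, and stores the row with PDO prepared statements (used here in place of mysql_real_escape_string(), since the mysql_* extension was removed in PHP 7.0). The field names, limits, table layout and the `validate_comment()` / `handle_post()` helpers are assumptions for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical handler: field names, limits and schema are assumptions, not from the thread.
const MAX_POSTS_PER_HOUR = 10;

/** Validate untrusted input; returns [cleanData, errors]. */
function validate_comment(array $input): array
{
    $errors = [];
    // A forged request can send arrays or omit fields, so check the type before use.
    $name  = is_string($input['name'] ?? null) ? trim($input['name']) : '';
    $email = is_string($input['email'] ?? null) ? trim($input['email']) : '';
    $body  = is_string($input['body'] ?? null) ? trim($input['body']) : '';
    if (!preg_match('/^[\p{L}\p{N} ._-]{1,50}$/u', $name)) {
        $errors['name'] = 'Name must be 1-50 letters, digits, spaces or . _ -';
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false || strlen($email) > 254) {
        $errors['email'] = 'Invalid e-mail address';
    }
    if ($body === '' || strlen($body) > 2000) {
        $errors['body'] = 'Message must be 1-2000 bytes';
    }
    return [['name' => $name, 'email' => $email, 'body' => $body], $errors];
}

/** Returns an HTTP status code: 201 stored, 422 invalid, 429 throttled. */
function handle_post(PDO $db, array $input, string $ip, int $now): int
{
    [$data, $errors] = validate_comment($input);
    if ($errors) {
        return 422;
    }
    $q = $db->prepare('SELECT COUNT(*) FROM posts WHERE ip = ? AND created > ?');
    $q->execute([$ip, $now - 3600]);
    if ((int) $q->fetchColumn() >= MAX_POSTS_PER_HOUR) {
        return 429;
    }
    // Placeholders keep values out of the SQL text, so quotes in $body stay data.
    $ins = $db->prepare('INSERT INTO posts (ip, name, email, body, created) VALUES (?, ?, ?, ?, ?)');
    $ins->execute([$ip, $data['name'], $data['email'], $data['body'], $now]);
    return 201;
}

// Constructed demo data: in-memory SQLite (needs pdo_sqlite) and two sample request bodies.
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE posts (ip TEXT, name TEXT, email TEXT, body TEXT, created INTEGER)');
$forged = ['name' => ['x'], 'email' => 'nope', 'body' => str_repeat('A', 5000)];
$valid  = ['name' => 'Ken', 'email' => 'ken@example.com', 'body' => "It's a test'); --"];
echo handle_post($db, $forged, '203.0.113.5', time()), "\n";
for ($i = 0; $i < 11; $i++) {
    echo handle_post($db, $valid, '203.0.113.5', time()), "\n";
}
```

The count-then-insert check is not atomic, so under concurrent requests a few posts over the cap can slip through; wrap both statements in a transaction if the limit must be exact.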