kensbeijing Posted January 27, 2009

Is it better to use JavaScript for form validation, e.g. max number of characters, letters only etc., or PHP? Which is faster? I am more used to scripting with PHP, or would it be better to use both JS and PHP in case someone has switched off JavaScript in their browser?
Rocky Posted January 27, 2009

I'd use both, but at least use PHP, because a user could easily create his own page to submit something to your website that is not valid. JavaScript just makes it more user friendly because the page doesn't have to be reloaded after validating the form. Make sure you use the mysql_real_escape_string() function to prevent any injections into the SQL database (Google is your friend).
Synook Posted January 28, 2009

If you want both usability and security, then do both. Why not? But as Rocky said, JS can easily be turned off and requests (even POST ones) easily forged. So you at least need a filter on the server side to validate data.
kensbeijing (Author) Posted January 28, 2009

How do I prevent people from forging the POST form? Surely, even with the validation, they can still post valid data illegally (not using the form).
jeffman Posted January 28, 2009

Now you know why even the most trivial of blogs and surveys require people to register, verify an email address, and then log in before they can actually post data. Like everything else, though, it's just one more imperfect layer of pseudo-safety. The bigger problem is not illegal posts, as you call them, but attacks, e.g. 1000 big posts in 5 minutes, that can clobber your bandwidth and make your host shut down your site. Crackers do that just for fun. You might also want to look into a widget that locks out more than, say, 10 posts/hour from the same IP. Another widget might simply look for unusual activity at regular intervals. Security is a lot of headaches.
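The per-IP limit jeffman describes (at most 10 posts per hour from one address), as an added example that is not code from the thread. It uses a sliding window over the timestamps of accepted posts, so a burst of 1000 posts in 5 minutes is cut off after the tenth. The storage is a plain PHP array so the file runs on its own from the command line; a real site would keep the timestamps somewhere shared between requests (a database table, APCu, Redis), and the limit and window sizes are assumed values. Requires PHP 7.4 or later (arrow functions, numeric separators).

```php
<?php
// Added example (not from the thread): a per-IP posting limit of the kind
// jeffman suggests. In-memory array storage is for illustration only; between
// real requests the timestamps must live in a shared store.

declare(strict_types=1);

const POST_LIMIT  = 10;    // posts allowed ...
const POST_WINDOW = 3600;  // ... per this many seconds (one hour); assumed values

/**
 * Record a post attempt from $ip at time $now and report whether it is allowed.
 * $log maps IP => list of timestamps of accepted posts. Only posts newer than
 * ($now - POST_WINDOW) count, so the window slides rather than resetting hourly.
 */
function allowPost(array &$log, string $ip, int $now): bool
{
    $recent = array_filter(
        $log[$ip] ?? [],
        fn (int $t): bool => $t > $now - POST_WINDOW
    );
    if (count($recent) >= POST_LIMIT) {
        $log[$ip] = array_values($recent);   // keep the pruned list, reject this post
        return false;
    }
    $recent[] = $now;
    $log[$ip] = array_values($recent);
    return true;
}

// Demo with constructed timestamps: ten posts one minute apart are accepted,
// the eleventh inside the hour is refused, and one more an hour later passes again.
if (PHP_SAPI === 'cli') {
    $log = [];
    $ip  = '203.0.113.7';      // documentation-range address, constructed
    $t0  = 1_233_100_000;      // arbitrary epoch seconds (late January 2009)
    for ($i = 0; $i < 11; $i++) {
        $ok = allowPost($log, $ip, $t0 + $i * 60);
        printf("post %2d at +%4ds: %s\n", $i + 1, $i * 60, $ok ? 'accepted' : 'rejected');
    }
    $late = $t0 + POST_WINDOW + 60;
    printf("post 12 at +%ds: %s\n", POST_WINDOW + 60,
        allowPost($log, $ip, $late) ? 'accepted' : 'rejected');
}
```

Design note: keying on the remote address is a coarse control. Many users behind one NAT or proxy share an IP and will share the limit, so pair it with the per-account limits that come with the registration jeffman mentions, and treat it as a brake on floods rather than as a way to identify a person.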
boen_robot Posted January 28, 2009

> How do I prevent people from forging the POST form?

You can't. It's just the way HTTP works: ANY data gets sent in ANY (undefined) fashion, and A response is sent. What you CAN do is check the data submitted, act only upon valid data, and present an error otherwise. The exact response the user agent (be it a browser, search engine or something else) will receive depends entirely on you. A great tool that can inspire you and make you understand (if you haven't already) is Fiddler (see my signature). Just open it, then open IE, go to your form and submit some data. Then go to Fiddler, on the left click the name of your form interpreter, and on the right click "Raw" in both the "Request" and "Response" sections. If your head hasn't exploded after you see (and realize) what's in there, post again.
Synook Posted January 30, 2009

> How do I prevent people from forging the POST form? Surely, even with the validation, they can still post valid data illegally (not using the form).

That's what server-side validation is for. The request may get past the client, but will still be caught as it enters the server.
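The server-side filter that Synook and boen_robot describe (accept only data that passes your checks, whatever sent the request), as an added example that is not code from the thread. It validates the two rules from the original question, letters only and a maximum length, on a constructed form with fields named `username` and `comment` (assumed names and limits). The storage step uses a PDO prepared statement, my choice for the example rather than the mysql_real_escape_string() call Rocky mentions; it runs against an in-memory SQLite database when the `pdo_sqlite` extension is present and is skipped otherwise. Requires PHP 7.4 or later and the `mbstring` extension.

```php
<?php
// Added example (not from the thread): server-side validation of a form
// submission, independent of any JavaScript the browser may or may not run.
// Field names "username" and "comment" and their limits are assumed.

declare(strict_types=1);

/**
 * Validate a submitted form array (normally $_POST).
 * Returns a list of error messages; an empty list means the data is valid.
 */
function validateForm(array $input): array
{
    $errors = [];

    // Missing fields become empty strings. A non-string value (e.g. a
    // username[] array smuggled into the request) is rejected outright.
    $username = $input['username'] ?? '';
    $comment  = $input['comment'] ?? '';
    if (!is_string($username) || !is_string($comment)) {
        return ['Unexpected field type.'];
    }

    // Whitelist: letters only, 1 to 20 of them. \z (not $) anchors at the very
    // end of the string, so a trailing newline cannot slip past the check.
    if (!preg_match('/^[A-Za-z]{1,20}\z/', $username)) {
        $errors[] = 'Username must be 1-20 letters (A-Z, a-z).';
    }

    // Length in characters, not bytes, so a UTF-8 comment is measured the way
    // the user sees it.
    if (mb_strlen($comment, 'UTF-8') > 500) {
        $errors[] = 'Comment must be at most 500 characters.';
    }
    if (trim($comment) === '') {
        $errors[] = 'Comment must not be empty.';
    }

    return $errors;
}

/**
 * Store validated data. The bound placeholders keep the values out of the SQL
 * text, so quotes or semicolons in $comment are just characters in a column.
 */
function storeComment(PDO $db, string $username, string $comment): void
{
    $stmt = $db->prepare('INSERT INTO comments (username, body) VALUES (:u, :c)');
    $stmt->execute([':u' => $username, ':c' => $comment]);
}

// --- demo: constructed submissions, run from the command line ---------------
if (PHP_SAPI === 'cli') {
    $samples = [
        'valid'       => ['username' => 'alice', 'comment' => 'Hello there'],
        'not letters' => ['username' => "bob'; --", 'comment' => 'x'],
        'too long'    => ['username' => 'carol', 'comment' => str_repeat('a', 501)],
        'array field' => ['username' => ['evil'], 'comment' => 'x'],
    ];
    foreach ($samples as $label => $data) {
        $errors = validateForm($data);
        printf("%-12s %s\n", $label . ':', $errors ? implode(' | ', $errors) : 'OK');
    }

    if (in_array('sqlite', PDO::getAvailableDrivers(), true)) {
        $db = new PDO('sqlite::memory:');
        $db->exec('CREATE TABLE comments (username TEXT, body TEXT)');
        storeComment($db, 'alice', "It's fine; quotes don't matter here");
        echo 'stored rows: ' . $db->query('SELECT COUNT(*) FROM comments')->fetchColumn() . "\n";
    }
}
```

Usage note: in a real handler you would call `validateForm($_POST)` and only reach `storeComment()` when the returned list is empty; the same function can drive the error messages shown in the form. The JavaScript checks from the question remain worthwhile for the user's convenience, but nothing in this file depends on them having run.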