
PHP Server Side Scripting Forum

    
Validation - Server-side vs JS?
neophyte




msg:3351048
 10:56 am on May 27, 2007 (gmt 0)

Hello All -

I'm trying to settle on a type of coding routine that I can learn, be comfortable with, and then use for any project that comes my way.

Next up on the list is what type of validation I should use post-form-submission. I've slaved for weeks over one php-based concept that works very nicely (the form is re-called upon submit and any required fields not filled in - or not filled in correctly - are highlighted in red with the previous field content re-displayed). Very nice and I was quite proud of myself.

Then I was reading somewhere that server-side validation shouldn't be used because of increased server strain. Darn! So, I bow to the feet of the masters here to get their opinion. On the one hand, I really like .php and use it for everything I can; conversely, I don't know a lick of JS to save my life and am concerned over the possibility that some (yes, apparently very, very few) users have JS disabled in their browsers - even though this is apparently pretty unlikely, when you're doing a business application that NEEDS correct validation, this could become a real problem real fast.

The type of forms I typically deal with aren't that long; however, I'm on a project now with tons and TONS of forms that a user needs to fill out - and which need validation - and so the "server-strain" question is beginning to gnaw at me.

The thought, as well, of re-doing all my php validation work in JS doesn't, as one might imagine, thrill me either.

So, what do the good guys and gals here say about this topic?

Neophyte

 

victor




msg:3351052
 11:19 am on May 27, 2007 (gmt 0)

Any data that reaches a server is untrusted data, and must be fully validated.

Even if you have client-side JS that does the validation, you cannot be sure that someone has not sidestepped the JS (or has an older (or newly minted, badly debugged) browser that does not execute the JS correctly).

Perhaps the best of both worlds is:

* full client-side JS validation with copious error / correction messages -- so you can offer people immediate feedback on problems

* full server-side PHP validation -- so you can ensure dirty data does not pollute your database. The error / correction messages can be less comprehensive as you expect few users to ever see them as most data was filtered through the JS validation.

But if you only do one, do server-side. If the server is being strained: get a bigger one, or look at load balancing.
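
The server-side half of the approach discussed in this thread, as an added example that is not code from any poster: every field is re-validated on the server regardless of what the browser did, and previous content is re-displayed escaped with an error marker. The field names, rules, CSS class and the helper names `validate_form` and `render_field` are hypothetical.

```php
<?php
declare(strict_types=1);

// Hypothetical rules for a small form; field names and limits are assumptions.
const RULES = [
    'name'  => ['required' => true,  'max' => 80],
    'email' => ['required' => true,  'max' => 254, 'filter' => FILTER_VALIDATE_EMAIL],
    'age'   => ['required' => false, 'max' => 3, 'filter' => FILTER_VALIDATE_INT,
                'options' => ['min_range' => 18, 'max_range' => 120]],
];

/** Validate untrusted input; returns [trimmed values, errors keyed by field]. */
function validate_form(array $input, array $rules): array
{
    $clean = $errors = [];
    foreach ($rules as $field => $rule) {
        $raw = $input[$field] ?? '';
        // A hand-built request can send an array (age[]=x) where a string is expected.
        if (!is_string($raw)) {
            $clean[$field] = '';
            $errors[$field] = 'Invalid value.';
            continue;
        }
        $clean[$field] = $value = trim($raw);
        if ($value === '') {
            if ($rule['required']) { $errors[$field] = 'This field is required.'; }
            continue;
        }
        if (strlen($value) > $rule['max']) {            // length limit in bytes
            $errors[$field] = 'Too long.';
        } elseif (isset($rule['filter']) && filter_var($value, $rule['filter'],
                ['options' => $rule['options'] ?? []]) === false) {
            $errors[$field] = 'Not a valid value.';
        }
    }
    return [$clean, $errors];
}

/** Re-display a field with its previous content, escaped, flagged if in error. */
function render_field(string $field, array $clean, array $errors): string
{
    $class = isset($errors[$field]) ? ' class="error"' : '';
    $value = htmlspecialchars($clean[$field] ?? '', ENT_QUOTES, 'UTF-8');
    return "<input name=\"$field\" value=\"$value\"$class>";
}

// Constructed sample standing in for $_POST from a client that skipped the JS checks.
$post = ['name' => 'Ann "><b>x', 'email' => 'not-an-email', 'age' => ['x']];
[$clean, $errors] = validate_form($post, RULES);
foreach (array_keys(RULES) as $f) { echo render_field($f, $clean, $errors), "\n"; }
```

The sample request passes `name` (it is re-displayed with its markup escaped) and flags `email` and `age`, which is the behaviour to confirm with JavaScript disabled.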

barns101




msg:3351057
 11:22 am on May 27, 2007 (gmt 0)

I've never heard of server-side validation causing server strain. OK, the more the server has to do, the more "strain" it is technically under. But validating a few forms? No problem!

You MUST validate server-side if you want your forms and server to be secure. People can disable JavaScript and completely bypass any client-side validation in 2 seconds.

I personally validate both with JavaScript so that any legitimate user errors can be picked up immediately, and then server-side with PHP so that "naughty" users are also caught.

neophyte




msg:3351620
 10:30 am on May 28, 2007 (gmt 0)

victor and barns101 -

Thanks for your input, and your three comments below have pretty much made up my mind on how to approach the entire validation question:

Even if you have client-side JS that does the validation, you cannot be sure that someone has not sidestepped the JS (or has an older (or newly minted, badly debugged) browser that does not execute the JS correctly).

People can disable JavaScript and completely bypass any client-side validation in 2 seconds.

...validating a few forms? No problem!

I must admit that I'm surprised that only the two of you weighed in on this topic... but considering this is the case, however, I will assume that others that have viewed this thread are in silent agreement with your counsel; I suppose as well that the "overloaded server" issue I had read about (somewhere) was either a red-herring or something that I simply mis-read.

Thank you both for your guidance; I guess until I have more time to learn JS (not very likely at this point) I now feel secure enough to stick with my php-only validation routine.

Thanks to you both!

Neophyte

CDNQuilter




msg:3351903
 6:25 pm on May 28, 2007 (gmt 0)

If validating your form overloads your server then you need a new server! ALWAYS validate server side.

Adding validation with javascript will both speed things up for the user and reduce the server load by ensuring valid data normally hits the server. This would reduce server load if you have a form that usually needs corrections.

BUT test your server validation with javascript disabled.

I regard my javascript validation as 'icing on the cake' and server validation as the main course!
