Form/Email Validation: Client-side or Server-side?

Status
Not open for further replies.

bobsoap

Sep 16, 2008
soapdesigned.com
So I am working on this site and I'm constantly wondering which method of form validation/verification is better: JavaScript or PHP? I put together some really nice PHP that sanitizes user input and upon error (e.g. if a required field is empty), it sends an error message via GET back to the form.

Also, which is more secure? I'm not so sure if GET is a good method to pass back variables. In this case, I only have two possible variables - ?success=1 and ?error=1. The PHP script shows an otherwise hidden DIV if one of these is true. Is there potential for vulnerability with this method?

Anyone have experience with this?
 


Validate client side AND server side. I find it best to submit the form onto itself. Then you can validate the input, and if approved, perform your logic and then redirect/display the final message/page.

Passing data around in the GET is okay, just not very clean. You'll also need to sanitize any GET data before you display it on the page to avoid XSS. htmlentities() is your friend here.

I strongly suggest you check out some of the popular frameworks out there. Lots of these boring things like validation will already be handled, or they will provide helper functions to make things easier. CodeIgniter is my personal fav for PHP.
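As an added example (not the poster's code), here is what that advice looks like in PHP: a form that posts to a fixed action URL, validates on the server, keeps the GET status parameter to an allow-list so it is never echoed raw, and passes every dynamic value through htmlentities(). It assumes the file is saved as contact.php and that send_message() is a hypothetical helper defined elsewhere.

```php
<?php
// Added example, not code from the thread: a contact form that posts to itself,
// validates on the server and passes only an allow-listed status back via GET.
// Assumes the script is saved as contact.php; send_message() is a hypothetical helper.
function validate_contact(array $post): array {
    $errors = [];
    $name  = trim($post['name'] ?? '');
    $email = trim($post['email'] ?? '');
    if ($name === '' || strlen($name) > 100) {
        $errors[] = 'Name is required (at most 100 characters).';
    }
    // Built-in validator instead of a hand-rolled regex.
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'A valid email address is required.';
    }
    return $errors;
}
// Every dynamic value that reaches HTML goes through the same escaping helper.
function h(string $s): string {
    return htmlentities($s, ENT_QUOTES, 'UTF-8');
}
// The GET status is only compared against fixed keys and never echoed raw,
// so a crafted ?status=... cannot inject markup into the page.
$messages = [
    'success' => 'Thanks, your message was sent.',
    'error'   => 'Please correct the fields below.',
];
$status = $_GET['status'] ?? '';
if (!is_string($status) || !array_key_exists($status, $messages)) {
    $status = '';
}
$errors = [];
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $errors = validate_contact($_POST);
    if ($errors === []) {
        send_message(trim($_POST['name']), trim($_POST['email']));
        // Redirect after POST so a browser refresh cannot re-submit the form.
        header('Location: contact.php?status=success');
        exit;
    }
    $status = 'error';
}
?>
<?php if ($status !== ''): ?><p class="<?= h($status) ?>"><?= h($messages[$status]) ?></p><?php endif; ?>
<?php foreach ($errors as $e): ?><p class="error"><?= h($e) ?></p><?php endforeach; ?>
<form method="post" action="contact.php">
  <input name="name" value="<?= h($_POST['name'] ?? '') ?>" required>
  <input type="email" name="email" value="<?= h($_POST['email'] ?? '') ?>" required>
  <button type="submit">Send</button>
</form>
```

The hard-coded action avoids echoing $_SERVER['PHP_SELF'] into the form, and the redirect-after-POST means the success message survives a refresh without re-sending the message.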
 
Security-wise, PHP is always better for forms in my opinion... people can bypass a lot of JavaScript security by simply turning off JavaScript in their browser... I usually use JavaScript (AJAX) for the aesthetics of the form and then make sure with a PHP script server-side...
 
Validate client side AND server side. I find it best to submit the form onto itself. Then you can validate the input, and if approved, perform your logic and then redirect/display the final message/page.
I actually looked into PHP_SELF but found a few potential security issues with it. Supposedly it is not hard to inject code... Just google [php self] and the first result you get is about that.

The frameworks are a good idea, I have CodeIgniter bookmarked but I never found any proper use for it. I'll definitely give it a try, thanks for the pointer!


Security-wise, PHP is always better for forms in my opinion... people can bypass a lot of JavaScript security by simply turning off JavaScript in their browser... I usually use JavaScript (AJAX) for the aesthetics of the form and then make sure with a PHP script server-side...
This is what I have been doing most of the time, for the same reasons, but I only use AJAX when it fits with the overall site. I don't find it necessary to slap it on everything just because it's there.

Thanks for your feedback guys :)
 