Reputation: 755
I want to validate the data that the user enters in a form. I have only a username and two fields for the password. My first question is that I check the data with JavaScript and it works fine, but I want to check the data with PHP too in case JavaScript is not working. In case the JavaScript is not working the data will be checked by the PHP code, but my problem is that if JavaScript is working then the data will be checked by JavaScript and PHP too. Is this fine? Is there any way to avoid checking with PHP when the input data are checked by JavaScript? Also, I am checking the inputs (username and password) for the number of characters and for characters (I don't permit special characters, only "_", ".", numbers and letters, in order to avoid SQL injection) - how does it sound to you? Do you have any other suggestion for better validation?
Thank you in advance.
Upvotes: 0
Views: 390
Reputation: 263
This is actually good; you can never do too much validation, in my opinion. Client-side scripting can be manipulated by anyone with web development experience, but server-side scripting cannot.
client side scripting validation pros:
server side validation pros:
In short, doing both is good, it's actually better than just doing one or the other.
Upvotes: 1
Reputation: 5701
You should always perform server-side validation. There is no guarantee that client-side validation (such as JavaScript validation) cannot be defeated. It's a simple exercise to grab a debugging tool (and many are built into browsers nowadays) and circumvent JavaScript validation.
Typically there is nothing wrong with doing validation in both places, in JavaScript and PHP, and it is even recommended.
Upvotes: 2
Reputation: 5412
Yes, you should validate both client-side (JS) and server-side (PHP).
Do so on the client for convenience for your user and for a better user experience.
Do so on the server to prevent a malicious attack, or, as you stated, in case your user has JS disabled.
Upvotes: 2
Reputation: 1122
Checking both ways is fine and definitely recommended. If you wanted to avoid checking with PHP if JavaScript is enabled, you could append a hidden field to the form and check for this with PHP.
E.g.
    if (!isset($_POST['js_hidden_field'])) {
        // Run Validation
    }
So you check for the hidden field; if it's not set, then run the PHP validation.
Upvotes: 1
Reputation: 12721
You should always do a server-side (PHP) validation of user input. A client-side (JavaScript) validation is only good for a better user experience. Also, you should not restrict the input to some characters for MySQL injection prevention; there are other reliable methods for this.
Upvotes: 2
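An added example, not taken from any of the posts above: server-side validation in PHP that runs on every request, with SQL injection handled by a PDO prepared statement instead of by the character restriction. The field names, the `users` table, the length limits and the in-memory SQLite database are assumptions made for the illustration.

```php
<?php
declare(strict_types=1);

// Server-side checks run on every request. Any POST field, including a
// hidden "JavaScript ran" marker, is client-supplied and proves nothing.
function validate_registration(array $post): array
{
    $username = $post['username'] ?? '';
    $password = $post['password'] ?? '';
    $confirm  = $post['password_confirm'] ?? '';
    if (!is_string($username) || !is_string($password) || !is_string($confirm)) {
        return ['Malformed request.'];   // e.g. username[]=x arrives as an array
    }
    $errors = [];
    // Username policy from the question: letters, digits, "_" and ".".
    // \A...\z anchors the whole string; "$" would also accept a trailing newline.
    if (preg_match('/\A[A-Za-z0-9_.]{3,30}\z/', $username) !== 1) {
        $errors[] = 'Username must be 3-30 characters: letters, digits, "_" or ".".';
    }
    // Passwords get a length check only (assumed limits); they are hashed, not filtered.
    if (strlen($password) < 8 || strlen($password) > 72) {
        $errors[] = 'Password must be 8-72 bytes long.';
    }
    if ($password !== $confirm) {
        $errors[] = 'Passwords do not match.';
    }
    return $errors;
}

function register_user(PDO $db, array $post): array
{
    $errors = validate_registration($post);
    if ($errors !== []) {
        return $errors;
    }
    // Placeholders keep values out of the SQL text, whatever characters they contain.
    $stmt = $db->prepare('INSERT INTO users (username, password_hash) VALUES (:u, :p)');
    $stmt->execute([':u' => $post['username'],
                    ':p' => password_hash($post['password'], PASSWORD_DEFAULT)]);
    return [];
}

// Constructed demo: in-memory SQLite database and hand-made requests.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)');
$ok  = ['username' => 'alice_01', 'password' => "it's a long pass", 'password_confirm' => "it's a long pass"];
$bad = ['username' => 'bob smith!', 'password' => 'short', 'password_confirm' => 'short', 'js_hidden_field' => '1'];
var_dump(register_user($db, $ok), register_user($db, $bad));
```

The first constructed request has a quote character in the password and is stored through the placeholder; the second sets the hidden field and is still validated.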