Reputation: 7041
I have a lengthy form which heavily uses client-side validation (written in jQuery). To prevent users with disabled JavaScript from submitting the form, I have included a hidden field which is populated with the "javascript_enabled" value by jQuery. If JS is disabled in the browser, then the field is left blank and the form will not be submitted.
The question is: is this enough that I should feel safe, or do I have to include server-side validation for every field too?
Upvotes: 3
Views: 1437
Reputation: 15872
All of the above answers are valid, I just want to add a couple of points.
Client-side validation can be used to give instantaneous feedback to the user without the need for additional requests to the server (Lower Traffic).
Client-side validation can be easily bypassed. (Disable JavaScript, Custom HTTP Requests, Access using e.g. CURL)
Cannot be bypassed (unless you've left an exploitable piece of code)
Good server-side validation can prevent potential threats such as XSS and SQL injection. (These can lead to obtaining other users' data, or break your database.)
I'm looking forward to further development of the WebSocket protocol and for it to become more widely used. WebSockets allow for a two-way (full duplex) connection, meaning it will be incredibly efficient to validate from the server side, for example, every time a key is entered into an input field. Hopefully this approach will do away with client-side validation!
Upvotes: 4
Reputation: 20320
Server-side validation is a must; client-side validation is there to do as much as is practical without the overhead of a round trip to the server.
Upvotes: 0
Reputation: 119867
To what extent? None. You should never rely on client-side validation at all. Client-side validation is purely for UX purposes.
The true validation is always done on the server.
Upvotes: 6
Reputation: 382224
No. Client side validation is only here for the comfort of the user, not to protect your server.
All client side actions are easy for the user to change.
To protect your server you MUST add server side validation.
Upvotes: 7
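The point the answers agree on, as an added example that is not part of any post above: the server re-checks every field itself and ignores the hidden "javascript_enabled" marker, because any client can send that value. The field names (email, age, comment), their rules and the `validateForm` helper are hypothetical, and the request body is assumed to be already parsed into an object.

```javascript
// Added example: field names and rules are hypothetical, not from the question.
// Each rule returns an error string, or null when the value is acceptable.
const RULES = {
  email: (v) =>
    typeof v === "string" && v.length <= 254 && /^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(v)
      ? null : "invalid email",
  age: (v) =>
    typeof v === "string" && /^\d{1,3}$/.test(v) && Number(v) >= 18 && Number(v) <= 120
      ? null : "age must be a whole number from 18 to 120",
  comment: (v) =>
    typeof v === "string" && v.trim().length > 0 && v.length <= 500
      ? null : "comment must be 1 to 500 characters",
};

// Validate a parsed form body on the server. Only fields listed in RULES are
// read, so the hidden "javascript_enabled" marker has no influence on the result.
function validateForm(body) {
  const errors = {};
  const clean = {};
  for (const [name, check] of Object.entries(RULES)) {
    const value = body == null ? undefined : body[name];
    const err = check(value);
    if (err) errors[name] = err;
    else clean[name] = value.trim();
  }
  return { ok: Object.keys(errors).length === 0, errors, clean };
}

// Constructed sample: a body sent without a browser. The marker is present,
// yet none of the jQuery checks ever ran on these values.
const handCrafted = {
  javascript_enabled: "javascript_enabled",
  email: "not-an-email",
  age: "-5",
  comment: "",
};

// Constructed sample: what a browser with working client-side checks submits.
const fromBrowser = {
  javascript_enabled: "javascript_enabled",
  email: "user@example.com",
  age: "42",
  comment: " Looks good. ",
};

console.log(validateForm(handCrafted)); // rejected on all three fields
console.log(validateForm(fromBrowser)); // accepted, marker not copied to clean
```

Validation of this kind decides whether input is acceptable; queries built from the accepted values still need parameterization, and output still needs encoding, to address the SQL injection and XSS threats mentioned in the answers.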