Reputation: 1773
My question is simple, I'm writing a simple login/registration form for my website using HTML, PHP and jQuery.
Is it necessary to write the form validation in PHP also when I could use HTML's required tag on each input and use PHP to check for username availability and password match?
I believe it is good practice to also have a validation in the back-end but it would appear that the 'required' function in HTML takes care of all that? Can this be misused easily, what are the general drawbacks of solely relying on HTML for simple form validation?
Upvotes: 1
Views: 292
Reputation: 6896
It might help to think of client side validation being a usability issue and the server side validation being a security issue.
Where usability might be described as being a "nice to have", security is definitely a "must have".
Upvotes: 1
Reputation: 30882
Validation on the server is a must
You can pretty things up however by validating on both the client and server so the user gets instant feedback, but yes, it is necessary to do validation in PHP.
Upvotes: 2
Reputation: 7034
You should never rely on frontend validation, neither JavaScript nor HTML. Users can open your reg form, use Firebug or some other tool, inspect the text box and DELETE the required attribute. They can also send POSTed variables to your backend, even without opening your frontend.
Upvotes: 2
Reputation: 943571
Is it necessary to write the form validation in PHP also
You can never depend on any form of client side validation. It can always be bypassed.
People might be using browsers that don't support HTML 5 validation attributes, or might use a DOM inspector to remove them.
JavaScript solutions can be trivially bypassed by turning off JavaScript.
Forms can be copy/pasted, edited and then submitted from a page owned by the user.
HTTP requests can be constructed by hand without going near a form.
etc. etc.
Client side validation can only ever be provided for the convenience of the user. The protection of your systems can only be handled server side.
Upvotes: 3
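The server-side check the answers above call for, as an added example that is not part of any post in this thread: the PHP handler re-validates every field on its own, so the result is the same whether or not the browser enforced `required`. The field names (`username`, `password`, `password_confirm`) and the length and character rules are assumptions.

```php
<?php
declare(strict_types=1);

// Hypothetical field names; returns an array of errors keyed by field (empty = valid).
function validate_registration(array $post): array
{
    $errors = [];
    $fields = [];

    foreach (['username', 'password', 'password_confirm'] as $name) {
        $value = $post[$name] ?? null;
        // A field can be absent, or arrive as an array (username[]=x), when the
        // request did not come from the browser-rendered form.
        if (!is_string($value)) {
            $errors[$name] = 'This field is required.';
            continue;
        }
        $fields[$name] = $value;
    }
    if ($errors) {
        return $errors;
    }

    // Assumed policy: 3-32 characters, letters, digits and underscore only.
    if (preg_match('/\A[A-Za-z0-9_]{3,32}\z/', trim($fields['username'])) !== 1) {
        $errors['username'] = 'Use 3-32 letters, digits or underscores.';
    }
    // Assumed policy: at least 8 characters.
    if (strlen($fields['password']) < 8) {
        $errors['password'] = 'Password must be at least 8 characters.';
    }
    if ($fields['password'] !== $fields['password_confirm']) {
        $errors['password_confirm'] = 'Passwords do not match.';
    }
    return $errors;
}

// Constructed sample inputs standing in for $_POST.
$samples = [
    'browser form'       => ['username' => 'alice_01', 'password' => 'correct horse', 'password_confirm' => 'correct horse'],
    'required removed'   => ['username' => '', 'password' => '', 'password_confirm' => ''],
    'hand-built request' => ['username' => ['x'], 'password' => 'short'],
];

foreach ($samples as $label => $post) {
    $errors = validate_registration($post);
    echo $label, ': ', $errors ? json_encode($errors) : 'accepted', PHP_EOL;
}
```

Only input that returns an empty error array should go on to the username-availability lookup and to `password_hash()` before storage.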