Is there a way to make validation with Javascript robust?

Question

I see all those tutorials about how one can use Javascript for input validating (checking to see that the email is valid for example), but nothing is stopping someone from loading the form, disabling Javascript, and then submitting the bad input without passing through the tests.

I tried to think of a way that lets you overcome this, and the best thing I could come up with is having a hidden input field and onsubmit after input validation a special value is inserted there using Javascript. Then if the server sees that it wasn't inserted it can tell that something is wrong.

But again, the js file is sent to the user, they can see the HTML, it shouldn't be too difficult to get around this as well.

The more I think of it the more I'm sure that there's no point in validating things using javascript because you will need to repeat the tests on the server side anyway, which begs the question of why people even bother with Javascript as a validating tool.

Am I missing something?

Answer 1

Client side validation eliminates the need for a network round trip to the server and improves the user experience.

Server side validation protects the data integrity. Never trust the user and rarely trust the programmer.

Answer 2

While server-side validation is a must, client-side validation using Javascript is definitely recommended.

• Interactive feedback. The user can see immediate feedback as to whether or not his input is valid.
• Limit page refreshes. Server-side validation requires a query to the server while client-side does not. Most validation "failures" are due to missed fields or invalid data which can be easily identified by javascript validations.

There are numerous libraries out there that can assist in adding general client-side validation using javascript. Most of them require almost no effort to incorporate into a form.

Answer 3

JavaScript validation can be never trusted. It's a user friendly way to tell the user he fails. http request can always be made to add invalid data. JavaScript is running on the client machine. Clients can not be trusted. They make mistakes, do stupid things that you didn't think of to get around validation, disable javascript so they feel safe, create custom http requests because the feel cool they can "hack", etc. Users are stupid, evil, clumsy, unreliable and sometimes even smarter as you.

Answer 4

Client side validation has the point of providing fast feedback to the user, I don't want to hit submit 100 times just because I typed a phone number wrong or I missed something else.

All client side validation really does is provide a better User Experience, since in the end you can NEVER trust the client.

Answer 5

The only way to make client-side validation robust, is to repeat it on the server.

The reason people bother with client-side validation, is one of user-experience. Client-side validation gives instant feedback - server-side validation does not. Also, in a high-load situation it will help to take some load off the server by not allowing invalid forms to be posted.

Answer 6

JavaScript allows you inform the user about mistakes and misunderstandings without extra network load and waiting time. Of course, it doesn't prevent submission of intentionally wrong or even wrongdoing data, and you need to perform secondary checks on the server side.