Javascript Validation Security

This isn't really a CodeIgniter development question, but this is by far the best forum I have ever joined, so I thought someone could probably provide me an excellent answer to my question.

I've been using JavaScript validation for all my forms on the website I'm currently developing up to this point. I did this for two main reasons: 1. because it's client side, so it's less work my server has to do, and 2. because I can make it look really cool and user friendly and dynamic, etc.

I'm wondering if there are any security risks. Particularly, if someone just turned JavaScript off in their browser, would all my validation be broken? Is it okay to just refuse to allow non-JavaScript-enabled browsers to use my website? If so, is there a header or something which would allow me to discern whether a user has JavaScript enabled or not?


Because JavaScript can be turned off, it's not secure to only do JavaScript validation. You should always back it up with server validation. This will create some overhead, but it's better than a hacked site.

The question of whether it's OK to refuse people that don't have JavaScript turned on depends on which audience you are targeting. If you are sure all the users have a computer and an A-grade browser, you could refuse those users. If you have the biggest audience possible in mind, you have to go with the lowest common denominator and allow non-JavaScript users.

Use it, but never rely on it: untrusted client-side validation is the worst thing to rely on; you must do the same checks on a second, trusted (i.e. server) layer.

As the people above have said, it is never a good idea to rely solely on JavaScript for validation. If, for some reason, JavaScript were to be turned off or bypassed by a malicious or oblivious (more commonly the second) user, potentially harmful data could get into your database. For example, if you are using JavaScript to ensure that the email address the user is signing up with is unique, but for some reason JavaScript fails, you could wind up with duplicate email addresses in your table, which would only cause nightmares down the road. The integrity of the data within your database is worth the extra (albeit minimal) load placed on your server to validate the data.
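The "validate twice" advice in the replies above, as an added example that is not code from the thread or from CodeIgniter: the same rule set runs once in the browser for a friendly UI and once on the server against the raw POST body, which is the only copy an attacker cannot switch off. The uniqueness check from the previous reply lives only on the server, because only the server sees the table. All names, the in-memory `users` set and the request bodies are constructed for illustration.

```javascript
// Added example, not from the original thread. Everything here (rule set,
// the in-memory users table, the request bodies) is constructed.

// One rule set, used by BOTH layers. The client copy is a courtesy to the
// user; the server copy is the actual control.
const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;

function validateSignup(fields) {
  const errors = [];
  const email = (fields.email || '').trim();
  const password = fields.password || '';
  if (email === '') errors.push('email: required');
  else if (!EMAIL_RE.test(email)) errors.push('email: not a valid address');
  if (password.length < 8) errors.push('password: at least 8 characters');
  return errors;
}

// Client side: what the page's JavaScript does before letting the form go.
// If JS is off, or the request is built with curl, this never runs.
function onSubmitClientSide(formFields) {
  const errors = validateSignup(formFields);
  return { allowSubmit: errors.length === 0, errors };
}

// Server side: parses application/x-www-form-urlencoded itself and never
// trusts any "already validated" signal from the client.
function parseFormBody(body) {
  const fields = {};
  for (const pair of body.split('&')) {
    if (pair === '') continue;
    const [k, v = ''] = pair.split('=');
    fields[decodeURIComponent(k.replace(/\+/g, ' '))] =
      decodeURIComponent(v.replace(/\+/g, ' '));
  }
  return fields;
}

function handleSignupRequest(rawBody, usersTable) {
  const fields = parseFormBody(rawBody);
  const errors = validateSignup(fields);
  // Uniqueness is server-only: the browser cannot see the table, and a
  // client-side "is this taken?" check is advisory at best.
  const email = (fields.email || '').trim().toLowerCase();
  if (errors.length === 0 && usersTable.has(email)) {
    errors.push('email: already registered');
  }
  if (errors.length > 0) return { status: 400, errors };
  usersTable.add(email);
  return { status: 201, errors: [] };
}

// Three requests hitting the server; only the first came through a browser
// that actually ran onSubmitClientSide.
function demo() {
  const users = new Set(['alice@example.com']); // constructed table
  const results = {};
  // 1. Normal browser: client check passed, server agrees.
  results.good = handleSignupRequest(
    'email=bob%40example.com&password=correcthorse', users);
  // 2. JS disabled or crafted request: the client check never ran.
  results.badEmail = handleSignupRequest(
    'email=not-an-email&password=correcthorse', users);
  // 3. Duplicate address in a different case; caught only here.
  results.duplicate = handleSignupRequest(
    'email=Alice%40Example.com&password=correcthorse', users);
  return results;
}

module.exports = { validateSignup, onSubmitClientSide, parseFormBody, handleSignupRequest, demo };
```

The point of sharing `validateSignup` between the two layers is that the rules stay in one place, so the client can give instant feedback without the server ever depending on it; whether a client claims to have run the check is never consulted, which is what makes disabling JavaScript harmless rather than dangerous.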

Thanks for the quick replies.
I think I'm going to use JavaScript for purely aesthetic purposes and then have the validations again on the backend of the script.
