client and server validation

hi,

I'm writing a CMS for a uni project and just looking for some info on validation.

I was thinking of using AJAX for real-time client-side validation. Is this probably the best technology to use? The CMS will be written in PHP.

I'm not very sure about what takes place on server validation though. Surely client side validation will ensure validity of data unless parameter values are hacked or suchlike. Anybody advise me on how to go about server validation?

I'm currently looking into preventing SQL injection attacks etc.

Thanks in advance.
Jonny
 
jonnyc747 said:
Surely client side validation will ensure validity of data unless parameter values are hacked or suchlike. Anybody advise me on how to go about server validation?
Hackers won't use your pretty site to send data. They'll fire off HTTP requests filled with evil stuff. So check on the server; use client-side JavaScript checking to reduce server load caused by people who've just made typos etc - this also makes things easier for them, as they don't need to wait for a page load.
 
Beansprout said:
Hackers won't use your pretty site to send data. They'll fire off HTTP requests filled with evil stuff. So check on the server; use client-side JavaScript checking to reduce server load caused by people who've just made typos etc - this also makes things easier for them, as they don't need to wait for a page load.

Thanks for that. Is server validation just checks to ensure that the data sent is of a valid type and is stripped of all /\'" characters?
 
jonnyc747 said:
Thanks for that. Is server validation just checks to ensure that the data sent is of a valid type and is stripped of all /\'" characters?

It's whatever you want it to be. If you're expecting a number and get "HELLO THERE", do nothing and send back a reply saying "errrrr.....".

Similarly, if you're expecting a valid id, and you get a correctly formatted but invalid id, you can reject that as well. Given the range and power of what you can validate on the server, I wonder why anyone seriously considers client side validation.
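
The two server-side checks discussed in this thread (wrong type, and well-formed but unknown id), as an added example that is not part of any post. The `pages` table, the helper name `validatePageId` and the sample request values are constructed for illustration; it assumes PHP 8 with the pdo_sqlite extension.

```php
<?php
declare(strict_types=1);

// Constructed sample data: an in-memory SQLite table standing in for the CMS's pages.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE pages (id INTEGER PRIMARY KEY, title TEXT)');
$pdo->exec("INSERT INTO pages (id, title) VALUES (1, 'Home'), (2, 'About')");

/**
 * Hypothetical helper: validate a page id taken from the request.
 * Returns [httpStatus, message].
 */
function validatePageId(PDO $pdo, mixed $raw): array
{
    // 1. Type/format check: only a string holding a positive integer is accepted.
    //    Arrays (e.g. id[]=1 in the query string) and free text are rejected here.
    $id = is_string($raw)
        ? filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]])
        : false;
    if ($id === false) {
        return [400, 'id must be a positive integer'];
    }

    // 2. Existence check: a correctly formatted id that matches nothing is rejected too.
    //    The value is bound as a parameter, never concatenated into the SQL text.
    $stmt = $pdo->prepare('SELECT title FROM pages WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $title = $stmt->fetchColumn();
    if ($title === false) {
        return [404, 'no such page'];
    }
    return [200, $title];
}

// Constructed request values, as they could arrive in a hand-written HTTP request.
$samples = ['2', 'HELLO THERE', '999', "1' OR '1'='1", ['1'], ''];
foreach ($samples as $raw) {
    [$status, $message] = validatePageId($pdo, $raw);
    printf("%-20s => %d %s\n", json_encode($raw), $status, $message);
}
```

Only the first sample returns 200; `'999'` passes the format check but fails the lookup, and the rest are rejected before any query runs.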
 
growse said:
I wonder why anyone seriously considers client side validation.
I'd rather have a Javascript alert than have an entire page refresh and probably lose some of the values I entered - password fields, for example :)
 
Beansprout said:
I'd rather have a Javascript alert than have an entire page refresh and probably lose some of the values I entered - password fields, for example :)

Yeah, for sure. I need to include AJAX somehow in my CMS, so client-side validation is probably the best opportunity to show it off. I could be wrong though, I'm only a newb to this stuff!

Thanks for the help guys.
 
Beansprout said:
I'd rather have a Javascript alert than have an entire page refresh and probably lose some of the values I entered - password fields, for example :)

Ah, I should have clarified, I meant "seriously using client side validation as their only form of validation". Obviously it can be more user-friendly to do a bit of checking in JS, but ultimately it's the server that decides what is and isn't valid data :)
 
From a security point of view I would really concentrate on the server side of it as anything on the client side can be side stepped very easily.

If you find a decent tutorial or any easy way of dropping some AJAX into your project then please post it here, I'm working on my final year project and whilst AJAX isn't necessary it would be a nice addition but I don't have time to learn Javascript thoroughly.
 