Hi all,
Ive just realised that from somebody checking out my new portfolio website and managing to submit an empty contact form, the contact form has Javascript active, and will throw up an alert if the name category has not been completed on clicking the submit button. I completely forgot to consider the fact that when JS is disabled in the browser the form can still be submitted completely empty, so my question is the obvious one, how do I stop the form from getting sent if JS is also disabled ?
Even if javascript is enabled, you still must do server side validation to protect your data and its integrity.
Someone can easily just view the html source and get the url of the form processing script from the form’s action attribute. They can then send whatever data they like to the form processing script, as a GET or POST, without even opening the page containing the html form.
Bottom line: always do server side validation. Client side validation (javascript) is optional.
Any form validation done using JavaScript is there only for the convenience of the person filling out the form so as to save them having to wait until they submit the form to find out they entered everything wrong.
The real validation of the form always needs to be done on the server as if you don’t validate the data when you first receive it on the server you have no way of telling what it contains (as it need not have even come from your form).
You need to run the validation in your php code as well. If it does not validate, let the user know just like you do with the redirect to the thanks page.
Hi guys,
Just sorted the issue and now put in place the following, which now stops the user from submitting the form when JS has been disabled: (domain to try out for yourself and prove me wrong is www.bfdesigns.co.uk )
/*Redirects the user to the error page if JS is disabled and the form is submitted*/
if(empty($firstname))
{
header('Location: error.html');
exit();
}else
{
/* Redirects the visitor to the thanks page */
header('Location: thanks.htm');
exit();
}
What if something other than the first name is missed out?
Server-side validation MUST be mandatory, and client-side validation SHOULD be used too.
First and foremost has to be the server-side PHP validation. Without that, people can cause any strange types of things to happen with your server-server-side script.
Nothing can stop all spam or abuse, but you can make it more difficult for automatic abuse to occur.
At a minimum, you should ensure that required values are present, and that values are within range of how they’re going to be stored. That means that the inputs need to be sanitized, and then validated. You can read more about this side of things in the PHP tips article about Handling Input and Output
To deal with spammers, there are some easy Captcha’s (Completely Automatic Public Turing test to tell Computers and Humans Apart)
One of my favorites is reCaptcha
I must admit Im not a fan of reCaptcha as I do sometimes struggle to read the words you have to type in whenever I come across these on sites.
From that I try to put myself in the shoes of an everyday user, who probably wouldnt stick around to submit a form and move on to the next site.
Going slightly off topic, I know from previous posts you have replied to, you are abit of a whizz with the old Palavascript :-), so can you possibly recommend any upto date books for beginners on JS and or PHP, I have bought the latest JavaScript and Ajax for dummies by Andy harris, but I need more ?
Another layer of protection you can use is an API that checks through all the currently logged spams and bots in the world which is updated daily, a friend and I made a mod for this and so far it has proven to be a 100% success against fighting spammers and bots.
Cheers to Sgtlegend for the link, do you want all my blocked email address`s from my hotmail account, must have close on 700
Also thankyou to Paul for the book links, will definately make sure I got through them all and blow some hard earned cash.
This question kind of goes to anybody and everybody, should I tackle Javascript and get that under my belt before I start on PHP ? or, should I do both at the same time, will the one help me to undertand the other ?
Im in a need to grasp the basics of both as quickly as possible.
You would be better off learning about PHP first. When it comes to computer security, server-side security is vitally important, compared with JavaScript which is primarily for providing an improved experience for the user.
There’s no point focusing on JavaScript first if you’ve left the server insecure and wide open to exploitation. So my advice is PHP first, and then JavaScript.
Even better might be to employ someone to do parts of the job for you who already knows about what dangers to protect against, but that’s a different topic.
Since in this case you have an instant need for server side processing, I agree with paul wilkins and you should tackle learning php first since javascript validation is optional, but obviously advisable from ux point of view.
But if you were learning website development without a particular project to work on at the same time then I would suggest learning javascript first before php in order to make your web pages interactive and/or functional without having to submit data or to actually redirect to another url. Then when you have a reasonable grasp of html, css and javascript, you could tackle learning php.
