Server side validation..display the messages or not

I have written a series of validation checks in the backend.
My question is if the errors produced must be sent to the client…let me explain.

My app works only with javascript enabled…if the user has not enabled it, the app will not work and no data will reach the server from the client…of course client side validation has been implemented, which a legit user will not try to bypass…which leads us to the second case.

A hacker tries to bypass client-side validation…and server side validation errors are triggered.
Is there a point in informing the hacker about these errors…or should I just log them?

It doesn’t mean you’re getting a hack if a person is registering with JavaScript disabled. There may be valid reasons for JavaScript to be disabled, for example some businesses don’t like JavaScript so they disable it, or a person with a disability might have it easier if JS is disabled. I’m in the process of writing a registration script where the validation works with or without JavaScript and it outputs the appropriate messages to the user if something fails validation. Graceful Degradation. I also wouldn’t 100 percent trust JavaScript validation for the very reason it can be bypassed.

Client-side validation is purely for the convenience of the user - allowing them to fix errors before submitting. There are all sorts of legitimate reasons why they might have it turned off.

Server side validation is THE validation for the form - it should ALWAYS provide error messages where the inputs are invalid as how else is the user expected to know what they typed in wrong… You should start by disregarding whether the JavaScript validation has run or not as at least some of your legitimate users will have it turned off.

As an example - to use this forum I sometimes have to turn JavaScript off and on in mid post as the JavaScript the forum uses doesn’t function properly in all browsers.


What felgall said! :thumbsup:

Valid question, but it’s all about server-side validation.

Don’t cut corners.

If there is an error on the server side, communicate that to the user - friend or foe.

I want to mention one last thing…there is a category of errors related to prepared statements:

    if ($stmt->errno !== 0) {
        // execute() on the prepared statement failed: report and abort
        printf("Error-execution failed : %s.\n", $stmt->error);
        return false;
    }

The above code is triggered when the execution part of the prepared statement fails…so my question is how the client (JS) can detect such an error?

I cannot json_encode the above code…
What code must reside in JS to detect the above?

The message that might come from the server might be this:

<b>Warning</b>:  mysqli_stmt::bind_param(): Number of elements in type definition string doesn't match number of bind variables in <b>C:\Apache24\htdocs\Appointments\Administrator\admin_db_code.php</b> on line <b>246</b><br />
Error-execution failed : No data supplied for parameters in prepared statement.

What conditional must I code in the client to detect such an error…

I hope I was clear.
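An added example, not code from anyone in this thread, showing the pattern the replies recommend and the client-side conditional the follow-up asks for. The server side is written in JavaScript here to stand in for the PHP handler; the field names, the validation rules, the `dbFailure` hook and the `{ok, errors}` response shape are all assumptions made for the example. The server validates every submission regardless of whether the browser ran JavaScript, answers with a structured JSON body and an HTTP status the client can branch on, and keeps the raw prepared-statement error (file paths, bind_param details) in its own log rather than in the response. The client then distinguishes validation errors, generic server errors and unexpected non-JSON bodies such as a leaked PHP warning.

```javascript
// Added example (not from the thread). Server-side validation is THE
// validation; it returns structured errors the client can detect.
// Field names, rules and response shape are assumptions for this example.

// --- server side (stand-in for the PHP handler) ---

// Validate a registration payload. Runs whether or not the browser had
// JavaScript enabled: client-side checks are only a convenience.
function validateRegistration(input) {
  const errors = {};
  const username = String(input.username ?? '').trim();
  const email = String(input.email ?? '').trim();
  const password = String(input.password ?? '');

  if (!/^[A-Za-z0-9_]{3,32}$/.test(username)) {
    errors.username = 'Use 3-32 letters, digits or underscores.';
  }
  if (!/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(email)) {
    errors.email = 'Enter a valid email address.';
  }
  if (password.length < 12) {
    errors.password = 'Password must be at least 12 characters.';
  }
  return errors;
}

// Simulated persistence step standing in for $stmt->execute(). The
// `dbFailure` flag is a constructed hook so the "execution failed" path
// can be exercised without a real database.
function saveUser(input, dbFailure) {
  if (dbFailure) {
    throw new Error('No data supplied for parameters in prepared statement.');
  }
  return { id: 42, username: input.username };
}

// Build the HTTP reply as {status, body}. Validation failures are 422 with
// per-field messages (shown to friend and foe alike); an internal failure
// is 500 with a generic message, and the real error text goes to the
// server log only.
function handleRegistration(input, opts = {}) {
  const log = opts.log ?? (() => {});
  const errors = validateRegistration(input);
  if (Object.keys(errors).length > 0) {
    return { status: 422, body: JSON.stringify({ ok: false, errors }) };
  }
  try {
    const user = saveUser(input, opts.dbFailure);
    return { status: 201, body: JSON.stringify({ ok: true, id: user.id }) };
  } catch (e) {
    log(`registration failed: ${e.message}`); // detail stays server side
    return {
      status: 500,
      body: JSON.stringify({ ok: false, error: 'Internal error, please try again later.' }),
    };
  }
}

// --- client side (the conditional the follow-up asks about) ---

// Classify a response. The body may be the JSON the server is designed to
// send, or an unexpected non-JSON fragment (e.g. a PHP warning leaking
// HTML); both cases must be handled rather than assumed away.
function classifyResponse(status, bodyText) {
  let data;
  try {
    data = JSON.parse(bodyText);
  } catch (_) {
    return { kind: 'unexpected', status };
  }
  if (status === 422 && data && data.ok === false && data.errors) {
    return { kind: 'validation', errors: data.errors };
  }
  if (status >= 500 || (data && data.ok === false)) {
    return { kind: 'server_error', message: (data && data.error) || 'Request failed.' };
  }
  if (status >= 200 && status < 300 && data && data.ok === true) {
    return { kind: 'success', id: data.id };
  }
  return { kind: 'unexpected', status };
}
```

In a real deployment the PHP handler would set `Content-Type: application/json` and the matching HTTP status code, and the browser code would call `classifyResponse(response.status, await response.text())` after `fetch()`; the `unexpected` branch is what catches the kind of `<b>Warning</b>` fragment quoted above, so the user sees a generic failure message while the detail is only in the server log.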
