#1
  1. A Change of Season
    Devshed Frequenter (2500 - 2999 posts)

    Join Date
    Mar 2004
    Location
    Nobbies beach, Gold Coast. It's beautiful.
    Posts
    2,575
    Rep Power
    171

    Is it safe to validate a form with jQuery?


    Can I rely on this?

    javascript Code:
        $('#save_now').click(function () {
            var value = $('#template_name').val();
            if (value.length < 2 || value.length > 35) {
                alert('Please select a name between 2 and 35 characters for this template');
            } else {
                $("#template_form").submit();
            }
        });
  2. #2
  3. Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Oct 2009
    Location
    Jakarta, Indonesia.
    Posts
    184
    Rep Power
    31
    if (safe == secure && jQuery == javascript) will always return true I guess, so IMO... NO that won't be safe
  4. #3
  5. --
    Devshed Expert (3500 - 3999 posts)

    Join Date
    Jul 2012
    Posts
    3,921
    Rep Power
    1045
    Hi,

    if you mean "safe" in the sense of: You'll never get names shorter than 2 characters or longer than 35 characters, the answer is no.

    I think there's a general misunderstanding. All your HTML and JavaScript is just data you send to the user. What they do with this data is completely up to them. They might run it in a browser, but they might as well read it with their own eyes. Or they ignore your whole HTTP response.

    And even if they do run it in a browser, that browser is under their control, not yours. They can turn off JavaScript at any time.

    So any JavaScript validation is self-validation: You're kindly asking the user to make sure their data is correct. Maybe they'll do that, maybe not. If you actually want to enforce a certain format, you need to check the incoming data on the server.

    In a nutshell:

    JavaScript validation is a pure usability feature. It helps well-meaning users to correct accidental mistakes. It does not prevent people from sending you garbage data. Also note that many people have JavaScript disabled by default, so they might not even see the error message.

    Server-side validation is a way to enforce a certain data format. It does not prevent people from lying, though.

    Most of the time, you'll want both.
    The 6 worst sins of security • How to (properly) access a MySQL database with PHP

    Why can't I use certain words like "drop" as part of my Security Question answers?
    There are certain words used by hackers to try to gain access to systems and manipulate data; therefore, the following words are restricted: "select," "delete," "update," "insert," "drop" and "null".
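
The server-side check described in the last answer, as an added example that is not part of the original thread. It re-applies the 2 to 35 character rule to the raw form body no matter what the browser did; the field name `template_name` comes from the question, while the function names, status codes and sample request bodies are assumptions made for illustration.

```javascript
// Added example: server-side enforcement of the 2-35 character rule.
// Field name `template_name` comes from the form above; everything else
// (function names, status codes, sample bodies) is assumed for illustration.
const MIN_LEN = 2;
const MAX_LEN = 35;

// Validate the decoded values of the field. Never assume the client check ran.
function validateTemplateName(values) {
  if (values.length === 0) {
    return { ok: false, error: 'template_name is missing' };
  }
  if (values.length > 1) {
    // Repeated parameters: reject instead of guessing which one to use.
    return { ok: false, error: 'template_name sent more than once' };
  }
  const name = values[0];
  // Same rule as the jQuery check: String.length, in UTF-16 code units.
  if (name.length < MIN_LEN || name.length > MAX_LEN) {
    return { ok: false, error: 'template_name must be 2 to 35 characters' };
  }
  return { ok: true, name };
}

// Handle the raw application/x-www-form-urlencoded body of the POST.
function handleSave(rawBody) {
  const params = new URLSearchParams(rawBody);
  const result = validateTemplateName(params.getAll('template_name'));
  if (!result.ok) {
    return { status: 400, body: result.error };
  }
  // Only past this point is it safe to assume the length rule holds.
  return { status: 200, body: 'saved ' + JSON.stringify(result.name) };
}

// Constructed request bodies: the first is what the form sends after the
// jQuery check passes, the rest are what a client without that check can send.
const samples = [
  'template_name=Invoice+2024',
  'template_name=x',
  'template_name=' + 'a'.repeat(36),
  'other_field=1',
  'template_name=ok&template_name=' + 'b'.repeat(500),
];
for (const body of samples) {
  console.log(handleSave(body).status, body.slice(0, 40));
}
```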
