Comments on: Do not use javascript for validations

By: Dan

Dan — Mon, 01 Dec 2008 14:45:48 +0000

@defaultCharacter Unfortunately, I could'nt give you links to article about server-side validations because there are hundreds of ways of doing that. Maybe you could take a look at Ruby On Rails and its validation module.

By: defaultCharacter

defaultCharacter — Sat, 29 Nov 2008 19:36:42 +0000

Hey all!

Thanks for providing me more clues on how to keep spam from getting sent through my web site form. It was a little freaky seeing how easy it was to input whatever and send to my server using Craig Francis’ tool!

Okay. So you’ve all made your point. Now I have a question (from a relatively green person): How can I do server-side validation? Any samples or articles? Obviously, I’m going to be googling this later, but if you have any comments, that would be GREATLY appreciated.

By: Dan

Dan — Thu, 24 May 2007 13:25:57 +0000

@Rick and Nater
I know it should have been “Do not rely…” but the problem is that title has low-impact. I’ve seen a lot of people using javascript as the only validation and I wanted to catch these people.

So, I won’t change the title and I hope that they will understand what I mean.

By: BK

BK — Thu, 24 May 2007 13:08:41 +0000

Subtilities of the language!

By: Rick Fletcher

Rick Fletcher — Thu, 24 May 2007 05:49:06 +0000

I’m with Nater, completely. Your headline shout have read “Do not rely on javascript…” instead of “Do not use javascript…”

By: Nater Kane

Nater Kane — Fri, 18 May 2007 20:18:11 +0000

The idea of client-side validation being secure is something that isn’t even worth discussing…
the benefits of the double check are very simple and with many common/popular server-side languages, the logic for front and back end should be very similar.
1) if the user fails clientside validation, you save having to make a round trip to the server, and the user may be shown a descriptive and contextual error/response message so they may correct the non-valid data. if they pass clientside validation, only then the data is passed to the server for the second validation.
2) isn’t that good enough of a reason? a quality and humane user experience should come a close second to application security.

By: Do not use Javascript for validation - Ej.am Forums

Do not use Javascript for validation - Ej.am Forums — Sat, 28 Apr 2007 14:02:00 +0000

[...] no doubt, and I use it heavily. But the following article has given me a lot to think about. Do not use javascript for validations | Javascript Kata Please share your [...]

By: All in a days work…

All in a days work… — Fri, 27 Apr 2007 11:24:08 +0000

[...] Do not use javascript for validations Javascript is not secure. Your code is readable and it can be modified by anyone. It is great when you want to do a bookmarklet. It is not so great when you want to have a hard as a rock web application. (tags: JavaScript Date/Time) [...]

By: BK

BK — Thu, 26 Apr 2007 21:43:53 +0000

If you want a real world example, simply look here:
http://www.boingboing.net/2005/07/28/microsoft_genuine_ad.html

By: Dan

Dan — Thu, 26 Apr 2007 17:39:39 +0000

@Timo
When I say that Javascript is not secure, I really mean it. Remember the validateDate() function in the post? To bypass it, anyone could write this in the address bar of their browser :

javascript:validateDate = function(theDate) { return true; }

and it the function would be overwritten to always return true.

That’s what I mean when I say that it’s not secure.