
Form Validation

Posted: Wed Jul 27, 2005 3:36 am
by Ree
Which form validation method do you prefer - PHP or Javascript? Both have cons and pros, but which do you use?

Posted: Wed Jul 27, 2005 4:08 am
by paulng
I prefer JavaScript as it is done on the client and reduces the work that the server has to do. But PHP would be more secure in terms of not revealing information such as email addresses on the web. 8)

Posted: Wed Jul 27, 2005 4:09 am
by bokehman
Javascript is client side. This means super fast validation and that the form will definitely be valid when submitted. PHP validation is done on the server so it will validate input which was not validated because the client had javascript disabled. It also has the advantage of being able to use certain resources like MySQL and others.

Lastly even if you are successfully using javascript for validation you must still validate with PHP for security reasons.

What I don't like is when people do javascript validation with tacky pop up alerts. Personally I would use a hidden div. Then at least it is part of the page.

Posted: Wed Jul 27, 2005 4:13 am
by paulng
bokehman... well explained!! and I agree about the pop up alerts :)

Posted: Wed Jul 27, 2005 6:11 am
by Ree
"What I don't like is when people do javascript validation with tacky pop up alerts. Personally I would use a hidden div. Then at least it is part of the page."
Just could you please explain this part? You don't like popup messages telling 'Email address is invalid'? Why? Also, how do you use that div?

Posted: Wed Jul 27, 2005 6:26 am
by bokehman
Ok Ree! I hate pop up messages because it makes me feel like the webserver is controlling my browser and I am not the one in control. Have a look at my email validation test page. Enter an email address and then jump to the next cell. It checks the email address (onblur) but without a pop up alert. Try it to see what I mean but remember this is only a test so the layout is very basic.

Posted: Wed Jul 27, 2005 7:52 am
by Ree
Yeah, now I see, nice stuff you did on that email validation.

Posted: Wed Jul 27, 2005 8:32 am
by nielsene
As already posted, you ALWAYS have to do server-side validation.
1. Users may have JavaScript turned off
2. Malicious attackers could be directly feeding your server bad data, etc.

The number one rule of defensive web-programming: Never Trust the User! (Or things under his/her control.)

After you have your server-side validation working properly, if you can add on a client side one, that will help responsiveness concerns and is therefore a good thing, just don't rely on it.
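
Added example, not part of any post in this thread: a server-side check in PHP that treats every field as untrusted, whether or not a JavaScript check ran in the browser. The field names (name, email, age), the limits and the sample requests are assumptions constructed for illustration.

```php
<?php
declare(strict_types=1);

/**
 * Validate a submitted form on the server, whatever the browser did first.
 * Field names and limits are hypothetical, chosen for this example.
 * Returns [clean, errors]; use clean only when errors is empty.
 */
function validate_signup(array $input): array
{
    $clean = [];
    $errors = [];
    // A hand-built request can omit fields or send arrays, so check presence and type first.
    foreach (['name', 'email', 'age'] as $field) {
        if (!isset($input[$field]) || !is_string($input[$field])) {
            $errors[$field] = 'missing or not a string';
        }
    }
    if ($errors) {
        return [[], $errors];
    }
    $name = trim($input['name']);
    if ($name === '' || strlen($name) > 100 || preg_match('/[\x00-\x1F\x7F]/', $name)) {
        $errors['name'] = 'must be 1-100 bytes with no control characters';
    } else {
        $clean['name'] = $name;
    }
    $email = filter_var(trim($input['email']), FILTER_VALIDATE_EMAIL);
    if ($email === false) {
        $errors['email'] = 'not a valid email address';
    } else {
        $clean['email'] = $email;
    }
    $range = ['options' => ['min_range' => 13, 'max_range' => 120]];
    $age = filter_var($input['age'], FILTER_VALIDATE_INT, $range);
    if ($age === false) {
        $errors['age'] = 'must be a whole number from 13 to 120';
    } else {
        $clean['age'] = $age;
    }
    return [$errors ? [] : $clean, $errors];
}

// Constructed sample requests; in a real handler the input would be $_POST.
$samples = [
    'browser, JavaScript check passed' => ['name' => 'Ann', 'email' => 'ann@example.com', 'age' => '30'],
    'browser, JavaScript disabled' => ['name' => 'Bob', 'email' => 'not-an-email', 'age' => '30'],
    'request sent without the form' => ['name' => ['x'], 'age' => '-1'],
];
foreach ($samples as $label => $request) {
    [$clean, $errors] = validate_signup($request);
    printf("%s: %s\n", $label, $errors ? 'rejected ' . json_encode($errors) : 'accepted ' . json_encode($clean));
}
```

Only the first sample is accepted; the other two are rejected on the server even though no client-side check ever saw them.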