HTML5: Do I need to validate a webform with both client-side AND server-side or can I just do client-side?

StackOverflow https://stackoverflow.com//questions/21052955

  •  22-12-2019

Question

I have a small contact form created in HTML5 with client-side validation using 'js-webshims'. This form is processed via PHP on the server. However, I do not have server-side validation. Only client-side validation through HTML5.

My question: Can I only do client-side validation with HTML5 and the 'js-webshims' polyfill or do I need to also do server-side validation?

Thank you.

Solution

Ideally, you will want to do validation on both sides. Client side so the user knows if what they are submitting is valid, and server side so you can process it before putting it where it needs to go.

Use this as a rule of thumb though... if it is client side, the client can change it before submission.

Other tips

You always need to do server side validation.

Everyone can simply make a post/get request to your server without using your form.

Never trust input from any source. Always validate server side.

First rule: Never trust any data!

Second: Anything on the clientside can be simply tricked.

Third: Do not trust any rule which uses expressions like absolutely mandatory, always or never. (Yes, this is equal and an antagonism to the first rule at the same time)

(Please never ever blindly follow rules in your life!!!)

It depends on what you need and what you want to achieve. Clientside validation minimizes bad input made by real users and helps the owner of the site to minimize wrong data in his database. But it does not prevent a program from submitting malformed and/or abusive data. To prevent SQL injections or similar attacks you need some kind of server side validation. But also a serverside syntax validation doesn't prevent a user or program from submitting wrong data with the right syntax.

So if syntax validation is a security issue, serverside validation is needed.

Note: I don't really like my answer and upvoted Justin E's one. But all other answers are a little bit biased. Hope someone else hits the nail. :-D

Server side validation is absolutely mandatory. Client side is more of a convenience feature / improved UX for the user.

Always use server side validation. Front end validation is easy to disable, and someone could send data without your form to get bad data in your application (ajax, curl....).

Front end validation is only good for usability.
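
The server-side re-check the answers above call for, sketched for a PHP contact form like the one in the question. This is an added example, not code from the question or from any of the answers; the field names (`name`, `email`, `message`), the length limits and the function name `validate_contact_form` are assumptions.

```php
<?php
declare(strict_types=1);

// Field names and maximum lengths (in bytes) are assumptions for this example.
const CONTACT_RULES = ['name' => 100, 'email' => 254, 'message' => 5000];

/**
 * Re-check a contact form submission on the server, whatever the browser did.
 * Returns ['clean' => accepted fields, 'errors' => rejected fields with reason].
 */
function validate_contact_form(array $input): array
{
    $clean = [];
    $errors = [];

    foreach (CONTACT_RULES as $field => $maxLen) {
        $value = $input[$field] ?? null;
        // A hand-built request can omit a field or send it as an array (name[]=x).
        if (!is_string($value)) {
            $errors[$field] = 'missing or not a string';
            continue;
        }
        $value = trim($value);
        if ($value === '' || strlen($value) > $maxLen) {
            $errors[$field] = "must be 1 to $maxLen bytes";
            continue;
        }
        $clean[$field] = $value;
    }

    // Single-line fields must not carry line breaks or other control characters.
    foreach (['name', 'email'] as $field) {
        if (isset($clean[$field]) && preg_match('/[\x00-\x1F\x7F]/', $clean[$field])) {
            $errors[$field] = 'control characters not allowed';
            unset($clean[$field]);
        }
    }

    // Same syntax rule the HTML5 type="email" check aims at, enforced server-side.
    if (isset($clean['email']) && filter_var($clean['email'], FILTER_VALIDATE_EMAIL) === false) {
        $errors['email'] = 'not a valid e-mail address';
        unset($clean['email']);
    }

    return ['clean' => $clean, 'errors' => $errors];
}

// Constructed sample: a request sent without the form, so no HTML5 check ever ran.
$result = validate_contact_form(['name' => ['x'], 'email' => 'not-an-address']);
var_dump($result['errors']);
```

In the real handler the function would be called with `$_POST`, and only the values in `clean` would be passed on to mail or database code.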

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow