--- Peter Vertes <[EMAIL PROTECTED]> wrote:
> Just to play devil's advocate; why would you validate data on the
> server if you have a JavaScript that checked the user's input before
> it gets submitted to the server? I mean the whole point of you having
> that JavaScript is to make sure the correct data gets entered so
> why bother checking it once again on the server-side with PHP?
> Wouldn't that be redundant and a waste of resources?

The redundancy is in performing client-side validation, because you should
never consider server-side validation as optional.

Aside from the obvious fact that people can (and should be able to) turn
off any client-side scripting, an attacker can do things far more
sophisticated, to the point of writing a specialized Web client
specifically to attack your site.

When you receive a POST request, it will look something similar to this:

POST /path/to/script.php HTTP/1.1
Host: example.org
Content-Type: application/x-www-form-urlencoded
Content-Length: 35
Connection: close

first_name=chris&last_name=shiflett

That's it. This may have resulted from the user submitting the following
HTML form:

<form action="http://example.org/path/to/script.php" method="post">
<input type="text" name="first_name" />
<input type="text" name="last_name" />
<input type="submit" />
</form>

You really can't tell what form was used on the receiving site, right? In
fact, you can't even be sure that the user used a form at all. As an
example, people ask on this list about performing a POST with PHP at least
once a week. PHP doesn't need to use an HTML form for this; it just sends
a request similar to the above (see
http://shiflett.org/hacks/php/http_post for an example).

The point is that the client decides what it sends, not you. If you want
to think about security, you have to get rid of the assumption that your
users will all use your site exactly as you intend. As I mentioned before,
client-side checking is basically like saying, "User, can you please send
me a username only if it is less than 10 characters in length and
alphanumeric only?" Someone attacking your site is not going to abide by
your requests.

Hope that helps.

Chris

=====
Chris Shiflett - http://shiflett.org/

PHP Security Handbook
     Coming mid-2004
HTTP Developer's Handbook
     http://httphandbook.org/

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

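As an added example (not part of Chris's message or the list archive), here is the server-side PHP check the reply argues for, applied to the two fields of the POST body shown above. The function names and the "alphanumeric, fewer than 10 characters" rule borrowed from the username remark are this example's own assumptions.

```php
<?php
// Added example, not from the original message: server-side validation of the
// first_name / last_name fields. The rule (alphanumeric, under 10 characters)
// is the one the reply describes for a username; helper names are assumed.

/**
 * Validate one field of a $_POST-style array. Returns the clean value or null.
 * Every check is needed regardless of any JavaScript on the form: the client
 * may omit the field, send it as an array (first_name[]=a&first_name[]=b),
 * or send any bytes it likes.
 */
function clean_name(array $post, string $field): ?string
{
    if (!isset($post[$field]) || !is_string($post[$field])) {
        return null;                       // missing, or sent as an array
    }
    $value = $post[$field];
    if (strlen($value) >= 10) {
        return null;                       // length rule: fewer than 10 bytes
    }
    // ctype_alnum() rejects the empty string and anything outside [A-Za-z0-9]
    if (!ctype_alnum($value)) {
        return null;
    }
    return $value;
}

/** Validate the whole request; returns [clean values, error messages]. */
function validate_name_form(array $post): array
{
    $clean = [];
    $errors = [];
    foreach (['first_name', 'last_name'] as $field) {
        $value = clean_name($post, $field);
        if ($value === null) {
            $errors[] = "$field must be 1-9 alphanumeric characters";
        } else {
            $clean[$field] = $value;
        }
    }
    return [$clean, $errors];
}

// Constructed sample bodies: what the HTML form sends, and what a hand-written
// client might send instead. parse_str() decodes them the way PHP fills $_POST.
parse_str('first_name=chris&last_name=shiflett', $normal);
parse_str('first_name[]=x&last_name=' . rawurlencode('Shiflett, Chris'), $crafted);

[$ok, $errs] = validate_name_form($normal);    // both fields accepted, no errors
[$ok2, $errs2] = validate_name_form($crafted); // nothing accepted, two errors
```

In a real handler the arrays come from `$_POST` rather than `parse_str()`; the checks are the same either way, because the server never learns which form, if any, produced the request.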