
Is it smart to do some form validation through Javascript before submitting?

I really like the idea of validating forms client-side before doing so server-side. If the client's validation passes, I can use Javascript to submit the form.

However, I have heard that some specialized browsers, like browsers for the visually impaired, don't support Javascript. Therefore, those users won't be able to submit my forms. Should I therefore avoid what I just thought of doing, or is it alright?

EDIT: (In response to answers): I guess I didn't explain that, but I was planning on doing server-side validation in addition to client-side. Sorry!

Thanks

Javascript is a nice touch to validation. It lets the user know right away that something is wrong, plus it minimises potential calls to the database.

If there are browsers out there that disable javascript for accessibility reasons, you shouldn't worry too much. That's what the server-side checking helps with.

So you should use both, and test with javascript turned on or off. NEVER use javascript as a sole validator - you could just turn javascript off in your browser and the POST data would go through!

You should do both client-side validation and server-side validation. Everything you catch with client-side validation is an opportunity to improve the user experience for your users and tell them exactly what is missing or wrong before they submit the form. If, for any reason, javascript is not enabled, you will still validate on the server (as you always should) and can return errors through the form response from the server if you have to.

So, it's always a good idea to use client-side validation if available.

Is client-side validation smart? Yes, clean input is better for performance than input that will error out.

Great UX? Yes, it's important for a user to get quick, relevant feedback.

Safe? No. Not at all. Hackers don't use your interface to hack your site.

More and more browsers can be site-selective about running JS.

Lastly, if you are concerned about equal access, your best bet is to build accessible versions of the site.

Client side validation often improves user experience, as the user can immediately see whether his data is valid or not.

If it is some simple validation, like pattern matching or length checking for passwords, definitely do it. But of course it is not a substitution for server side validation, it is not a security means in any way. Never trust user input.

Integrate the client side validation in an unobtrusive way, so that form submission still works if JS is turned off.

"Both And" is the answer. Validate client side as a convenience and as a way to better the user experience, but you should always validate server side.

Browsers without JavaScript won't execute the JavaScript at all, so they will still be able to submit your form. Don't worry.

Client side validation is done by intercepting the normal submit event and returning true or false based on whether the form is valid. In this way, when javascript is not enabled, the submission is not intercepted and proceeds as normal.

It is one of the easiest things to degrade gracefully, fortunately :)
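The pattern the answers above describe, as an added example that is not part of any of the original posts: one rule set is used by a submit interceptor in the browser and again by the server on every POST, so a request sent without the browser form is still rejected. The field names, rules, status codes and the `/welcome` path are assumptions made for illustration.

```javascript
// One rule set, used twice. Field names and limits are assumptions for this example.
function validateSignup(fields) {
  const errors = {};
  const email = String(fields.email ?? "").trim();
  const password = String(fields.password ?? "");
  if (!/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(email)) {
    errors.email = "Enter a valid e-mail address.";
  }
  if (password.length < 12) {
    errors.password = "Use at least 12 characters.";
  }
  return errors;
}

// Browser side: intercept submit and cancel it only when the input is invalid.
// With JavaScript disabled this never runs and the form posts to its action URL.
function enhanceForm(form, showErrors) {
  form.addEventListener("submit", (event) => {
    const errors = validateSignup({
      email: form.elements.email.value,
      password: form.elements.password.value,
    });
    if (Object.keys(errors).length > 0) {
      event.preventDefault(); // no request is sent; the user gets feedback at once
      showErrors(errors);
    }
  });
}

// Server side: runs on every POST, whatever the client did or skipped.
// rawBody is the application/x-www-form-urlencoded request body.
function handleSignupPost(rawBody) {
  const fields = Object.fromEntries(new URLSearchParams(rawBody));
  const errors = validateSignup(fields);
  if (Object.keys(errors).length > 0) {
    return { status: 422, errors }; // re-render the form with these messages
  }
  return { status: 303, location: "/welcome" }; // only now store the data
}

// Constructed sample bodies: the first is what arrives when the client check is skipped.
function demo() {
  return [
    handleSignupPost("email=not-an-email&password=short"),
    handleSignupPost("email=user%40example.org&password=correct-horse-battery"),
  ];
}
```

In a page, `enhanceForm(document.querySelector("form"), render)` attaches the interceptor, where `render` is whatever function displays the messages.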

Not sure we can say it's smart to handle form "control" before submitting: this is "only" client comfort, as these controls... are just not valid from the security standpoint. So this is adding coding efforts for no added value from the security perspective. But this is adding effort for client comfort. And THIS is smart.

The simple way: No client-side control at all, only server side. No need that js is enabled on the client-side.
This is the point that shall be always enabled and full security valid.

The intermediate way: Implementing the simple way and adding some javascript "controls" on top, "hand coded" or using js libraries. This is the fastidious way as this is adding a layer on top of the existing server core code, and generally means some server-side code changes or refactoring. So this is the worst way according to me. But this is a good way to learn and understand the client-server exchanges. Painful but useful.

The best way: Base all your efforts on server-side validation but make sure, from the coding starting point, to be able to embed also the "nice to have", e.g. the client-side nice "controls". Which means you have to think of your code architecture before starting writing any line. How to do that? Use Ajax coded forms on the server side. Which suggests the way of coding ideally with specific PHP form classes. For example, ZendFramework is providing such kind of possibilities using either dojo or jQuery.

It's always better to have "Cleaner" data passed into the server. Prevents errors and malicious data.
