Should I re-validate form inputs in php that are already validated in javascript

Question

I understand that javascript validations only serve a purpose for the client side and to keep vulnerabilities out of the server side and I need to validate the security of the inputs in php.

I have already validated what types of inputs a user can input in the form from the client side (using javascript) like the following example:

if(/^([\w-]+(?:\.[\w-]+)*)@((?:[\w-]+\.)*\w[\w-]{0,66})\.([a-z]{2,6}(?:\.[a-z]{2})?)$/i.test(document.getElementById(idName).value)){
    return true;
}else{
    return false;
}

And I have already tested done the following tests on the form inputs in php:

$fname = $lname = $saddress = $city = $state = $zip = $email = "";
if ($_SERVER["REQUEST_METHOD"] == "POST") {
    $fname = test_input($_POST["fname"]);
    $lname = test_input($_POST["lname"]);
    $saddress = test_input($_POST["saddress"]);
    $city = test_input($_POST["city"]);
    $state = test_input($_POST["state"]);
    $zip = test_input($_POST["zip"]);
    $email = test_input($_POST["email"]);
}

function test_input($data) {
    $data = trim($data);
    $data = stripslashes($data);
    $data = htmlspecialchars($data);
    return $data;
}

Do I need to also re-validate using regex what type of inputs a user is able to input in the form AGAIN in the php? Or using htmlentities is sufficient on the server side while using regex validations on the client side?

Any information is much appreciated!

Thanks, Al

Answer 1

Always validate everything in the server side. Since everybody can change your javascript client code through the browser using tools like Findbugs, or Chrome tools, it isn't secure to validate only in Javascript.

What you validates at the client side is only to give a better experience to the user.

Answer 2

What you need to be considering is fall back - what if the user turns off JavaScript? I have had occasions where I have provided a neat piece of Jquery to resolve an issue - only for it to not function for intermittent clients.

You should always sanitize form inputs coming in on the server side. Otherwise you could easily leave yourself open to vulnerabilities.

PHP's filter functions can help you with filtering / sanitizing input: http://php.net/manual/en/book.filter.php

As for regex - consider if you need to on the server side, it has a high overhead that you might not need - as long as you are sanitizing the input and handling all possible errors.

Answer 3

You should always validate inputs on the server side regardless of what validations you have on the client side. The user can technically send anything to your server and do some SQL injections or otherwise send bad or unallowed data.

Use javascript only to help the user fill in the right things (like, immediately notifying them if they have entered an invalid email address).

Answer 4

Yes you must done server side validations. you cannot trust JavaScript validations. Because javascript is run within the browser. So user will get control over it. Also javascript can be disabled on browsers. In such cases it will skip validations. A simple example i have seen many people use something like this

 <form  name='frm' onSubmit='return validate();'>

With an inspection tool it is possible to change this to

<form name='frm'>

Then it will skip the client side validations.

It will take bit more time for (client + server) validations. but still when you consider security it doesn't matter.

Answer 5

正如其他答案中所提到的，用户可以轻松绕过JS验证并直接发布到服务器，只要在服务器端验证表单，它将为您节省一些代码，但同时您需要备用更多服务器资源。

Answer 6

Yes you use server side validation to validate input also. Please tell me which field you want to validate on server.