Javascript or PHP validation?

ATLien · 04-23-2006, 09:20 PM

I am doing some form validation on my new site, and so far I have done php validation, but I was thinking of doing javascript to save the load time that comes with the php validation.

Do you think javascript form validation is enought, or would you suggest I do both just incase users disable javascript?

JamieJelly · 04-24-2006, 03:24 AM

what kind of form fields are you validating?

You could use some DOM scripting and validate on the fly for fields such as valid telephone numbers, post (zip) codes, email addresses which would really be the most useful of javascript implementations, coupled with PHP validation for those with js disabled or unavailable.

kyleposey · 04-24-2006, 06:53 AM

Unless you are doing some really complex PHP coding, or doing some File I/O, there shouldn't be any load time difference.

However, not having any server-side validation will open you up to automatic bot submissions, and user errors for users that disable javascript.

ATLien · 04-24-2006, 10:06 AM

As of right now, I have a form with image verification for bot prevention, and php server side validation. I am going to add javascript verification to make the validation alittle more understandable for the non computer savy users.

kyleposey · 04-24-2006, 11:35 AM

Why not just display the error messages with PHP? Then the user can see the error messages and take them into consideration while they are filling out the form.

**LazyJim** · 04-24-2006, 12:01 PM

I use JS but still have PHP backup

Need JS?
JS enables validation-as-you-type and other tricks with the potential to enhance the user experience. However you must be careful to ensure you only help and don't hinder!

Need PHP?
It depends how important the validation step is - as in what are the consequences of invalid or malicious data entry?
In most cases PHP validation will be required, you can incorporate this into any data processing steps you have in the PHP page if you think it will help speed it up.
Don't be tempted to use generic error messages, be as helpful as possible.

So in summary
In terms of power and flexibility, JavaScript has the best potential for helping users fill in forms (correctly). But PHP verification is usually required regardless
Remember any 'hacker' could POST any name=value data to any script, it's not limited to the form input elements and you can't rely on disabled/hidden input elements not being modified either.

veridicus · 04-25-2006, 01:26 PM

You need to use PHP validation if you want to ensure good input data. It's the only way to properly validate.

You can use JS validation for usability. For example, you can check password length right after the user types it in for a quick message. But you still need to check the input in PHP because bots and others can easily bypass the JS.

kyleposey · 04-26-2006, 06:40 AM

(you guys forgot that he has image verification to thwart off bots...but good points nonetheless)

ATLien · 04-26-2006, 09:56 AM

I think I am just going to go full up with both php and javascript. I am also looking into some Ajax verification tools too. So we will see how it goes.

MrMean · 04-28-2006, 02:44 AM

Although I should practice what I preech I would recommend using both. Several reasons for this.

The benifit of JS validation is its "on the page" therefore it does save the user pressing the dreaded back button and loosing what they've just typed out, in most cases anyway.

However using JS alone is a security risk to your website. You don't want people posting any & everything surely! It would be easy to flood submissions without PHP Authentication.

kyleposey · 04-28-2006, 06:31 AM

In an elegant PHP solution, the user never has to hit the back button, is displayed helpful error messages, and has the form pre-filled with the previously submitted values.

ATLien · 04-28-2006, 01:23 PM

That is how I do it. I list the errors on the form, with with the submitted data already filled in excluding the password, I unset that.

Lev · 04-28-2006, 09:01 PM

I think PHP validation is really best because some people have javascript disabled. If you are doing something fairly complex, then you can use both.

kenkam · 05-20-2006, 10:02 PM

I agree with LazyJim.

If you had JS on your site I could disable it on my browser and happily POST to your application.

JS is there to help the user. It is intended to give the client a richer interface. Some nice pointers to make it more user-friendly. You definately should not use it for validation if it is anything slightly more than trivial. PHP validations makes sure that it is probably done. There's no client-side validation that is secure. It is all server-side that does the best work in validation.

Summary - if the data more than trivial - use server side validation (PHP)

explicitzone.com · 01-20-2007, 10:34 PM

Izzmo · 01-22-2007, 01:44 PM

Both, it is always good to be using both, just in case one doesn't work.

With most Ajax applications, if the user has disabled Javascript, then sometimes the PHP script will not work properly. That's the only problem I have, but then again, I just use them both whether the user has JS enabled or not.

Paul M · 01-22-2007, 01:52 PM

You must do php validation on the server side, whether you use JS as well on the clientside is personal choice. Relying on clientside validation only would be asking for serious trouble.

Izzmo · 01-24-2007, 12:53 PM

Ahh.. you make some good points Paul

w00t - You are over 100 posts (finally)

gastongr · 01-24-2007, 05:11 PM

JavaScript is good to speed up the process but it should always be backed with server side validation as it's easy to bypass.