If I have a form, say a simple contact me form with inputs for name, email, message, etc. And I have the form set to submit using Ajax after the JavaScript validation has returned true on all inputs.
Do I still need to validate the inputs using PHP? If JavaScript is turned off, how could the form still submit? And if the form can't submit because the JavaScript is off, how could that cause any harm?
Of course you need server-side validation! :-)
It's always needed.
Just install this add-on: https://addons.mozilla.org/en-US/firefox/addon/tamper-data/.
It lets you freely modify what goes to the server.
Also, Firebug lets you modify what the browser sees, therefore submits to the server.
Here is an analogy: banks have locks on their safes. But they also have security cameras, and alarm systems, in case the locks fail to stop someone from stealing.
EDIT:
If you are using a contact form (and the script automatically email the person contacting), keep in mind that someone could make your script send 1000's of spam messages, simply by adding addresses to the email field.
To avoid this, you need to do server-side validation. You simply cannot rely on client-side validation.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With