In my signup page, I do validation using both JavaScript and PHP.
However, people can see my JavaScript validation functions by viewing the source of the web page. It contains input fields names, ids etc.
So, is it safe that anybody can see them ?
Client side validation is NOT secure because it can easily be hacked. It is for user convenience only. For example, in response to client-side validation, the user can fix mistakes before the form is submitted. That saves the user time, and they appreciate your site.
While client-side validation is faster and favors user experience, it should not be used in isolation because client-side validation relies on the browser (which can be tricked). Client-side validation should always be used along with server-side validation as the latter is more reliable.
Data validation is the process of ensuring that user input is clean, correct, and useful. Typical validation tasks are: has the user filled in all required fields? has the user entered a valid date? has the user entered text in a numeric field?
When you enter data, the browser and/or the web server will check to see that the data is in the correct format and within the constraints set by the application. Validation done in the browser is called client-side validation, while validation done on the server is called server-side validation.
The validation functions you've quoted don't reveal any information that it seems like you need to keep secret (quite the opposite, actually, telling people what is and isn't required is useful and could make its way to the UI). So they're "safe" in that they don't reveal anything confidential.
If you have validation functions that use information or techniques that you want to keep secret, you'll need to move them to the server, as they wouldn't be "safe" as they'd be revealing confidential information.
You can make it harder for people to understand your client-side validation functions by using an aggressive minifier/obfuscator, such as Google Closure Compiler in advanced mode. But you can't make it impossible: If the browser can read the code, people using the browser can read the code.
And just because we're talking about client-side validation, the usual warning: Even though you're validating client-side, you still have to validate server-side. Users can bypass your client-side code and send in invalid information.
It is safe since your code is reflecting the actions on your page. When you define a max length on your code, you show that to your users by providing some UI and messages. Nothing secretive here, so that's ok.
Also, when you move to production from development, you should consider minifying and obfuscating your javascript code to hide your sensitive code from praying eyes. That way you save on bandwith, and add an extra layer of security for your application.
The JavaScript validation part is not really that much of a security concern because users cant modify or misuse anything if they get pass it but it's the PHP validation that you should be careful with as if compromised, can allow a user to access your database (if your form is linked with your db of course).
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With