So is it safe to validate form on client-side only?

Question

Of course, I know that server-side validation is a MUST.

I'm using jQuery to validate form inputs and using jquery ajax to do server-side(PHP) validation at the same time. So I guess it may be safe since it's validating for both sides while javascript is enabled.

Well, here is my problem...

But what if the user has javascript disabled on his browser and if some bad guys try to do something bad from editing my client-side script?

Because i'm making server-side validation through jquery ajax, and i'm planning not to validate them directly in php script(action="some.php") even user's javascript is enabled.

So... does it is still safe?

Sorry for my bad english, hope you don't mind.

Answer 1

No, it is not safe. You should always validate your data on the server side, after the form has been submitted. Client-side validation and AJAX validation before submitting the form are only enhancing the user experience, by providing quicker feedback on invalid data. Both client-side validation and AJAX pre-submit validation do not and can not protect you from a maliciously crafted form submission. Attackers and abusers usually don't even use a browser in order to submit data to your server.

Answer 2

My rules are fairly simple...

1. If you care about your data, then you must validate on the server.
2. If you care about your user experience, then you must validate on the client.