
Would submitting a form using Ajax be secure?

So I have my form built in HTML and validated in JS and it does and looks the way I want. Now obviously I will be validating the input using PHP on the server side but I'm wondering if it would be secure enough to submit the form using Ajax and then validating on the server side, instead of submitting the form using a 'submit' type button and an 'action' attribute. Basically, is it safe to make server side validation dependent on the JS submitting it?

Here is my form:

<form name="contactForm" id="contactForm"><!-- The form has no action attribute because it's submitted via Ajax -->
<div id="inputsWrapper">
    <div>
        <label for="fullName">Your Name: <span class="required">(required)</span></label>
        <input type="text" name="fullName" id="fullName" title="First &amp; last name" value="First &amp; last name" maxlength="50" />
    </div>
    <div>
        <label for="email">Your E-mail: <span class="required">(required)</span></label>
        <input type="text" name="email" id="email" title="E-mail address" value="E-mail address" maxlength="500" />
    </div>
    <div>
        <label for="subject">In Regards To: <span class="required">(required)</span></label>
        <input type="text" name="subject" id="subject" title="Subject" value="Subject" maxlength="50"/>
    </div>
    <div>
        <label for="message">Your Message: <span class="required">(required)</span></label>
        <textarea name="message" id="message" title="Enter your message here" cols="40" rows="10">Enter your message here</textarea>
    </div>
</div> <!-- End inputsWrapper -->
<input type="button" name="sendBtn" id="sendBtn" value="Send Message" /><!-- This button has a listener assigned to it in JS and submits the form on click -->
</form>

Once the button is clicked, the Ajax will submit the form via POST to my PHP script and either come back valid or not. Would this be a safe way of doing this or not? Thank you for any advice.

Matt Whitehead asked Dec 27 '22 20:12



2 Answers

I'm wondering if it would be secure enough to submit the form using Ajax and then validating on the server side, instead of submitting the form using a 'submit' type button and an 'action' attribute.

Yes. Input from outside the system is input from outside the system.

Basically, is it safe to make server side validation dependent on the JS submitting it?

Your JavaScript should be unobtrusive and implement progressive enhancement.

The input to the script should be the same no matter if it came from a regular form submission or with Ajax (which is trivially easy if you use something like jQuery's serialize), so you shouldn't need to make the server depend on the JS for the response.

The only difference in how a form submission and an Ajax request is handled should be the formatting of the response.

Either way, the data coming into the system is ultimately under the control of the submitter so you need to perform suitable sanity checking and escaping of it either way.

Quentin answered Dec 29 '22 10:12



Posting it through Ajax or through the browser's default form posting behaviour will not make a difference from a security perspective. The requests will both be regular HTTP POST/GET requests.

Christofer Eliasson answered Dec 29 '22 10:12

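Both answers make the same point: the server validates the data identically however it arrived, and only the response format depends on whether the request was a plain submit or an Ajax call. As an added example (not code from the question or either answer), here is a PHP handler for the form above that does exactly that; it assumes the form's field names and that the Ajax client sends the X-Requested-With: XMLHttpRequest header, which jQuery's $.ajax adds by default.

```php
<?php
// contact.php: one validation path for a plain form submit and for the Ajax
// call; only the response format differs. Added example, not code from the
// question or answers; it assumes the form's field names and that the Ajax
// client sends X-Requested-With: XMLHttpRequest (jQuery's $.ajax does).
// The form pre-fills each field with its hint text, so an untouched field
// arrives as "First & last name", not as "". Treat those values as empty.
const PLACEHOLDERS = [
    'fullName' => 'First & last name',
    'email'    => 'E-mail address',
    'subject'  => 'Subject',
    'message'  => 'Enter your message here',
];

function field(array $post, string $name): string
{
    $value = trim((string)($post[$name] ?? ''));
    return $value === PLACEHOLDERS[$name] ? '' : $value;
}

function validateContact(array $post): array
{
    $errors = [];
    // maxlength and the JS checks are advisory only; the client can send
    // anything, so the same limits are enforced here for every request.
    $limits = ['fullName' => 50, 'email' => 500, 'subject' => 50, 'message' => 5000];
    foreach ($limits as $name => $max) {
        $value = field($post, $name);
        if ($value === '' || mb_strlen($value) > $max) {
            $errors[$name] = "$name is required (max $max characters).";
        }
    }
    if (!isset($errors['email']) && filter_var(field($post, 'email'), FILTER_VALIDATE_EMAIL) === false) {
        $errors['email'] = 'A valid e-mail address is required.';
    }
    return $errors;
}

if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    exit;
}
$errors = validateContact($_POST);
if (($_SERVER['HTTP_X_REQUESTED_WITH'] ?? '') === 'XMLHttpRequest') {
    header('Content-Type: application/json; charset=utf-8');
    echo json_encode(['ok' => $errors === [], 'errors' => $errors]);
} else {
    header('Content-Type: text/html; charset=utf-8');
    $items = array_map(fn($e) => htmlspecialchars($e, ENT_QUOTES, 'UTF-8'), $errors);
    echo $errors === [] ? '<p>Message sent.</p>' : '<ul><li>' . implode('</li><li>', $items) . '</li></ul>';
}
```

The JS client can be dropped entirely (give the form action="contact.php" and a real submit button) and the same checks still run; the header only changes whether the browser gets JSON or an HTML page back.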