Monday, July 9, 2012

Form Validation, double check always!!


Validation is one of the most important tasks when creating any form on a website. Almost every website you visit has at least one form. JavaScript is nowadays supported by all browsers, and many websites rely on it completely and do not work if JavaScript is not supported. As browsers evolved, they also started offering developer-friendly tools; Google Chrome, for example, provides a console where you can execute JavaScript.
The important point is that when you have a form on your website, you should always have both client-side form validation and server-side validation.
Many people ask: why do we require server-side validation?
1. Even though JavaScript is supported by all browsers, people forget that browsers also provide developer-friendly tools with which we can change the entire JavaScript code. Let's say I just change the validation function to return true in all cases. Your application will throw an error in this case, because you don't have server-side validation, and it might show exception information containing internal application code!
2. In another case, I fill in the form with all the required and valid values and use a tool such as Burp to interfere with the request being sent to the server, replacing the valid values with malicious values. Your application will fail then too, right?

Why this post? Well, just yesterday I found a website where, on a form, with a simple JavaScript function change I got the entire data maintained by the website. Also, one of my friends told me his manager told him not to apply server-side validation, as it's not stated in the requirement document!!
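
The server-side check argued for above, as an added example that is not part of the original post. It assumes a Node.js handler receiving the form as a JSON string; the field names, rules and the `save` callback are hypothetical. Every field is re-validated on the server no matter what the browser did, and a failure in the backend returns a generic error instead of exception details.

```javascript
// Added example (Node.js, no framework). Field names and rules are hypothetical.
const RULES = {
  username: v => /^[A-Za-z0-9_]{3,20}$/.test(v),
  email: v => v.length <= 254 && /^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(v),
  age: v => /^\d{1,3}$/.test(v) && Number(v) >= 13 && Number(v) <= 120,
};
const has = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Re-check every field on the server; the browser's verdict is never trusted.
// Returns the names of the fields that failed.
function validate(fields) {
  const bad = [];
  for (const [name, isValid] of Object.entries(RULES)) {
    const value = has(fields, name) ? fields[name] : undefined;
    // Missing values and non-strings (arrays, objects, numbers) are rejected.
    if (typeof value !== 'string' || !isValid(value)) bad.push(name);
  }
  // Fields the form never had can only come from a modified request.
  if (Object.keys(fields).some(k => !has(RULES, k))) bad.push('(unexpected field)');
  return bad;
}

// rawBody: request body as a JSON string. save: stand-in for the storage layer.
function handleSubmit(rawBody, save) {
  let fields;
  try {
    fields = JSON.parse(rawBody);
  } catch (err) {
    return { status: 400, body: { error: 'invalid request' } };
  }
  if (fields === null || typeof fields !== 'object' || Array.isArray(fields)) {
    return { status: 400, body: { error: 'invalid request' } };
  }
  const bad = validate(fields);
  if (bad.length > 0) {
    return { status: 400, body: { error: 'validation failed', fields: bad } };
  }
  try {
    save(fields);
    return { status: 200, body: { ok: true } };
  } catch (err) {
    // Details go to the server log only; the response stays generic.
    console.error('submit failed:', err.message);
    return { status: 500, body: { error: 'internal error' } };
  }
}
```

The client-side validation function can apply the same rules for user convenience, but the response from `handleSubmit` is what decides whether the data is stored.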

4 comments:

  1. Yeah, it's always good to have server-side validation as well. Wondering if I edit some JS code using the console, but it won't affect my validation. So is there any tool so that I can get what you exactly mentioned in point 1?

  2. If you press F12 in Google Chrome you will get a console where you can change JavaScript functions. Firebug is one of the well-known developer tools for Firefox. Internet Explorer also provides you a console (press F12 there also).

  3. Yeah, it's okay, but it makes no difference even if I edit the JS snippet. My JS function works perfectly.

  4. Well, using this console you can change the entire function itself, which will not validate the fields and will submit the form!!
    Try using the JavaScript console to change the function's behavior.
