Is there an easy way to check if a user bypassed the client-side input validation? I thought about this as a security measure to ban everybody trying to bypass validation. However, every solution I came up with during the last days (e.g. storing input parameters in objects or as arrays) turned out really overcomplicated and confusing.

So before I go insane trying to find a clean solution I decided to ask for some help since I'm pretty new to PHP. Maybe it's pointless to do so anyways.

yoxovaw

Comments:

  • I would never trust data to be validated from the client. All my forms have some validation with JS/AJAX for user convenience, but everything is fully validated in PHP when submitted. – mikeroq Nov 26 '20 at 22:22
  • You could create server-side validation AS WELL, and anyone who fails the server-side validation has probably done so because they circumvented client-side validation. But if you ban people based on this, this may result in unfair bans - for example if your end user is using a browser which doesn't support whatever client-side validation you've added (old browsers vs the `required` attribute, for example). – rjbathgate Nov 26 '20 at 22:29
  • PS: see client-side validation as a benefit to the user's experience; it helps them complete the inputs that are required. Then see server-side validation as for you, to ensure the data is what you need. The latter is the most important, as client-side is just UI really. So you would definitely do server-side validation, and then client-side if you're feeling friendly to your users. – rjbathgate Nov 26 '20 at 22:30
  • _Never_ assume that you have _any_ level of control over _anything_ that happens on a client machine. – Sammitch Nov 26 '20 at 22:33

2 Answers

0

As others have said, do validation in both JS and PHP. All my forms have both. That is the only way to go.

CharlesEF
-2

The security measure preventing CSRF in PHP helps you be (relatively) sure that the client you sent the form to is the one answering.

Then, when you find errors during server-side validation that shouldn't happen, you log the user ID for further action.
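An added example of the approach the comments and this answer describe (not code from the original thread): the server re-checks the same constraints the HTML form declares, and a failure is logged as a signal for review rather than treated as proof of a bypass. The field names, limits, user ID and log format are assumptions.

```php
<?php
declare(strict_types=1);

// Constructed rule set: the same constraints the form enforces client-side
// (required, maxlength, pattern, numeric range), re-checked on the server.
const RULES = [
    'username' => ['required' => true, 'maxlength' => 32, 'pattern' => '/^[A-Za-z0-9_]+$/'],
    'email'    => ['required' => true, 'maxlength' => 254, 'filter' => FILTER_VALIDATE_EMAIL],
    'age'      => ['required' => false, 'min' => 13, 'max' => 120],
];

/** Returns field => reason for every rule the submitted input violates. */
function validateForm(array $input, array $rules = RULES): array
{
    $errors = [];
    foreach ($rules as $field => $rule) {
        $value = isset($input[$field]) ? trim((string) $input[$field]) : '';
        if ($value === '') {
            if ($rule['required'] ?? false) {
                $errors[$field] = 'required';
            }
            continue;
        }
        if (isset($rule['maxlength']) && mb_strlen($value) > $rule['maxlength']) {
            $errors[$field] = 'too long';
        } elseif (isset($rule['pattern']) && !preg_match($rule['pattern'], $value)) {
            $errors[$field] = 'pattern mismatch';
        } elseif (isset($rule['filter']) && filter_var($value, $rule['filter']) === false) {
            $errors[$field] = 'invalid format';
        } elseif (isset($rule['min']) && (!ctype_digit($value)
                || (int) $value < $rule['min'] || (int) $value > $rule['max'])) {
            $errors[$field] = 'out of range';
        }
    }
    return $errors;
}

/** Record a server-side rejection. This is a signal for review, not proof of
 *  a deliberate bypass: old browsers or disabled JS produce the same input. */
function logValidationFailure(array $errors, ?int $userId, string $ip): void
{
    error_log(sprintf('validation-fail user=%s ip=%s fields=%s',
        $userId ?? 'anon', $ip, json_encode($errors)));
}

// Constructed input: what arrives when the client-side checks were skipped.
$submitted = ['username' => 'bad name!', 'email' => 'not-an-email', 'age' => '7'];
$errors = validateForm($submitted);
if ($errors !== []) {
    logValidationFailure($errors, 42, '203.0.113.5'); // user ID and IP are placeholders
    http_response_code(422);
}
```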