This is not arguable: never rely just on client validation.
Let me say it again: never EVER rely on client validation, or trust data
sent from the client. POST data can be easily manipulated at the client level.
JavaScript should always be used as an enhancement.
Also, be very conscious of what you are doing when using
*$this->Model->save($this->request->data)*.
For example, let's say you have a site with a user registration form. In
your view you would have:
echo $this->Form->create('User');   // fields are posted as data[User][...]
echo $this->Form->input('name');
echo $this->Form->input('email');
echo $this->Form->end('Submit');
In the controller you would be tempted to just have:
$this->User->save($this->request->data);
Please be careful with this. If the users table has other fields like
'is_admin', 'has_paid', 'role', etc., this could be a HUGE security
issue! A malicious user could manipulate the POST data before sending it to
add *data[User][admin]=1* or *data[User][role]=admin*.
You should use:
$this->User->create();
// copy only the fields the form is meant to set; anything else in the POST is ignored
$this->User->set('name', $this->request->data['User']['name']);
$this->User->set('email', $this->request->data['User']['email']);
$this->User->save();
Or better (and cleaner):
// save($data, $validate, $fieldList): the third argument whitelists the saveable fields
$this->User->save($this->request->data, true, array('name', 'email'));
On Friday, August 16, 2013 3:15:36 PM UTC+2, Jeremy Burns wrote:
>
> I still view jQuery as progressive enhancement. Even if it is mostly on, it
> can still be turned off, which would - if you relied only on client side
> code - skip your validation. You also never know how your site will be
> accessed; what if (remote, I know) you wanted to open it up as a web
> service or API? Then you'd need to load up your validation anyway. Just my
> 2c.
>
> Jeremy Burns
> Class Outfit
>
> http://www.classoutfit.com
>
> On 16 Aug 2013, at 12:32:29, [email protected] wrote:
>
> I wanted to get some opinions on this. Cake's validation structure is easy
> to apply and works flawlessly (so far, wink, wink). But I've also written
> some data validation with jQuery which is activated at the client side.
>
> Is there still a need to validate at the server if most browsers support
> JavaScript? Do some of you leave off the server side validation in lieu of
> client side? How's that HTML5 data validation working for you?
>
--
Like Us on FaceBook https://www.facebook.com/CakePHP
Find us on Twitter http://twitter.com/CakePHP
---
You received this message because you are subscribed to the Google Groups
"CakePHP" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To post to this group, send email to [email protected].
Visit this group at http://groups.google.com/group/cake-php.
For more options, visit https://groups.google.com/groups/opt_out.
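As an added example that is not part of the thread and not CakePHP's own code: the plain-PHP script below (no framework needed) simulates the mass-assignment problem described in the reply above and the fieldList-style fix. The tampered `User` array, the column list of the hypothetical users table and the validation rules are all constructed for this example; `whitelistedSave()` stands in for what CakePHP 2's `save($data, $validate, $fieldList)` does with its third argument.

```php
<?php
// Added example, not from the original post or from CakePHP. It shows why
// saving the raw request array is dangerous and how a whitelist fixes it.

// Constructed tampered POST body: the form only rendered 'name' and 'email',
// but the attacker appended role and is_admin before sending the request.
$tamperedPost = array(
    'User' => array(
        'name'     => 'mallory',
        'email'    => 'mallory@example.invalid',
        'role'     => 'admin',
        'is_admin' => 1,
    ),
);

// Columns assumed to exist on the hypothetical users table.
$userColumns = array('id', 'name', 'email', 'password', 'role', 'is_admin', 'has_paid');

// Mimics a mass-assignment save: every posted key that matches a column is
// written. Nothing stops role/is_admin from coming through.
function naiveSave(array $post, array $columns)
{
    $row = array();
    foreach ($post['User'] as $field => $value) {
        if (in_array($field, $columns, true)) {
            $row[$field] = $value;
        }
    }
    return $row;
}

// Whitelist approach, the same idea as CakePHP 2's fieldList argument:
// only the fields the form is meant to set are kept, everything else is dropped.
function whitelistedSave(array $post, array $fieldList)
{
    return array_intersect_key($post['User'], array_flip($fieldList));
}

// Server-side validation that runs no matter what the browser did (or did not)
// run. Returns an array of error messages; an empty array means the data passed.
function validateUser(array $row)
{
    $errors = array();
    if (!isset($row['name']) || trim($row['name']) === '' || strlen($row['name']) > 50) {
        $errors['name'] = 'Name is required and must be at most 50 characters.';
    }
    if (!isset($row['email']) || filter_var($row['email'], FILTER_VALIDATE_EMAIL) === false) {
        $errors['email'] = 'A valid e-mail address is required.';
    }
    return $errors;
}

$naive = naiveSave($tamperedPost, $userColumns);
echo "naive save writes: " . implode(', ', array_keys($naive)) . PHP_EOL;
echo "attacker became admin: " . (isset($naive['is_admin']) ? 'yes' : 'no') . PHP_EOL;

$safe = whitelistedSave($tamperedPost, array('name', 'email'));
echo "whitelisted save writes: " . implode(', ', array_keys($safe)) . PHP_EOL;

// Validation is enforced here too, even though no client-side jQuery ever ran.
$errors = validateUser($safe);
echo "server-side validation errors: " . count($errors) . PHP_EOL;
```

Run it with `php` on the command line: the naive path writes `role` and `is_admin` from the tampered body, the whitelisted path writes only `name` and `email`, and the validation step still runs against whatever survives the whitelist. The same tampering needs no tooling beyond a browser's developer tools or `curl -d 'data[User][role]=admin'`, which is why neither the HTML form nor the jQuery validation counts as a control.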