> So.. what does everyone on this list do? Use JS and AJAX?
> Not use JS and AJAX? Constantly build JS-enabled/JS-disabled
> redundant apps and sites? Use JS and AJAX only where its
> failure doesn't matter?

I start from a good solid server-side validation viewpoint. Make sure it works and is stable. Then, if there is a user interface issue that can be made easier if JS is available I will implement it. That way, if it isn't there, it falls back to the default HTML behaviour and isn't so slick but it *works* and is as secure as it always was because I validate on the server side too...

These days, it's all too easy for me (or anyone else) to "disable JavaScript" in Firefox. With IE, the settings are slightly more buried but it's still not rocket science... The thing is, if someone were to try to hack your sites, downloading and analysing the JS is too much trouble when you can just turn it off and effectively bypass it...

Also, think about those hackers that don't use your forms to submit to your site... Instead, they craft a form themselves for their illicit purpose. They have no JS, just a form submission tool that can craft malicious content. If someone were to submit malicious content to your form handlers, what would the handlers do?

In terms of implementation of validation, server-side first and last and always, client-side second and optional.

NB.. If you spot a reference to a song in here... It's completely intentional!

Paul

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:275540
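
The server-side-first approach described in the message above, as an added example that is not part of the original post: a form handler's validator that checks the raw POST body against an allowlist, so a hand-built submission that never ran any client-side JavaScript is rejected like any other bad input. The field names, rules and sample bodies are assumptions constructed for illustration.

```javascript
// Added example (not from the original post). Field names and rules are
// hypothetical; adapt them to the form the handler actually serves.
const RULES = {
  username: { required: true,  max: 20,  pattern: /^[A-Za-z0-9_]{3,20}$/ },
  email:    { required: true,  max: 254, pattern: /^[^\s@<>"']+@[^\s@<>"']+\.[A-Za-z]{2,}$/ },
  age:      { required: false, max: 3,   pattern: /^(?:[1-9][0-9]?|1[01][0-9])$/ },
};

// Validate a raw application/x-www-form-urlencoded body exactly as it arrives.
// Nothing here assumes a browser, the site's own form, or any script produced it.
function validateSubmission(rawBody) {
  const errors = [];
  const clean = {};
  const params = new URLSearchParams(rawBody);

  // Reject fields the form never had, and repeated fields. An own-property
  // check is used so names like "constructor" do not pass as known fields.
  for (const name of new Set(params.keys())) {
    if (!Object.prototype.hasOwnProperty.call(RULES, name)) {
      errors.push(`unexpected field: ${name}`);
    } else if (params.getAll(name).length > 1) {
      errors.push(`duplicate field: ${name}`);
    }
  }

  // Check every expected field against its rule, whether or not it was sent.
  for (const [name, rule] of Object.entries(RULES)) {
    const value = params.get(name);
    if (value === null || value === '') {
      if (rule.required) errors.push(`missing field: ${name}`);
      continue;
    }
    if (value.length > rule.max) errors.push(`too long: ${name}`);
    else if (!rule.pattern.test(value)) errors.push(`invalid format: ${name}`);
    else clean[name] = value;
  }
  return errors.length ? { ok: false, errors } : { ok: true, clean };
}

// Constructed sample bodies: one as the site's own form would send it,
// one as a hand-built submission that skipped the page and its scripts.
const BROWSER_BODY = 'username=paul_k&email=paul%40example.com&age=34';
const CRAFTED_BODY = 'username=%3Cb%3Ehi%3C%2Fb%3E&email=x&role=admin';
```

The same `RULES` table can be served to the browser for optional inline feedback, but only the result of `validateSubmission` on the server decides whether the data is accepted.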

