Re: [WSG] an accessible question: server-side vs client-side validation
Hi Tee,

What John is saying is that AJAX is JavaScript yes, but it can also make calls to the server (using the XMLHttpRequest object) thus it validates using server-side technologies such as PHP.

But what is misleading is that validation using AJAX can be disabled quite easily simply by disabling JavaScript, rendering a nice big security hole. That is where the true server-side validation must double-check.

Actually, as Mike said, you can and should use both. Server-side validation makes the user wait, so using JavaScript is a good thing as it is reactive and keeps the user informed as to what is going on.

If you are interested, I wrote a small JS library that may be of use to you. It is a plug'n'play like JS file to automagically validate basic forms which is totally unobtrusive and promotes separation of concerns. To add extra fancy AJAX stuff is a matter of overriding a class and implementing your specific needs. I've still got a bit of work to do on it, but you can certainly get an idea. The URL is: http://www.onegeek.com.au/articles/programming/javascript-form-validation.php

I'd be happy to help you if you need, just shoot us through an email.

Cheers,
Matt

On 2/12/08, Mordechai Peller [EMAIL PROTECTED] wrote:

> tee wrote:
>
> > Hi, I have a question about server-side vs client-side validation. I always use the same PHP form script that works really great and it's server-side validation using condition and requirement, and I like the feature better than client-side's. A website I was working on, client wants client-side validation, something fancy, something Ajax. I like to stick with this form script because it has great support for anti-spam; I suppose I can turn off the server-side validation if client-side validation is used, but I am concerned with the accessibility issue - I am particularly curious how screen readers treat client-side validation.
>
> As important as accessibility is, there is an issue many times more important which is relevant to your question: security. Unless you implement server-side validation (either in addition to client-side, or instead of), neither yours, nor your visitors' data is safe. For example, via SQL injection your database can become an open book to a cracker.

***
List Guidelines: http://webstandardsgroup.org/mail/guidelines.cfm
Unsubscribe: http://webstandardsgroup.org/join/unsubscribe.cfm
Help: [EMAIL PROTECTED]
***
Re: [OBORONA-SPAM] Re: [WSG] an accessible question: server-side vs client-side validation
Why client-side *VS* server side? Why *versus*? They must work together.

1. We cannot dismiss server-side validation for security reasons. So, server-side validation should stay.
2. Client-side script is usable. It checks the form before submission, saves user's time and improves user experience. Example here: http://blog.micromarketing.ru/contacts/ (In Russian, but I hope you'll find the form :) )

And, I believe, client-side validation decreases server load. It decreases the quantity of invalid forms submitted by users. If the form is valid, server doesn't have to handle errors, send error-page, etc.

---
Regards,
Alexey Novikov
http://studiomade.ru
Re: [WSG] an accessible question: server-side vs client-side validation
Hi Matt,

thank you very much! Your JS library looks very interesting and I certainly will play with it. I see that the radio group has not been implemented, is this something coming out soon? The web form has radio buttons with multi-selection options.

Cheers,
tee

On Feb 12, 2008, at 2:12 AM, Matt Fellows wrote:

> Hi Tee,
>
> What John is saying is that AJAX is JavaScript yes, but it can also make calls to the server (using the XMLHttpRequest object) thus it validates using server-side technologies such as PHP.
>
> But what is misleading is that validation using AJAX can be disabled quite easily simply by disabling JavaScript, rendering a nice big security hole. That is where the true server-side validation must double-check.
>
> If you are interested, I wrote a small JS library that may be of use to you. It is a plug'n'play like JS file to automagically validate basic forms which is totally unobtrusive and promotes separation of concerns. To add extra fancy AJAX stuff is a matter of overriding a class and implementing your specific needs. I've still got a bit of work to do on it, but you can certainly get an idea. The URL is: http://www.onegeek.com.au/articles/programming/javascript-form-validation.php
>
> I'd be happy to help you if you need, just shoot us through an email.
RE: [WSG] an accessible question: server-side vs client-side validation
+1 on this.

I am no l33t h4x0r (by any stretch of the imagination), but even I know I can easily circumvent client-side validation for nefarious purposes in at least the following ways:

1. save the form onto my drive, remove all js and submit the form to your server url with pretty much any data I like in it
2. switch off javascript and mash that submit button

Web apps should be built to work first without JS, and then the js behaviour should be layered over the top: http://domscripting.com/blog/display/41

:)

Paul
Re: [WSG] an accessible question: server-side vs client-side validation
It should be made clear that there really is no such thing as Client Side Validation. What we are talking about here is client side form assistance.

The goal of validation is to make 100% sure that the data you are receiving is of the correct type, and contains no extraneous data or security exploits BEFORE depositing it into a database or running other type sensitive functions across it. This is why you must perform validation on the server side, because that's the part you can control, so you can make sure from there that the data is correct.

There is absolutely no certainty about whether the data you are receiving from the client is valid, regardless of what javascript you have running. The data could be coming from anywhere! Not just desktop browsers with javascript. Thus, there can be no such thing as client side validation.
Re: [WSG] an accessible question: server-side vs client-side validation
Matt Fellows wrote:

> What John is saying is that AJAX is JavaScript yes, but it can also make calls to the server (using the XMLHttpRequest object) thus it validates using server-side technologies such as PHP.

What you describe is what AJAX actually is; however, the term is often misused to include any action or change to the page which doesn't include a page refresh. Whether it's drag-and-drop, or popping up an error message (especially without a JavaScript alert box), that's AJAX, or at least according to most clients. It was my impression that Tee was making that error.

So, whether the validation done before leaving the page was done client-side or server-side via (true) AJAX is irrelevant. What is most important is that the data is validated AFTER YOU LEAVE THE PAGE, even if it was already validated before.

> But what is misleading is that validation using AJAX can be disabled quite easily simply by disabling JavaScript, rendering a nice big security hole.

Even with JavaScript working perfectly, it's child's play to send whatever garbage (or worse) you want to the server. For example, there's a Firefox add-on, Tamper Data, which allows you to intercept and modify all calls to the server. So the issue of whether or not JavaScript is enabled is irrelevant to that nice big security hole.

> That is where the true server-side validation must double-check.

And that's my bottom line.
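An added example, not code from anyone in this thread: the server-side half of the "use both" approach, written in JavaScript for Node.js (the form script discussed in the thread is PHP). It re-checks every field of a posted form regardless of what the browser script did, then binds the accepted values as query parameters. The field names, limits, patterns and the `contacts` table are assumptions for illustration.

```javascript
// Added example. Field names, limits, patterns and the table name are assumptions.
const RULES = {
  name:  { max: 80,  pattern: /^\p{L}[\p{L}\p{M} .'-]*$/u, message: "Enter your name." },
  email: { max: 254, pattern: /^[^\s@]+@[^\s@]+\.[^\s@]+$/, message: "Enter a valid email address." },
  phone: { max: 20,  pattern: /^\+?[0-9][0-9 ()-]{5,18}$/, message: "Enter a phone number (digits, spaces, + ( ) -)." },
};

const isKnownField = (key) => Object.prototype.hasOwnProperty.call(RULES, key);

// Server-side check of a decoded form body. Nothing here assumes the request
// came from our own page, so every field is checked again.
function validateContactForm(params) {
  const errors = {};
  const clean = {};
  // Fields the form never offered are rejected rather than silently ignored.
  if ([...params.keys()].some((key) => !isKnownField(key))) {
    errors.form = "Unexpected field submitted.";
  }
  for (const [field, rule] of Object.entries(RULES)) {
    const values = params.getAll(field);
    // A missing field and a repeated field both fail the check.
    const value = values.length === 1 ? values[0].trim() : "";
    if (value.length === 0 || value.length > rule.max || !rule.pattern.test(value)) {
      errors[field] = rule.message;
    } else {
      clean[field] = value;
    }
  }
  return { ok: Object.keys(errors).length === 0, errors, clean };
}

// Handle a raw application/x-www-form-urlencoded body, as sent by any client.
function handleSubmission(rawBody) {
  const result = validateContactForm(new URLSearchParams(rawBody));
  if (!result.ok) {
    // Per-field messages, so the page can show them next to each field
    // even when no script runs in the browser.
    return { status: 422, errors: result.errors };
  }
  // Values are bound as parameters, never concatenated into the SQL text.
  return {
    status: 200,
    query: {
      text: "INSERT INTO contacts (name, email, phone) VALUES (?, ?, ?)",
      values: [result.clean.name, result.clean.email, result.clean.phone],
    },
  };
}

// Constructed sample bodies: one that passed the client-side check, and one
// sent with scripting off, so only the server sees the bad phone number.
const viaBrowser = "name=Pat+O%27Brien&email=pat%40example.org&phone=%2B61+2+5550+1234";
const scriptsOff = "name=Pat&email=pat%40example.org&phone=call+me";
console.log(handleSubmission(viaBrowser).status, handleSubmission(scriptsOff));
```

The apostrophe in the constructed name is valid input; it is safe because it travels in `values`, not in the query text.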
Re: [WSG] an accessible question: server-side vs client-side validation
Hi Tee,

It sure is, I have actually implemented it locally but a bit of testing is needed. It was more a test-of-principle kind of thing that actually turned out useful.

So we don't move off topic however, I will reply to your email privately about the library instead of the WSG list.

Cheers,
Matt

On 2/13/08, tee [EMAIL PROTECTED] wrote:

> Hi Matt,
>
> thank you very much! Your JS library looks very interesting and I certainly will play with it. I see that the radio group has not been implemented, is this something coming out soon? The web form has radio buttons with multi-selection options.
>
> Cheers,
> tee
>
> On Feb 12, 2008, at 2:12 AM, Matt Fellows wrote:
>
> > Hi Tee,
> >
> > What John is saying is that AJAX is JavaScript yes, but it can also make calls to the server (using the XMLHttpRequest object) thus it validates using server-side technologies such as PHP.
> >
> > But what is misleading is that validation using AJAX can be disabled quite easily simply by disabling JavaScript, rendering a nice big security hole. That is where the true server-side validation must double-check.
> >
> > If you are interested, I wrote a small JS library that may be of use to you. It is a plug'n'play like JS file to automagically validate basic forms which is totally unobtrusive and promotes separation of concerns. To add extra fancy AJAX stuff is a matter of overriding a class and implementing your specific needs. I've still got a bit of work to do on it, but you can certainly get an idea. The URL is: http://www.onegeek.com.au/articles/programming/javascript-form-validation.php
> >
> > I'd be happy to help you if you need, just shoot us through an email.
Re: [WSG] an accessible question: server-side vs client-side validation
The server-side validations must be done even if the validations are done at client side too. This is because it is highly likely to crash if the user has turned off JavaScript.

Sajan

On Feb 12, 2008 4:43 PM, tee [EMAIL PROTECTED] wrote:

> Hi, I have a question about server-side vs client-side validation. I always use the same PHP form script that works really great and it's server-side validation using condition and requirement, and I like the feature better than client-side's. A website I was working on, client wants client-side validation, something fancy, something Ajax. I like to stick with this form script because it has great support for anti-spam; I suppose I can turn off the server-side validation if client-side validation is used, but I am concerned with the accessibility issue - I am particularly curious how screen readers treat client-side validation.
>
> Thank you for your thoughts!
>
> tee
Re: [WSG] an accessible question: server-side vs client-side validation
Hi Tee,

> I suppose I can turn off the server-side validation if client-side validation is used, but I am concerned with the accessibility issue

You can have it both ways. The JavaScript can work before anything is even submitted to the server (very AJAXy) so the server-side validation isn't even used -- unless the JS isn't supported. Perfectly accessible provided the error management is accessible for users who have JavaScript but can't use all features (provide for non-sighted and keyboard), or those who have JS enabled on their browser, but have scripts blocked at another point such as a firewall or router. Make sure JS isn't required to use the form.

Respectfully,
Mike Cherim
Re: [WSG] an accessible question: server-side vs client-side validation
You should always do server side validation. Implementing client side validation does not affect this at all.

On Feb 12, 2008 4:08 PM, Sajan Franco [EMAIL PROTECTED] wrote:

> The server-side validations must be done even if the validations are done at client side too. This is because it is highly likely to crash if the user has turned off JavaScript.
>
> Sajan
>
> On Feb 12, 2008 4:43 PM, tee [EMAIL PROTECTED] wrote:
>
> > Hi, I have a question about server-side vs client-side validation. I always use the same PHP form script that works really great and it's server-side validation using condition and requirement, and I like the feature better than client-side's. A website I was working on, client wants client-side validation, something fancy, something Ajax. I like to stick with this form script because it has great support for anti-spam; I suppose I can turn off the server-side validation if client-side validation is used, but I am concerned with the accessibility issue - I am particularly curious how screen readers treat client-side validation.
> >
> > Thank you for your thoughts!
> >
> > tee
RE: [WSG] an accessible question: server-side vs client-side validation
In my experience client-side validation works fine with screen readers but you need to be careful how you present any error messages. It is increasingly common to see them slid in silently, and this is a big problem not only for screen reader users but also for magnifier users because they are both unaware of the change.

I am a big fan of alert boxes for error messages. Sure they're clunky but they give an audible warning and they seize the focus so the user doesn't have to go hunting for the error message (assuming they even know that there is one).

If you are forced to slide the error messages in silently, I recommend doing so at the top of the page and just above the Submit button. People have different strategies for figuring out what's going on if a new page does not load, but the most common are to return to the top of the page or to navigate backwards up the form. Error messages next to the relevant fields make it even easier for the user.

You must retain the server-side validation because some people may not have JavaScript enabled so they will bypass the client-side validation.

Steve

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of tee
Sent: 12 February 2008 05:43
To: wsg@webstandardsgroup.org
Subject: [WSG] an accessible question: server-side vs client-side validation

> Hi, I have a question about server-side vs client-side validation. I always use the same PHP form script that works really great and it's server-side validation using condition and requirement, and I like the feature better than client-side's. A website I was working on, client wants client-side validation, something fancy, something Ajax. I like to stick with this form script because it has great support for anti-spam; I suppose I can turn off the server-side validation if client-side validation is used, but I am concerned with the accessibility issue - I am particularly curious how screen readers treat client-side validation.
>
> Thank you for your thoughts!
>
> tee
RE: [WSG] an accessible question: server-side vs client-side validation
> A website I was working on, client wants client-side validation, something fancy, something Ajax.

The whole point of AJAX is that it's *not* client-side. It's both. So your client is a little confused if they said that.
Re: [WSG] an accessible question: server-side vs client-side validation
Thank you all for the great response.

I thought client-side validation will conflict (and confuse user) with server-side - I thought that when a user gets past the client-side validation and clicks submit, another error message may pop up to warn him the telephone number format he entered is incorrect. Obviously this will only be an issue if I didn't get the client-side validation set up properly.

On Feb 11, 2008, at 10:23 PM, John Horner wrote:

> The whole point of AJAX is that it's *not* client-side. It's both. So your client is a little confused if they said that.

I am really confused with your comment. Isn't AJAX JS of a sort? If JS gets turned off, none of the AJAX functions will be working.

tee
Re: [WSG] an accessible question: server-side vs client-side validation
tee wrote:

> Hi, I have a question about server-side vs client-side validation. I always use the same PHP form script that works really great and it's server-side validation using condition and requirement, and I like the feature better than client-side's. A website I was working on, client wants client-side validation, something fancy, something Ajax. I like to stick with this form script because it has great support for anti-spam; I suppose I can turn off the server-side validation if client-side validation is used, but I am concerned with the accessibility issue - I am particularly curious how screen readers treat client-side validation.

As important as accessibility is, there is an issue many times more important which is relevant to your question: security. Unless you implement server-side validation (either in addition to client-side, or instead of), neither yours, nor your visitors' data is safe. For example, via SQL injection your database can become an open book to a cracker.
[WSG] an accessible question: server-side vs client-side validation
Hi, I have a question about server-side vs client-side validation. I always use the same PHP form script that works really great and it's server-side validation using condition and requirement, and I like the feature better than client-side's. A website I was working on, client wants client-side validation, something fancy, something Ajax. I like to stick with this form script because it has great support for anti-spam; I suppose I can turn off the server-side validation if client-side validation is used, but I am concerned with the accessibility issue - I am particularly curious how screen readers treat client-side validation.

Thank you for your thoughts!

tee