Hmmm, I generally agree that user-submitted data has to be
RE-validated on the server side, but that doesn't mean client-side
validation isn't useful. Without getting further into a design
philosophy debate, I'd suggest one possible answer to the question
at hand is to make the form submit button be a standard button
rather than a real "Submit" type and use its onClick event handler
to submit the form, either directly in-line, as in:

    onClick="this.form.submit()"

or, perhaps more appropriate to this question, at the end of the
validation Fx you want to perform: onClick="runSubmit(form)"

    function runSubmit(form) {
        // stop at the first check that fails
        if (!ckName(form)) return
        if (!ckDate(form)) return
        ...
        // submit the form object that was passed in
        form.submit()
    }
    function ckName(form) {
        if ( the test conditions I am checking are okay) {return true}
        else {return false}
    }
    function ckDate(form) {
        if ( the test conditions I am checking are okay) {return true}
        else {return false}
    }
    ...

The form won't submit unless JavaScript is on and the validation
conditions are met. To prevent user perversion, such as saving
the form locally and editing out the validation - by changing it to
a regular "Submit" type input or something - check the environment
HTTP_REFERER to make sure it is coming from your domain
( m/^http\:\/\/www\.mydomain/) and bounce them if it isn't. Of
course, there is no guarantee that JS will still be on two seconds
after they submit the tested request, but hey, if they are trying to
screw it up, so what? It will work okay for any user who isn't
intentionally trying to monkey wrench it...T
----- Original Message -----
From: "Christopher K. St. John" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, June 19, 2001 11:00 AM
Subject: Re: JavaScript Enabled?
> Deb Shuvabrata wrote:
> >
> > Consider a date validation on an HTML page.
> >
>
> You can't depend on client-side validation. Since the users
> have control of the client, the users can do any perverse
> thing they want, and there's no way to always catch them.
> So assume all the data coming from the client is trashed and
> revalidate it on the server-side.
>
> > Is there any way I can find out from my ... if the request
> > came from a JavaScript enabled browser or not.
> >
>
> No. A malicious user can always fake it, see part 1. ('But
> we don't have any malicious users' is not a good excuse,
> since stupidity is often indistinguishable from malice :-)
> Make sure to always validate on the server side, and you
> don't have to worry about javascript being turned off...
>
>
> --
> Christopher St. John [EMAIL PROTECTED]
> DistribuTopia http://www.distributopia.com
>
>
> ___________________________________________________________________________
> To unsubscribe, send email to [EMAIL PROTECTED] and include in the body
> of the message "signoff SERVLET-INTEREST".
>
> Archives: http://archives.java.sun.com/archives/servlet-interest.html
> Resources: http://java.sun.com/products/servlet/external-resources.html
> LISTSERV Help: http://www.lsoft.com/manuals/user/user.html
>
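
Added example, not part of either message in this thread: one way the server-side re-validation discussed above can look in Java, written as plain code a servlet could call with its request parameters. The field names "name" and "date", the 100-character limit and the YYYY-MM-DD format are assumptions chosen for illustration; the decision uses only the submitted values, never the Referer header or whether the script ran.

```java
import java.time.LocalDate;
import java.time.format.DateTimeFormatter;
import java.time.format.DateTimeParseException;
import java.time.format.ResolverStyle;
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

public class FormRevalidation {
    // Assumed format. STRICT rejects impossible dates such as 2001-02-30
    // instead of silently adjusting them to the end of the month.
    private static final DateTimeFormatter DATE =
            DateTimeFormatter.ofPattern("uuuu-MM-dd").withResolverStyle(ResolverStyle.STRICT);

    /** Repeats on the server the checks the browser was asked to run; returns the errors found. */
    static List<String> validate(Map<String, String> params) {
        List<String> errors = new ArrayList<>();

        String name = params.get("name");   // assumed field name
        if (name == null || name.trim().isEmpty() || name.length() > 100) {
            errors.add("name: required, at most 100 characters");
        }

        String date = params.get("date");   // assumed field name
        boolean dateOk = false;
        if (date != null) {
            try {
                LocalDate.parse(date, DATE);
                dateOk = true;
            } catch (DateTimeParseException e) {
                // not a real calendar date in the expected form
            }
        }
        if (!dateOk) errors.add("date: must be a real calendar date in YYYY-MM-DD form");
        return errors;
    }

    public static void main(String[] args) {
        // Constructed inputs standing in for request.getParameter(...) values.
        Map<String, String> checkedInBrowser = new LinkedHashMap<>();
        checkedInBrowser.put("name", "Deb");
        checkedInBrowser.put("date", "2001-06-19");
        Map<String, String> browserCheckSkipped = new LinkedHashMap<>();
        browserCheckSkipped.put("name", "   ");
        browserCheckSkipped.put("date", "2001-02-30");
        System.out.println("checked in browser:    " + validate(checkedInBrowser));
        System.out.println("browser check skipped: " + validate(browserCheckSkipped));
    }
}
```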