I am using JQuery and Javascript extensively in my new project including form validation because I don't want to burden server using PHP validation. So I am restricting my site from the people who disabled Javascript on their browsers. I am trying to redirect them using meta tag:
<meta http-equiv="refresh" content="2; URL=../../enablejs.html">
I assume that this is safe because if javascript is not enabled they will not be able to access my site.
But still I have a doubt over this and need your advice. Is it completely safe? If not, what are the areas I need to concentrate on?
edited Apr 16, 2013 at 11:37 Franz Kafka, asked Oct 18, 2012 at 9:08 Sk MiRaj
- 3 You still need PHP validation regardless – Lawrence Cherone Commented Oct 18, 2012 at 9:10
- 1 You need to concentrate on the area of server-side validation! Javascript validation is only good for usability, and can easily be "hacked" to send your server bad data – musefan Commented Oct 18, 2012 at 9:10
- 1 Your site is equally vulnerable if javascript is enabled or disabled in user's browser. Safety has nothing to do with javascript disabled in user's browser. Not all of your users will have javascript disabled at the same time. – WatsMyName Commented Oct 18, 2012 at 9:11
- 1 Server-side validation is mandatory. You might not know how to skip JavaScript validation but some visitor will eventually know. – Álvaro González Commented Oct 18, 2012 at 9:11
- 2 If you are not going to validate data sent on the server, no matter how secure your interface is, people can bypass it by forging their own HTTP Request. Even if JavaScript is enabled, people can still view your source code then write a bookmarklet and execute it to disable your JavaScript validation. – Ultimater Commented Oct 18, 2012 at 9:26
6 Answers
This is a terrible, terrible idea.
because I don't want to burden server using PHP validation
You mean, you don't want to burden yourself with implementing it :)
I can relate. Everyone hates doing stuff twice. But server side validation is not a negotiable extra; client side validation can be easily circumvented and is for user convenience only. Server side validation is always needed for safety and security.
Apart from it being a bad idea, there is no way of reliably excluding users who have JavaScript turned off. JavaScript runs on client side, and its presence or non-presence can be easily faked to the server.
Client-side anything is never ever safe. You always need server-side validation. It's not a "burden", it's a necessity. I don't even need your website to submit (unvalidated) data to your server, in the end it all just boils down to HTTP requests. If you do not validate everything the user does on the server, you have no security.
I am using Jquery and Javascript extensively in my new project including form validation because I don't want to burden server using PHP validation.
That shouldn't save a significant burden. It should give faster feedback to users though, which is good.
So I am restricting my site from the people who disabled Javascript on their browsers.
That is a waste of time. The proportion of submissions in that which will be from users with JS disabled will be tiny.
I am trying to redirect them using meta tag
That's a very user hostile thing to do.
I assume that this is safe because if javascript is not enabled they will not be able to access my site.
If you mean that it avoids the need to write server side validation routines, then you are wrong. If someone wants to attack the site (rather than submit bad data by accident) then they can construct HTTP requests manually.
No that's not safe. Client side validations are nowhere safe. With javascript enabled anyone can bypass your validations. Using the Chrome console I can probably alter any text on your input boxes or any other input method without your validation noticing it.
Use server side validation or you're screwed.
No, this is not safe. Never rely on the browser for form validation. Form validation in the browser should only be to improve user experience, not to protect your data. You need to add some PHP validation.
Also, are people who have JavaScript disabled not supposed to use your site? You should make JavaScript degrade gracefully so that your site is still usable without it.
Using client side validation is a recipe for disaster: "never ever trust clients' input". Clients' inputs are GET (URL included), POST, Flash ...
All inputs should be validated by a server side scripting language like PHP, ASP, Java ... If you use PHP then check http://www.phpclasses.org/ and look for form validation scripts and Cross-site scripting (XSS). Or use validation classes offered in frameworks like Zend, CodeIgniter
http://en.wikipedia.org/wiki/Cross-site_scripting
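The server-side validation the answers above call for, sketched in PHP as an added example (not code from the question or from any answer). The field names `name`, `email` and `age`, the rules, and the function name `validate_signup` are assumptions standing in for whatever the jQuery validation checks; the sample request body is constructed to show that input which never passed through the page's JavaScript is still rejected.

```php
<?php
declare(strict_types=1);

/**
 * Hypothetical server-side check that repeats the client-side rules.
 * Returns [clean, errors]; accept the request only when errors is empty.
 */
function validate_signup(array $input): array
{
    $errors = [];
    $clean  = [];

    // Missing or non-string values (e.g. email[]=x) count as invalid.
    $get = static function (string $key) use ($input): ?string {
        return isset($input[$key]) && is_string($input[$key]) ? trim($input[$key]) : null;
    };

    $name = $get('name');
    if ($name === null || !preg_match('/^[\p{L} .\'-]{1,50}\z/u', $name)) {
        $errors['name'] = 'Name is required (letters only, max 50 characters).';
    } else {
        $clean['name'] = $name;
    }

    $email = $get('email');
    if ($email === null || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors['email'] = 'A valid e-mail address is required.';
    } else {
        $clean['email'] = $email;
    }

    // FILTER_VALIDATE_INT returns false for null, text, or out-of-range numbers.
    $age = filter_var($get('age'), FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 13, 'max_range' => 120]]);
    if ($age === false) {
        $errors['age'] = 'Age must be a whole number between 13 and 120.';
    } else {
        $clean['age'] = $age;
    }

    return [$clean, $errors];
}

// Constructed sample: a body sent by a hand-written HTTP client, so no
// browser-side validation ever ran. In a real handler this would be $_POST.
$forged = ['name' => '<script>alert(1)</script>', 'email' => 'not-an-email', 'age' => '-5'];
[$clean, $errors] = validate_signup($forged);
if ($errors !== []) {
    http_response_code(422);                    // reject; nothing is stored
    echo json_encode(['errors' => $errors]);
}
```

Validation decides what is accepted; values that are later echoed into HTML still need output escaping such as `htmlspecialchars()` to address the XSS concern linked above.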