Javascript form validation on client side without server side - is it safe?

血红的双手。 submitted on 2019-12-13 22:07:37

Question


Suppose I have a form with JavaScript client-side validation and no server-side validation.

If the user disables JavaScript in his browser, there will be no submit button, so he cannot send me any data without JS enabled.

But I do not know whether there is any way to change my validation instructions from the client browser so that he could send me untrusted data and do some damage to my database.

Thanks in advance and sorry for my (possibly) obvious question!!!


Answer 1:


No, it is not safe. Use server-side validation.

For example, even without the browser, I can read your source code. Then simply use CURL to send a post request with malicious data.

Never, ever trust the client.




Answer 2:


No, it's not safe. For example, I could just open up the JavaScript debugger in my browser and override your validation.




Answer 3:


Anyone who is capable of disabling JavaScript on their own is probably also capable of making arbitrary POST requests on their own as well. OK, I might be exaggerating, but it's still not safe, as someone can do the POST requests without using a browser, let alone your form, at all.




Answer 4:


I would suggest using both client-side and server-side validation.

The benefit of client-side validation is that it's fast: we never hit the server until the user enters correct input. This saves time and avoids user frustration. This is really helpful in large forms. However, the demerit is that a bad guy can override the client-side validation; hence, to avoid such a case, we should also validate on the server side before processing the data.
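
What the answers mean by server-side validation, as an added example that is not part of the original thread: a Node.js function that checks the raw POST body on the server, so the outcome is the same whether or not the browser's JavaScript ever ran. The field names (`username`, `email`, `age`), the limits and the function name `validateSignup` are assumptions for illustration.

```javascript
// Added example: validate an application/x-www-form-urlencoded body on the server.
// Field names and limits below are assumed, not taken from the question's form.
const MAX_BODY_BYTES = 4096;

// Each rule returns true when the value is acceptable, otherwise an error message.
const RULES = {
  username: (v) => /^[A-Za-z0-9_]{3,20}$/.test(v) || 'must be 3-20 letters, digits or _',
  email: (v) =>
    (v.length <= 254 && /^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(v)) || 'must be an email address',
  age: (v) =>
    (/^\d{1,3}$/.test(v) && Number(v) >= 13 && Number(v) <= 120) || 'must be an integer 13-120',
};

function validateSignup(rawBody) {
  // Errors are kept in an array so a client-chosen key such as "__proto__"
  // can never be used as a property name on a server-side object.
  const errors = [];
  if (typeof rawBody !== 'string' || Buffer.byteLength(rawBody) > MAX_BODY_BYTES) {
    errors.push({ field: '(body)', message: 'missing or too large' });
    return { ok: false, errors, value: null };
  }
  const params = new URLSearchParams(rawBody);

  // Reject fields the form never had instead of silently ignoring them.
  for (const key of new Set(params.keys())) {
    if (!Object.prototype.hasOwnProperty.call(RULES, key)) {
      errors.push({ field: key, message: 'unexpected field' });
    }
  }

  const value = {};
  for (const [field, check] of Object.entries(RULES)) {
    const all = params.getAll(field);
    if (all.length !== 1) {
      // Missing or repeated parameters are both refused.
      errors.push({ field, message: 'required exactly once' });
      continue;
    }
    const result = check(all[0]);
    if (result === true) value[field] = all[0];
    else errors.push({ field, message: result });
  }

  if (errors.length > 0) return { ok: false, errors, value: null };
  value.age = Number(value.age); // convert only after the string form has passed
  return { ok: true, errors, value };
}
```

Validation only limits what is accepted; values that pass should still reach the database through parameterized queries.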



Source: https://stackoverflow.com/questions/8113422/javascript-form-validation-on-client-side-without-server-side-is-it-safe
