[Javascript] action="insert"

Matt Warden mwarden at gmail.com
Fri Feb 10 10:34:18 CST 2006



Shawn Milo wrote:
> For my ASP pages, I find that using JavaScript as much as possible to
> validate the form before it is submitted saves me a *lot* of work. If
> something is entered incorrectly and the problem is found after the page is
> submitted, I then have to put all of the values from that page into
> variables and insert server-side code into each HTML object to conditionally
> set that content as the default value for the object.
> 
> With JavaScript for validation, you simply refuse to allow the page to
> submit when something is wrong. The user loses nothing if there is a problem
> repopulating a field, and there is no delay as the page reloads or
> refreshes. Plus, you don't need to have extra server-side code which
> re-creates the entire input page *or* moves on to the next step, depending
> upon the validity of the data.

No, actually you are completely wrong.

Send me the URL to your application, and I will break it in about 1 minute.

All I would need to do is turn off JavaScript. This development
methodology makes the assumption that any submitted form has already
been validated. This is a poor assumption. There are (a) malicious users
that would realize this and turn off JavaScript, and (b) white hat users
who don't have JavaScript turned on in the first place (probably more
than you think).

JavaScript validation is a *user aid* to help the user correct problems
without a round trip to the server. Its purpose is for the user, not
your application. You protect your application by validating *all*
values on the server side.

--
Matt Warden
Miami University
Oxford, OH, USA
http://mattwarden.com


This email proudly and graciously contributes to entropy.
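The point Matt makes above, as an added example that is not code from the thread: one rule set is run in the browser as a convenience for the user and run again on the server, where it actually protects the application, so a body posted with JavaScript off is still rejected. Field names, rules and the request shape are hypothetical.

```javascript
// Hypothetical rule set shared by the browser and the server (added example).
// Each rule returns true, or an error message for the user.
const RULES = {
  username: v => /^[A-Za-z0-9_]{3,20}$/.test(v) || 'username must be 3-20 word characters',
  email:    v => /^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(v) || 'email is not well formed',
  age:      v => (Number.isInteger(Number(v)) && Number(v) >= 18 && Number(v) <= 120)
                 || 'age must be a whole number from 18 to 120',
};

// Runs every rule over the submitted fields; returns {field: message}, empty when valid.
// The type check matters on the server: a parsed body can carry arrays or
// objects (e.g. "username[]=x"), which the browser form could never produce.
function validate(form) {
  const errors = {};
  for (const [field, rule] of Object.entries(RULES)) {
    const value = form[field];
    if (typeof value !== 'string') { errors[field] = `${field} is required`; continue; }
    const result = rule(value.trim());
    if (result !== true) errors[field] = result;
  }
  return errors;
}

// Browser side, the part the original poster relies on: an onsubmit handler that
// cancels the submit (returns false) when there are errors. It only runs when
// the script runs, so it is a user aid, not a control.
function onSubmit(form) {
  return Object.keys(validate(form)).length === 0;
}

// Server side: re-validates the raw body on every request and never assumes the
// browser check happened. Modelled as a POST handler returning {status, body}.
function handlePost(body) {
  const errors = validate(body);
  if (Object.keys(errors).length > 0) {
    return { status: 400, body: { ok: false, errors } };
  }
  return { status: 200, body: { ok: true } };
}

// Constructed bodies: a normal submission, and one sent with JavaScript disabled
// (or posted directly) so the browser check never ran.
const goodBody    = { username: 'alice_1', email: 'alice@example.com', age: '30' };
const craftedBody = { username: 'x', email: 'not-an-email', age: ['9'] };
```

With the rules shared, the user still gets instant feedback when the script runs, while the server's answer is the same whether or not it did.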


