[Javascript] action="insert"

Shawn Milo Shawn at Milochik.com
Fri Feb 10 10:43:26 CST 2006


On 2/10/06, Matt Warden <mwarden at gmail.com> wrote:
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Shawn Milo wrote:
> > For my ASP pages, I find that using JavaScript as much as possible to
> > validate the form before it is submitted saves me a *lot* of work. If
> > something is entered incorrectly and the problem is found after the page is
> > submitted, I then have to put all of the values from that page into
> > variables and insert server-side code into each HTML object to conditionally
> > set that content as the default value for the object.
> >
> > With JavaScript for validation, you simply refuse to allow the page to
> > submit when something is wrong. The user loses nothing if there is a problem
> > repopulating a field, and there is no delay as the page reloads or
> > refreshes. Plus, you don't need to have extra server-side code which
> > re-creates the entire input page *or* moves on to the next step, depending
> > upon the validity of the data.
>
> No, actually you are completely wrong.
>
> Send me the URL to your application, and I will break it in about 1
> minute.
>
> All I would need to do is turn off JavaScript. This development
> methodology makes the assumption that any submitted form has already
> been validated. This is a poor assumption. There are (a) malicious users
> that would realize this and turn off JavaScript, and (b) white hat users
> who don't have JavaScript turned on in the first place (probably more
> than you think).
>
> JavaScript validation is a *user aid* to help the user correct problems
> without a round trip to the server. Its purpose is for the user, not
> your application. You protect your application by validating *all*
> values on the server side.
>
> - --
> Matt Warden
> Miami University
> Oxford, OH, USA
> http://mattwarden.com
>
>
> This email proudly and graciously contributes to entropy.
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.1 (GNU/Linux)
> Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
>
> iD8DBQFD7MCKrI3LObhzHRMRArgvAKCad6vnwjPm2WnpiCJnggNtAEK3vACdGfon
> cROmsucZDGhWty1lU1R601c=
> =CmYG
> -----END PGP SIGNATURE-----
> _______________________________________________
> Javascript mailing list
> Javascript at LaTech.edu



Extremely valid points. However, my applications are not accessible from the
Internet, and the users are very small in number and need the application to
do their jobs day-to-day. Also, the most likely outcome of invalid data is
an error message when they submit the page because a database INSERT or
UPDATE command fails due to invalid data.

Obviously, the right thing for me to do is use the methods you espouse, not
only from a security standpoint but also from a simple compatibility
standpoint; the closer the web app looks to boring HTML, the better it is
for most browsers.

I guess I'm spoiled in my sandbox.

Shawn
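The pattern Matt describes, as an added example that is not part of the thread (neither poster's code): the same rule set is applied once in the browser as a user aid and once on the server as the actual control. Field names, the `validateSignup`/`onClientSubmit`/`handleSignupPost` functions and the "bypass" request are all assumed for illustration; the server side is a pure function so the example runs under Node with no web server or database. The server handler also shows the re-population step Shawn wants to avoid writing, with every echoed value HTML-escaped so a request that skipped the client check cannot inject markup into the re-rendered form.

```javascript
// Added example, not code from the mailing-list thread. All names below are
// assumed for illustration.

// One rule set, shared by both sides so they cannot drift apart.
const RULES = {
  username: { pattern: /^[a-z0-9_]{3,20}$/i, message: "3-20 letters, digits or _" },
  email:    { pattern: /^[^\s@]+@[^\s@]+\.[^\s@]+$/, message: "must look like an e-mail address" },
  age:      { pattern: /^\d{1,3}$/, check: v => Number(v) >= 18 && Number(v) <= 120,
              message: "must be a number between 18 and 120" },
};

// Returns { field: errorMessage }; an empty object means the input is valid.
// Every field is required, so a missing or non-string value is an error.
function validateSignup(fields) {
  const errors = {};
  for (const [name, rule] of Object.entries(RULES)) {
    const raw = fields[name];
    const value = typeof raw === "string" ? raw.trim() : "";
    if (value === "") { errors[name] = "required"; continue; }
    if (!rule.pattern.test(value) || (rule.check && !rule.check(value))) {
      errors[name] = rule.message;
    }
  }
  return errors;
}

// Browser side: what the form's submit handler would call. It only saves the
// user a round trip; a client with JavaScript off, curl, or a proxy never runs
// it, so nothing here protects the application. When proceed is false the
// handler calls event.preventDefault() and shows the errors inline.
function onClientSubmit(fields) {
  const errors = validateSignup(fields);
  return { proceed: Object.keys(errors).length === 0, errors };
}

// Server side: the real control. It assumes nothing about the request.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, c => map[c]);
}

// Re-render the form with the submitted values so the user loses nothing.
// Values came from an untrusted client, so they are escaped before echoing.
function renderForm(fields, errors) {
  return Object.keys(RULES).map(name => {
    const value = typeof fields[name] === "string" ? fields[name] : "";
    const err = errors[name] ? ` <span class="error">${escapeHtml(errors[name])}</span>` : "";
    return `<label>${name} <input name="${name}" value="${escapeHtml(value)}"></label>${err}`;
  }).join("\n");
}

// Simulated POST handler: re-validates regardless of what the client did and
// only lets validated, normalised data reach the database layer (which should
// still use parameterised statements; a failed INSERT is not a validator).
function handleSignupPost(body) {
  const errors = validateSignup(body || {});
  if (Object.keys(errors).length) {
    return { status: 400, body: renderForm(body || {}, errors) };
  }
  return {
    status: 200,
    record: { username: body.username.trim(), email: body.email.trim(), age: Number(body.age) },
  };
}

// Constructed request a hostile client sends with the JavaScript check skipped.
const BYPASS_REQUEST = {
  username: '"><script>alert(1)</script>',
  email: "not-an-email",
  age: "-5",
};

function demo() {
  const good = { username: "alice_1", email: "alice@example.com", age: "30" };
  return {
    clientHappy: onClientSubmit(good).proceed,        // true
    serverHappy: handleSignupPost(good).status,      // 200
    bypassRejected: handleSignupPost(BYPASS_REQUEST).status, // 400
  };
}
```

The client copy is purely a convenience; `handleSignupPost` would give the same answer whether or not `onClientSubmit` ever ran, which is the property Matt's message asks for.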
