Friday, August 16, 2013

RE: Data validation: Client or Server?

Once you have a registered member I think js validation is ok. But from a front end point any user can manipulate the form, security component does nothing for js / ajax. So be aware of that.

I had an ajax validation method but all it did was expose user names and passwords by manipulating the fields in the form.

So I wrote an ajax security component / method and lock all my forms using an ajax request. Domain / request, fields. Lock and key method.

Dave Maharaj

Freelance Designer | Developer

www.movepixels.com  |  dave@movepixels.com  |  709.800.0852

 

From: cake-php@googlegroups.com [mailto:cake-php@googlegroups.com] On Behalf Of Eric Haskins
Sent: Saturday, August 17, 2013 12:21 AM
To: cake-php@googlegroups.com
Subject: Re: Data validation: Client or Server?

 

Dave,

 

I agree you can over expose but it's still valid data by the time it gets to the database. We are constantly trying to build a better mousetrap to stop people from using servers to submit signups for sites like Voodoo.com. So I built a two stage form that asks your name, company, and country. Which makes a request for cached i18n data of required fields like some countries require County or Region etc.

So basically they made a decision no javascript = no sign up. Bogus signups dropped way off and server load decreased (was never a problem but was a noticeable decrease). I still see some good bots getting thru but we also store Render time and Submit time which cleaned out a bunch more.

It's fun :-)

 

Eric Haskins

High Octane Brands 

 



On Friday, August 16, 2013 9:59:30 PM UTC-4, advantage+ wrote:

Good stuff, but just think about how it can be manipulated.

Field, for example you might be validating Susan's hair colour down the road.

Few tweaks with Firebug and I change the input to [user]…… presto now I can see if you have a valid user, password.

Sure I have to try over and over but it exposed your validation set on the model.

Stay away from live validation as such it sucks!

Dave

From: cake...@googlegroups.com [mailto:cake...@googlegroups.com] On Behalf Of Eric Haskins
Sent: Friday, August 16, 2013 9:29 PM
To: cake...@googlegroups.com
Subject: Re: Data validation: Client or Server?

 

 

We always use both if not both server-side 

 

 

Eric Haskins

High Octane Brands 

http://highoctanebrands.com

On Friday, August 16, 2013 7:32:29 AM UTC-4, jer...@anthemwebsolutions.com wrote:

I wanted to get some opinions on this. Cake's validation structure is easy to apply and works flawlessly (so far, wink,wink). But I've also written some data validation with jQuery which is activated at the client side.

Is there still a need to validate at the server if most browsers support javascript? Do some of you leave off the server side validation in lieu of client side? How's that HTML5 data validation working for you?

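Added example, not part of the thread and not CakePHP code: a plain-PHP sketch of the two server-side defences the messages above describe, a live-validation endpoint that refuses any field the client swaps in, and a render-time/submit-time check. All function names, the signed render token, the placeholder secret and the 3-second threshold are assumptions made for illustration.

```php
<?php // PHP 7.4+; all names are hypothetical, none are CakePHP API
const FORM_SECRET = 'server-side-secret-placeholder'; // constructed value
const MIN_FILL_SECONDS = 3;                           // assumed threshold
// Format-only rules. No rule here looks anything up in stored user data.
function rules(): array {
    return [
        'name'    => fn(string $v): bool => preg_match('/^[\p{L} .\'-]{1,80}\z/u', $v) === 1,
        'company' => fn(string $v): bool => trim($v) !== '' && strlen($v) <= 120,
        'country' => fn(string $v): bool => preg_match('/^[A-Z]{2}\z/', $v) === 1,
    ];
}

// Live (AJAX) check: the field name is client input, so only allowlisted fields run.
function liveValidate(string $field, string $value): array {
    $rule = rules()[$field] ?? null;
    return $rule ? ['ok' => $rule($value)] : ['ok' => false, 'error' => 'unsupported field'];
}

// Render time travels with the form, signed so the client cannot alter it.
function issueRenderToken(int $now): string {
    return $now . '.' . hash_hmac('sha256', (string) $now, FORM_SECRET);
}

function filledTooFast($token, int $now): bool {
    $p = is_string($token) ? explode('.', $token, 2) : [];
    if (count($p) !== 2 || !ctype_digit($p[0])) return true;
    if (!hash_equals(hash_hmac('sha256', $p[0], FORM_SECRET), $p[1])) return true;
    return $now - (int) $p[0] < MIN_FILL_SECONDS;
}

// Final submit: timing check, then every rule again on the server.
function handleSubmit(array $post, int $now): array {
    if (filledTooFast($post['render_token'] ?? null, $now)) {
        return ['accepted' => false, 'reason' => 'timing'];
    }
    foreach (rules() as $field => $rule) {
        $v = $post[$field] ?? '';
        if (!is_string($v) || !$rule($v)) {
            return ['accepted' => false, 'reason' => "invalid $field"];
        }
    }
    return ['accepted' => true];
}

// Constructed sample input
$form = ['name' => 'Ada Lovelace', 'company' => 'Example Ltd', 'country' => 'GB',
         'render_token' => issueRenderToken(1000)];
var_dump(liveValidate('password', 'hunter2')['ok']); // field outside the allowlist
var_dump(handleSubmit($form, 1001)['accepted'], handleSubmit($form, 1010)['accepted']);
```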