I am building a website and I have a questions with forms on login/registration page. I have a few standard javascript validations on the login page. My questions is should I just disable the login button if javascript is disabled or should I keep PHP validations on the server side code?
Which is a better approach in terms of security? I am planning to keep login/registration button disabled and only enable it by javascript. That way I can avoid writing PHP side validation of the same JavaScript that is already there. Is it a secure way of doing it?
Thanks
Overall, use PHP. Javascript can be easily fooled and/or turned off entirely. At that point your server gets supplied with whatever Mr Malicious End User wants you to have, and you won't be stopping them.
Use PHP for validation, and if you want it to look fancy, put javascript on top. But ALWAYS server-side validate.
As a general rule of thumb, anything relating to security or prevention of particular user behaviors, don't rely on javascript or CSS to stop something from happening on a page. Since scripts and css can be overridden or disabled in the browser, you'll have no protection against that behavior if they do so.
Server side is the correct place for implementing preventative security precautions.
Also, note that doing both is very nice for user experience, but server side is the only definitive place for preventing unwanted data making it through.
Every client-side validation MUST be replicated server-side to ensure security. Your client side scripts can be easily replaced by a malicious user in order to bypass your validation completely and buttons can be re-enabled fairly easily with web debugging tools.
However, it is sometimes wanted for user convenience to also include client-side validation. In which case, you have to validate both server-side (PHP) and client-side (Javascript).
PHP side validation is better .
Client side validation is NOT secure because it can easily be hacked. It is for user convenience only. For example, in response to client-side validation, the user can fix mistakes before the form is submitted. That saves the user time, and they appreciate your site.
Security validation must take place on the server
You must validate your data on the server and parse the answers of it with Javascript. Only use Javascript to add/remove HTML content and create better user interfaces.
Always take this into account: What happens if the user disables Javascript in his/her browser?
