In my signup page, I do validation using both JavaScript and PHP.
However, people can see my JavaScript validation functions by viewing the source of the web page. It contains input field names, ids, etc.
So, is it safe that anybody can see them?
asked Apr 21, 2015 at 8:19 by Tharindu Thisarasinghe
- Not being a security expert here, but I don't think there's a lot you can actually do about it, while this might validate them client side, I would recommend that you also do validating server side. – Epodax Commented Apr 21, 2015 at 8:23
- As long as you don't provide any "confidential" information, like passwords and so on to the client, that's good enough. If the validation part related to the pure sign in (username, password, email and so on) is done on the SERVER SIDE and is properly escaped and stored, then it's totally ok. – briosheje Commented Apr 21, 2015 at 8:26
- You can never trust client side validation, it's really only there to provide a better user experience. It's not "dangerous" that people can see the validation logic unless you're not also validating server-side, which it sounds like you are. – ivarni Commented Apr 21, 2015 at 8:27
4 Answers
The validation functions you've quoted don't reveal any information that it seems like you need to keep secret (quite the opposite, actually, telling people what is and isn't required is useful and could make its way to the UI). So they're "safe" in that they don't reveal anything confidential.
If you have validation functions that use information or techniques that you want to keep secret, you'll need to move them to the server, as they wouldn't be "safe" as they'd be revealing confidential information.
You can make it harder for people to understand your client-side validation functions by using an aggressive minifier/obfuscator, such as Google Closure Compiler in advanced mode. But you can't make it impossible: If the browser can read the code, people using the browser can read the code.
And just because we're talking about client-side validation, the usual warning: Even though you're validating client-side, you still have to validate server-side. Users can bypass your client-side code and send in invalid information.
It is safe since your code is reflecting the actions on your page. When you define a max length on your code, you show that to your users by providing some UI and messages. Nothing secretive here, so that's ok.
Also, when you move to production from development, you should consider minifying and obfuscating your JavaScript code to hide your sensitive code from prying eyes. That way you save on bandwidth, and add an extra layer of security for your application.
The JavaScript validation part is not really that much of a security concern because users can't modify or misuse anything if they get past it, but it's the PHP validation that you should be careful with, as, if compromised, it can allow a user to access your database (if your form is linked with your db of course).
JavaScript validation works on the client side. If someone has disabled his browser's JavaScript, it won't work. Moreover, there are not many security concerns in showing JavaScript validation. Always do server-side validation to avoid any type of misconsequences or security measures. In simple:
JavaScript << Client Side Validation
PHP << Server Side Validation.
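
The answers above all come back to re-validating on the server. The following is an added example, not code from the question or any answer, of a PHP check that treats every request as if no JavaScript ran. The field names, limits and sample requests are assumptions constructed for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical signup rules; field names and limits are assumptions.
const USERNAME_PATTERN = '/\A[A-Za-z0-9_]{3,20}\z/';
const PASSWORD_MIN = 8;
const PASSWORD_MAX = 72; // bcrypt (password_hash default) truncates at 72 bytes

/** Validate raw request data; returns field => error, empty when valid. */
function validate_signup(array $input): array
{
    $errors = [];
    foreach (['username', 'email', 'password'] as $field) {
        // A hand-built request can omit a field or send it as an array (field[]=x).
        if (!isset($input[$field]) || !is_string($input[$field])) {
            $errors[$field] = 'missing or not a string';
        }
    }
    if ($errors) {
        return $errors; // type problems first, so later checks see strings only
    }
    if (!preg_match(USERNAME_PATTERN, $input['username'])) {
        $errors['username'] = '3-20 letters, digits or underscores';
    }
    if (strlen($input['email']) > 254
        || filter_var($input['email'], FILTER_VALIDATE_EMAIL) === false) {
        $errors['email'] = 'invalid e-mail address';
    }
    $len = strlen($input['password']);
    if ($len < PASSWORD_MIN || $len > PASSWORD_MAX) {
        $errors['password'] = 'length must be 8-72 bytes';
    }
    return $errors;
}

// Constructed requests: one the client-side script would also accept, and two
// that never went through it (JavaScript disabled, or the form bypassed).
$samples = [
    'valid'         => ['username' => 'alice_01', 'email' => 'alice@example.com', 'password' => 'correct horse'],
    'no JavaScript' => ['username' => 'a', 'email' => 'not-an-email', 'password' => 'x'],
    'array field'   => ['username' => ['x'], 'email' => 'bob@example.com', 'password' => 'long enough pw'],
];
foreach ($samples as $label => $post) {
    $errors = validate_signup($post);
    echo $label, ': ', $errors ? json_encode($errors) : 'accepted', PHP_EOL;
}
```

In a real handler the argument would be `$_POST`, and an accepted request would go on to `password_hash()` and a prepared-statement insert.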