JRS: In article <1095232552.cZc+BJ+L2P98owmOEXcEjA@teranews>, dated
Wed, 15 Sep 2004 01:15:59, seen in news:comp.lang.javascript, =?UTF-
8?b?TMSByrtpZSBUZWNoaWU=?= <laie@win_remove_get_nospam_solutions.com>
posted :
You should _NEVER_ rely solely on client-side verification. Every web
page should work whether the user has JavaScript enabled or not.
Scripting should only be used to enhance the browsing experience.
Nonsense. Some pages are only possible with scripting running; and some
are designed to be used client-side without post-delivery support from a
server. Never use "never" unless you really mean it.
Consider, for example, <URL:http://www.merlyn.demon.co.uk/js-clndr.htm>,
which has no significant content (bar the links to other pages) without
script running.
Your server (CGI, PHP, ASP, etc) should also verify its input, just in
case JavaScript was disabled or if someone spoofed your form.
If there is a server, and if the correct operation is of real interest
to server-side people, then there should be server-side verification.
But if spoofing has no effect other than on the spoofer, server-side
verification is not needed. Consider the situation where the
calculating engine for js-clndr.htm was server-side : a user enters
spoofed data and gets spoofed results - as is appropriate. (It may be
necessary to trap data that would harm the server, for example by
hogging resources.)
While Web pages and javascript are often used in support of business
transactions, it is a mistake to assume that they always are.
--
John Stockton, Surrey, UK. ?@merlyn.demon.co.uk Turnpike v4.00 IE 4
<URL:http://www.jibbering.com/faq/> JL/RC: FAQ of news:comp.lang.javascript
<URL:http://www.merlyn.demon.co.uk/js-index.htm> jscr maths, dates, sources.
<URL:http://www.merlyn.demon.co.uk/> TP/BP/Delphi/jscr/&c, FAQ items, links.