Relying on HTML 'required' for simple form validation

Question

My question is simple, I\'m writing a simple login/registration form for my website using HTML, PHP and jQuery.

Is it neccesary to write the form validation in PHP also

Answer 1

You should never rely on the frontend validation. Nor Javascript or HTML. Users can open your reg form, use firebug or some other tool, inspect the text box and DELETE the required attribute. Also can send to your backend POSTed variable, even without opening your frontend

Answer 2

Validation on the server is a must

You can pretty things up however by validating on both the client and server so the user gets instant feedback, but yes it is neccesary to do validation in PHP.

Answer 3

Is it neccesary to write the form validation in PHP also

You can never depend on any form of client side validation. It can always be bypassed.

People might be using browsers that don't support HTML 5 validation attributes, or might use a DOM inspector to remove them.

JavaScript solutions can be trivialy bypassed by turning off JavaScript.

Forms can be copy/pasted, edited and then submitted from a page owned by the user.

HTTP requests can be constructed by hand without going near a form.

etc. etc.

Client side validation can only ever be provided for the convenience of the user. The protection of your systems can only be handled server side.

Answer 4

It might help to think of client side validation being a usability issue and the server side validation being a security issue.

Where usability might be described as being a "nice to have", security is definitely a "must have".