I have a registration form on my website and I have 3 input boxes for the Date of Birth which are coded like this...
<input name="dd" id="dd" type="text" value="DD" size="2" />
<input name="mm" id="mm" type="text" value="MM" size="2" />
<input name="yyyy" id="yyyy" type="text" value="YYYY" size="4" />
I then have a JavaScript validation page which is run on Submit. This page checks that the fields are not empty and that they are between a certain number e.g. between 1 and 31 for Day
Here is the JavaScript for the 'dd' field...
var nulld=document.forms["create"]["dd"].value;
if (nulld==null || nulld=="")
{
alert("Please enter a day between 1 and 31");
return false;
}
var dd=document.forms["create"]["dd"].value;
if (dd >= 1 && dd <= 31)
{}else{
alert("Please enter a day between 1 and 31");
return false;
}
So I have this code, but I've noticed that someone is disabling JavaScript on this computer and is creating loads of accounts with incorrect data. How do I stop this from happening? Or is the only way to do it to add code that checks if JavaScript is disabled and divert them to an error page like this...
<noscript><meta http-equiv="refresh" content="1;url=nojavascript.html"></noscript>
Is there another way to do it where users can still create an account without JavaScript but still have the Validation?
Asked Aug 8, 2012 at 8:20 by Ben
- 5 Always validate on the server. There will always be ways around client-side-only validation. – James Allardice Commented Aug 8, 2012 at 8:22
- 1 This is why one must never rely on client side validation only. – Pekka Commented Aug 8, 2012 at 8:22
- 1 And please make sure you accept answers for every question you ask .... – Manse Commented Aug 8, 2012 at 8:24
3 Answers
JavaScript validation is good for one thing only: quickly letting users know that the data they are going to submit to the server will be rejected.
You cannot control what comes into your system. You must check that data is suitable on the server before you start processing it.
Don't worry about making your javascript any "stronger" than it already is; they can send that form without even using a browser, let alone javascript. You must validate data on the server side and reject it if it's wrong.
The javascript validation is just a convenience for those who have javascript enabled so they get fast feedback without having to make a request to the server.
When you implement server-side validation, consider making it as strong as possible. For example, your javascript validation passes invalid dates through.
You must have duplicate validation on the server.
The server side validation must be rock solid - and prevent any unauthorized activity, because you can assume the user could be malicious, and has complete control of the client side.
The client side validation is only there for the convenience of the user, and lends nothing to security of the system. It is there to stop the browser from wasting time fetching validation from the server.
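The server-side check the answers call for, as an added example that is not part of the original question or answers: it validates the raw `dd`, `mm` and `yyyy` strings from the form and also rejects the non-existent dates that the 1-to-31 range check lets through. The function name `validateDob`, its error strings and the 130-year age limit are assumptions made for illustration.

```javascript
// Added example: server-side validation of the dd/mm/yyyy fields posted by the form.
// validateDob, the error strings and the 130-year limit are hypothetical choices.
function validateDob(fields, today = new Date()) {
  const errors = [];
  const parsed = {};
  // Digits only: rejects "", the "DD" placeholder, "1e1", " 5", arrays and missing fields.
  const shapes = { dd: /^\d{1,2}$/, mm: /^\d{1,2}$/, yyyy: /^\d{4}$/ };
  for (const [name, shape] of Object.entries(shapes)) {
    const raw = fields[name];
    if (typeof raw !== "string" || !shape.test(raw)) {
      errors.push(`${name}: expected digits only`);
    } else {
      parsed[name] = Number(raw);
    }
  }
  if (errors.length) return { ok: false, errors };

  const { dd, mm, yyyy } = parsed;
  if (mm < 1 || mm > 12) errors.push("mm: must be between 1 and 12");
  if (dd < 1 || dd > 31) errors.push("dd: must be between 1 and 31");
  if (errors.length) return { ok: false, errors };

  // Build the date in UTC and read it back: 31/02 rolls over into March,
  // so a mismatch means the day does not exist in that month and year.
  const date = new Date(Date.UTC(yyyy, mm - 1, dd));
  if (date.getUTCFullYear() !== yyyy || date.getUTCMonth() !== mm - 1 ||
      date.getUTCDate() !== dd) {
    errors.push("date does not exist in the calendar");
  } else if (date.getTime() > today.getTime()) {
    errors.push("date of birth is in the future");
  } else if (yyyy < today.getUTCFullYear() - 130) {
    errors.push("date of birth is implausibly old");
  }
  return errors.length ? { ok: false, errors } : { ok: true, date, errors };
}

// Constructed sample submissions, as a client with JavaScript disabled could send them.
const samples = [
  { dd: "29", mm: "02", yyyy: "2012" },
  { dd: "31", mm: "02", yyyy: "2012" },
  { dd: "DD", mm: "MM", yyyy: "YYYY" },
];
for (const body of samples) {
  console.log(JSON.stringify(body), JSON.stringify(validateDob(body).errors));
}
```

Call it in the handler that receives the form post and refuse to create the account when `ok` is false; the browser-side script can stay as a convenience.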