I have looked through many threads and/or questions on the internet looking for a clear answer but so far havn’t gotten any.
A part of the question was already answered (unless you tell me it is wrong). Data validation should be done client side AND server side. Client side to notify the user of data who is invalid and to offload the server and as well on the server to prevent any kind of attacks.
Validating on both sides can be a tedious task though and I wondered if there was some way to do it so that you don’t have so much duplicated code.
There is also something else I was wondering…I have a table with rows who contain the id (of the database) of that row. At the end of each row I have a delete button to delete it from the html, my JSON object who contains an array of my values and who is sent to an ajax call to be deleted from the database (a link between 2 tables).
This isn’t safe (well in an unsafe environment like the internet) and I know it. I can always check client side to see if the id is only numbers and if so then check server side if it exists. But who tells me the user did not go in the debugger and inverted 2 lines and end up deleting rows who should not be? What would be the best way to have my ids and be safe from people inverting them?
Any suggestions appreciated
It is not really needed to do it client side IMHO. But it is nice to be able to notify the user before submitting the data. So I would call it a pre.
Because PHP is serverside and javscript is clientside it isn’t really easy to prevent duplication of code. There is one way that I know of however using xhr requests. This way you can use the php validation in javascript (clientside).
Please tell me you are using CSRF protection. 🙂
To prevent malicious sql injected you should use prepared statements and parameterized queries.