-1

I want to preface this question by saying I know that client side validation is always necessary, but I want to know this anyway.

Assume the following:

I have a form

<form id="update_form" action="/App/appManage/" method="post">
     <input name="data[test]" value="1" type="text" id="AppModified"/> 
</form>

And a submit button OUTSIDE of the form.

<a id="update_button" class="btn btn-primary btn-medium">Update</a>

This button submits via the following Jquery:

<script>
  $(document).ready(function() {
    $("#update_button").click(function() {
       $("#update_form").submit();
    });
  });


//Form Validation
$("#update_form").validate({
    rules: {
        "data[test]": "required"
    },
    messages: {
        "data[test]": "Please enter a value for this field"
    }
});

</script>

There is no ajax involved.

If a user disables javascript and clicks the update button no action takes place. (tested)

If the user hits enter in any of the fields on the form, it does not submit the form (tested)

If the user has javascript enabled and clicks update and the input field is left blank they are not able to submit the form and a message flashes under the field asking you to please fill it out (tested)

On submit the form saves the value entered in the input field to my database.

My question is:

How can someone get a blank value for that field in my database?

P.S. I know there is probably a way, but I want to know what it is! I don't know what to know how to improve my code, or be told that I should be using server side validation to ensure that it's not blank before inserting the record into my database, simply what a malicious user would do verbatim to circumvent my code here.

Just so everyone knows, through a friend I discovered another way to circumvent this type of validation. You can just create the submit element yourself in firebug and submit the form with the field blank like that.

4

1 回答 1

1

任何人都可以使用无效数据向您的站点发送 HTTP POST。他们根本不需要使用您的网页。有数以千计的工具可以实现这一目标。例如,使用 Web 浏览器的内置 JavaScript 调试器,您可以轻松发送

$("#submit").trigger('click')

没有先通过验证。正如 Oswald 所指出的,服务器端验证才是王道。客户端验证不是为了安全,而是为了用户体验。

于 2013-06-27T19:44:59.710 回答