RE: Help: Suggestions for multi page form validation

I do not do any JavaScript validation, and try to avoid it if at all
possible as you cannot guarantee that the client has JavaScript enabled,
much like relying on cookies.

If you are concerned about 'crafty hackers' you'll probably need to check
every form element. You probably also want to check somehow that page2.php
is actually being called from page1.php and not by any other means.

Others on the list are much better equipped to deal with these matters than
I, as I don't currently lock down my application to this degree.

If you have not already, get along to Chris Shiflett's site, it's got some
great info.

http://shiflett.org especially: http://shiflett.org/articles

HTH
Graham

> -----Original Message-----
> From: Stuart Felenstein [mailto:stuart4m@xxxxxxxxx]
> Sent: 19 October 2004 10:26
> To: Graham Cossey; php-general@xxxxxxxxxxxxx
> Subject: RE:  Help: Suggestions for multi page form validation
>
>
> If it's okay I'll throw out two more questions then.
>
> 1-Probably a silly question, but is it a "faux pas" if I
> don't do client side [JavaScript] validations?
>
> 2a-  Textboxes - provided I'm not allowing special
> characters (only alphanumeric) does this alone protect
> me from things like "SQL injections"?
>
> 2b- Do selects (menus, dropdowns) need to be validated
> for string content.  aka, can crafty hackers turn
> these into a way to enter some funky data ?
>
> Thank you,
> Stuart
>
>
> --- Graham Cossey <graham@xxxxxxxxxxxxxxx> wrote:
>
> > Personally I would do as you suggest in 1. I would
> > think your users would
> > get rather annoyed if they had gone through several
> > form pages to be told at
> > the end of an error in form page1.
> >
> > So, page2 validates page1 etc. I would assume that
> > page2 already does some
> > processing of page1 anyway, as I believe you are
> > adding the for.........
>

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
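
The two server-side checks mentioned in the reply above (validate every form element, selects included, and confirm that page2.php is being reached from page1.php), as an added example that is not part of the original message or from anyone on the list. The field names, the token key and the allow-list are assumptions; in a real page $session would be $_SESSION after session_start() and $post would be $_POST.

```php
<?php
// Added example; field names, token key and allow-list are assumptions.
const ALLOWED_COUNTRIES = ['GB', 'US', 'CA']; // options page1.php rendered in its <select>

// page1.php: store a one-time token in the session and emit it as a hidden field.
function issue_step_token(array &$session): string
{
    $session['step1_token'] = bin2hex(random_bytes(16));
    return $session['step1_token'];
}

// page2.php: returns the names of the checks that failed; empty means accept.
function validate_step1(array $post, array &$session): array
{
    $errors = [];

    // Did this POST come from the form page1.php served to this session?
    $expected = $session['step1_token'] ?? '';
    $given = is_string($post['token'] ?? null) ? $post['token'] : '';
    unset($session['step1_token']); // single use: a replayed POST fails
    if ($expected === '' || !hash_equals($expected, $given)) {
        $errors[] = 'token';
    }

    // Text box: alphanumeric only, bounded length, must be a string (not name[]=...).
    $name = $post['name'] ?? null;
    if (!is_string($name) || !preg_match('/\A[A-Za-z0-9]{1,40}\z/', $name)) {
        $errors[] = 'name';
    }

    // Select: the client can submit any value, so compare against the allow-list.
    $country = $post['country'] ?? null;
    if (!is_string($country) || !in_array($country, ALLOWED_COUNTRIES, true)) {
        $errors[] = 'country';
    }
    return $errors;
}

// Constructed sample requests (not from the thread), runnable with the PHP CLI.
$session = [];
$good = ['token' => issue_step_token($session), 'name' => 'Stuart', 'country' => 'GB'];
var_dump(validate_step1($good, $session));

$bad = ['token' => 'guessed', 'name' => "x';--", 'country' => 'ZZ'];
var_dump(validate_step1($bad, $session)); // no token was issued for this request
```

Input validation of this kind narrows what reaches the database, but values used in SQL should still be passed through prepared statements rather than concatenated into the query.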

