On Saturday 10 June 2006 21:08, jekillen wrote:

> You misunderstand my question. I know the limitations of javascript.
> The server won't respond to events registered in the browser. I write
> tons of forms that are all processed
> by the client with javascript. I have written ferocious regex filters
> that hack apart form submissions before they even leave the client. I
> have set it up so if the client doesn't
> have javascript enabled, the form won't submit if it is going to the
> server. That is why as much as possible I shift form processing to the
> client as much as possible, for
> security and to offload work to the client. I use php to dynamically
> write js files when necessary, anticipating what data will be
> requested.

"...shift form processing to the client as much as possible, for security..."

Client-side security isn't. Your server has no way of telling if the data it's receiving is from a properly set up client that did the correct JS filtering, or if it's from someone writing a simple bot/script/program that's just sending GET and POST requests to you. Your PHP should never trust the client to be benign.

--
Larry Garfield AIM: LOLG42
larry@xxxxxxxxxxxxxxxx ICQ: 6817012

"If nature has made any one thing less susceptible than all others of exclusive property, it is the action of the thinking power called an idea, which an individual may exclusively possess as long as he keeps it to himself; but the moment it is divulged, it forces itself into the possession of every one, and the receiver cannot dispossess himself of it." -- Thomas Jefferson

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
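The point made in the reply above, as an added example that is not part of the original thread: the server applies every rule itself, so a request that never passed through the form's JavaScript is judged the same way as one that did. The form, its field names (`username`, `email`, `age`), the limits and the function name `validate_signup` are all hypothetical.

```php
<?php
declare(strict_types=1);

// Added example: hypothetical signup form with fields username, email, age.
// Returns [clean values, errors keyed by field name].
function validate_signup(array $input): array
{
    $clean = [];
    $errors = [];
    // Reject fields the form does not define instead of passing them along.
    foreach (array_diff(array_keys($input), ['username', 'email', 'age']) as $extra) {
        $errors[(string) $extra] = 'unexpected field';
    }
    // A scripted client can send an array where the form sends a string.
    $username = $input['username'] ?? null;
    if (!is_string($username) || preg_match('/\A[A-Za-z0-9_]{3,20}\z/', $username) !== 1) {
        $errors['username'] = '3-20 letters, digits or underscores';
    } else {
        $clean['username'] = $username;
    }
    $email = $input['email'] ?? null;
    if (!is_string($email) || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors['email'] = 'invalid e-mail address';
    } else {
        $clean['email'] = $email;
    }
    // filter_var() returns false for missing, non-numeric or out-of-range input.
    $age = filter_var($input['age'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 13, 'max_range' => 120]]);
    if ($age === false) {
        $errors['age'] = 'must be an integer from 13 to 120';
    } else {
        $clean['age'] = $age;
    }
    return [$clean, $errors];
}

// Constructed inputs: what the browser form would submit after its JavaScript
// checks, and what a request sent without the form can contain.
$samples = [
    'via browser form' => ['username' => 'alice_01', 'email' => 'alice@example.com', 'age' => '34'],
    'sent directly'    => ['username' => ['x'], 'email' => 'not-an-address', 'age' => '-1', 'extra' => '1'],
];
foreach ($samples as $label => $post) {
    [$clean, $errors] = validate_signup($post);
    echo $label, ': ', $errors ? 'rejected ' . json_encode($errors) : 'accepted ' . json_encode($clean), "\n";
}
```

In a real handler the function would be called with `$_POST`, and only the returned clean values would be used afterwards.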