> Ok....
>
> So I've been getting into jQuery a lot lately. And being able to
> do some of the user enhancements has been great.
>
> I've also begun, as one of those user enhancements, to use
> client-side validation. Not for logins, but for mortgage calculators,
> property search request forms, etc. Not critical, but important.
>
> But now that I've started down the client-side validation road, I hear
> from passersby, "No! You should always validate server-side or both!"
>
> (I did experiment with jQuery to use Ajax to validate server-side with CF,
> but couldn't quite pull it off, so for a mortgage calculator, I went totally
> client-side just to get the project moving again...)
>
> But, apart from the "some users don't have Javascript turned on" argument,
> why can't JS code be written that can validate as well as CF? (I know I
> can't write the JS code right now, but that's beside the point...)
>
> Thoughts?
>
> Rick
Disclosure: I have not read all the replies and I have only been programming for about 1.5 years. I have been developing a web site for about a year and it has not been launched yet, but I can tell you what security measures I have taken with regards to JS. As far as I know, the best way to approach security is with layers; here is what I have implemented.

1. I test all pages that use JS to make sure scripting is turned on; if it is not, the user is sent to an error page explaining what happened and how to fix it (turn it on).

2. I validate all text fields (with JS) to make sure the code meets my parameters.

3. I use <cfset THIS.scriptProtect="ALL"> to remove malicious code from forms being submitted to the db.

4. I use this code to guard against user modified form submissions:

    <!--- Referer header missing, or not pointing at this host: treat the submission as tampered --->
    <cfif NOT len(cgi.http_referer) OR NOT findnocase(cgi.http_host, cgi.http_referer)>
        <!--- cfabort ends the request here, so the cflocation tags below are never reached --->
        <cfabort showError="ACTION ABORTED! PROBLEM DETECTED!">
        <cflocation url="../../ErrorMessages/Error.cfm">
        <cflocation url="../../OA/index.cfm">
    </cfif>

5. I do not allow access (to JS pages) with the Opera browser; I send the user to an error page explaining that that browser is not currently supported.....yet, and I provide them a list of the browsers that are supported. Opera enables the user to overtly bypass JS. If JS is turned on, Opera tells you this and gives you the option to ignore the JS and continue on with your submission. To fix this (in the next version of my web site) I will need to have client side and server checking available, and automatically send Opera browsers to the server side checking version.

I'm sure some of these things can be defeated, but what can you do, you need to protect your web site, and at the same time not drive the users away. It's a balancing act.
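The thread's point, that JS can validate just as well as CF but only the copy that runs on the server is enforceable, shown as an added example (not code from either poster): one dependency-free validator for a mortgage calculator form that the browser can call from jQuery and the server calls again on the raw POST body. The field names, ranges and a framework-neutral handler are assumptions for illustration.

```javascript
// Added example: one set of validation rules, applied on the client for usability
// and re-applied on the server for enforcement. The client copy can be disabled
// or edited by the user, so only the server-side call protects the application.

// Assumed fields for a mortgage calculator form (not from the original post).
const RULES = {
  principal: { min: 1000, max: 10000000 },
  rate:      { min: 0.01, max: 30 },            // annual percent
  years:     { min: 1, max: 40, integer: true },
};

// Pure validator: takes raw string fields exactly as they arrive from a form post
// and returns { ok, errors, values }. No DOM, no framework, so it runs anywhere.
function validateMortgageForm(fields) {
  const errors = [];
  const values = {};
  for (const [name, rule] of Object.entries(RULES)) {
    const raw = fields[name];
    // Reject missing fields and anything that is not a plain decimal number.
    if (typeof raw !== 'string' || !/^\d+(\.\d+)?$/.test(raw.trim())) {
      errors.push(`${name}: must be a number`);
      continue;
    }
    const n = Number(raw);
    if (rule.integer && !Number.isInteger(n)) errors.push(`${name}: must be a whole number`);
    if (n < rule.min || n > rule.max) errors.push(`${name}: must be between ${rule.min} and ${rule.max}`);
    values[name] = n;
  }
  return { ok: errors.length === 0, errors, values };
}

// Server-side handler (framework-neutral, assumed): the request body is untrusted
// input whether or not the browser ran the client-side copy of the validator.
function handleSubmission(body) {
  const result = validateMortgageForm(body);
  if (!result.ok) return { status: 400, errors: result.errors };
  const { principal, rate, years } = result.values;
  const r = rate / 100 / 12;               // monthly rate
  const n = years * 12;                    // number of payments
  const payment = principal * r / (1 - Math.pow(1 + r, -n));
  return { status: 200, monthlyPayment: Math.round(payment * 100) / 100 };
}

// Constructed submissions: one normal, one that the client-side check would have
// rejected but which reaches the server anyway (JS off, or the request was edited).
const normalSubmission = { principal: '200000', rate: '6', years: '30' };
const tamperedSubmission = { principal: '-1e99', rate: '<script>', years: '30.5' };
console.log(handleSubmission(normalSubmission));    // status 200, monthlyPayment 1199.1
console.log(handleSubmission(tamperedSubmission));  // status 400 with three errors
```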
Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:275684