Hi,

[ I tried to post this yesterday before the other replies came in but it got bounced; here's my initial reply which is pretty much the same answer as those posted since: ]

Aside from turning JavaScript off, hackers won't use a web browser to attack your site, they just send web requests direct to your server without using a browser. You can't rely on client side validation, you must use server side validation as well. I cannot stress that highly enough - client side validation is only something to add on to existing server side validation for those clients who support (or don't deliberately bypass) client side validation.

--
Kenny

On Sun, Dec 21, 2008 at 11:29 PM, Dan G. Switzer, II <dswit...@pengoworks.com> wrote:

>> So, this dude from Poland managed to register without a first name,
>> without a last name and likely without an invitation code. I'll deal
>> with the EE issues separately, but is there a known issue where
>> someone can mess with the jquery in the page to bypass the validation
>> that is running?
>
> As David said, client-side validation is purely for the benefit of the
> user--it offers no security to your site. All you need to do is to turn off
> JavaScript to bypass the validation (however, the spammer is probably just
> using a bot to post directly to your submission page.)
>
> -Dan
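
The server-side check this thread calls for, as an added example that is not part of the original messages: a validator that applies the registration rules to the raw form body as it arrives, so a request that never passed through the page's jQuery validation is still rejected. The field names, the invitation-code set and the sample bodies are assumptions constructed for illustration.

```javascript
// Added example: server-side validation of a registration POST body.
// Field names and the invitation-code store are hypothetical.
const VALID_INVITES = new Set(["INV-2008-EXAMPLE"]); // constructed sample value

const NAME_RE = /^[\p{L}][\p{L} '.-]{0,49}$/u; // letter first, max 50 chars

const RULES = {
  first_name: (v) => NAME_RE.test(v),
  last_name: (v) => NAME_RE.test(v),
  invitation_code: (v) => VALID_INVITES.has(v),
};

// Validate an application/x-www-form-urlencoded body exactly as received,
// regardless of whether a browser or a script produced it.
function validateRegistration(rawBody) {
  const params = new URLSearchParams(rawBody);
  const errors = {};
  const clean = {};
  for (const [field, isValid] of Object.entries(RULES)) {
    const values = params.getAll(field);
    if (values.length !== 1) {
      // A missing field is what a direct POST that skips the form looks like;
      // a repeated field is rejected rather than guessing which one to trust.
      errors[field] = values.length === 0 ? "missing" : "duplicated";
      continue;
    }
    const value = values[0].trim();
    if (value === "") errors[field] = "empty";
    else if (!isValid(value)) errors[field] = "invalid";
    else clean[field] = value;
  }
  const ok = Object.keys(errors).length === 0;
  // Only hand back cleaned values when every rule passed.
  return { ok, errors, clean: ok ? clean : null };
}

// Constructed sample bodies: one as the form would submit it, one as a
// script posting straight to the submission URL might send it.
const fromBrowser =
  "first_name=Ada&last_name=Lovelace&invitation_code=INV-2008-EXAMPLE";
const fromScript = "first_name=&email=x%40example.test";

console.log(validateRegistration(fromBrowser));
console.log(validateRegistration(fromScript));
```

The account should be created only when `ok` is true, using the values in `clean` rather than the raw parameters.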