Matt Fellows wrote:
> What John is saying is that AJAX is JavaScript, yes, but it can also
> make calls to the server (using the XMLHttpRequest object), thus it
> validates using server-side technologies such as PHP.

What you describe is what AJAX actually is; however, the term is often
misused to include any action or change to the page which doesn't
include a page refresh. Whether it's drag-and-drop, or popping up an
error message (especially without a JavaScript alert box), that's AJAX,
or at least according to most clients. It was my impression that Tee was
making that error. So, whether the validation done before leaving the
page was done client-side or server-side via (true) AJAX is irrelevant.
What is most important is that the data is validated AFTER YOU LEAVE THE
PAGE, even if it was already validated before.

> But what is misleading is that validation using AJAX can be disabled
> quite easily simply by disabling JavaScript, rendering a nice big
> security hole.

Even with JavaScript working perfectly, it's child's play to send
whatever garbage (or worse) you want to the server. For example, there's
a Firefox add-on, Tamper Data, which allows you to intercept and modify
all calls to the server. So the issue of whether or not JavaScript is
enabled is irrelevant to that "nice big security hole."

> That is where the true server-side validation must double-check.

And that's my bottom line.
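
The pattern the message argues for, as an added example that is not part of the original thread: one server-side rule set backs both the AJAX pre-check and the final submit, and the submit handler re-runs it no matter what the browser claims. The field names, rules, handler names and sample requests are assumptions made for illustration, and request bodies are assumed to arrive already parsed into string fields.

```javascript
// Added example: names, rules and sample requests are constructed assumptions.

// Single source of truth for the rules; it runs only on the server.
const RULES = {
  email: v => typeof v === 'string' && v.length <= 254 &&
              /^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(v),
  quantity: v => typeof v === 'string' && /^[1-9]\d{0,2}$/.test(v), // 1..999
};

function validate(fields) {
  const src = fields && typeof fields === 'object' ? fields : {};
  const errors = {};
  for (const [name, ok] of Object.entries(RULES)) {
    // Own-property lookup only, so inherited properties are never validated
    const has = Object.prototype.hasOwnProperty.call(src, name);
    if (!ok(has ? src[name] : undefined)) errors[name] = 'invalid';
  }
  return errors;
}

// Endpoint called via XMLHttpRequest while the user is still on the page.
// Its answer is a usability hint for the browser, nothing more.
function handleAjaxCheck(body) {
  const errors = validate(body);
  return { status: 200, body: { ok: Object.keys(errors).length === 0, errors } };
}

// Endpoint that receives the real submission. It re-runs every rule and
// ignores any client claim that validation has already happened.
function handleSubmit(body) {
  const errors = validate(body);
  if (Object.keys(errors).length > 0) return { status: 400, body: { errors } };
  // Only the known, validated fields are carried forward
  const clean = { email: body.email, quantity: Number(body.quantity) };
  return { status: 200, body: { saved: clean } };
}

// Constructed requests: one as the form would send it, one altered in transit
const honest = { email: 'tee@example.org', quantity: '3' };
const altered = { email: 'tee@example.org', quantity: '-5', validated: 'true' };
console.log(handleSubmit(honest).status, handleSubmit(altered).status);
```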