
HTML5 Form Validation with PHP Validation


SavLE


Hello,

 

I recently got a little heavier into HTML5 and CSS3, especially when it comes to form design and validation.

My question is with all the new "required" and pattern specification features for passwords, as shown here: http://www.alistapart.com/articles/forward-thinking-form-validation/

 

Is it practical to scale back on PHP form validation, or would you use this as just an extra security blanket?

 

Thanks,

Sav


Backend validation is a must as HTML can be edited on the fly or simply saved to a local host then edited and submitted.

I always at least use a randomly generated token to authenticate the user and ensure the form is only submitted from my servers.

 

A quick example of how the aforementioned form could be hacked would be as follows...

1 - Hacker visits your site and finds a form to play with.

2 - They write a simple JavaScript function to change your site, on the fly, removing any HTML5 validation put in place.

3 - After the validation has been removed, code is injected.

 

 

You should also white-list any POST variables as injection or tampering is, again, very easy to do locally or on the fly.

 

There are many ways around simple validation such as that used in the A List Apart article. They focus on user experience and not security, so it shouldn't be seen as such.

 

Some people I know love using JavaScript to validate user input. It's worth remembering that JavaScript can be disabled in the browser so isn't good for security.

 

Getting to the point, albeit long-winded: UX and security should be seen as two completely separate issues.

Have some code to help the user enter the correct data, providing feedback where required (frontend - JavaScript for example).

Have separate code to prevent any malicious users rooting your server (backend - PHP for example).
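As an added illustration of the backend side described in the reply above (example code, not from the original post or the linked article): a PHP handler that whitelists the expected POST fields, re-applies the same "required"/pattern constraints the HTML5 attributes express, and checks a per-session random token so the form can only be submitted from a page the server rendered. The field names and the password rule are assumptions for the example.

```php
<?php
// Added example (not from the original post): server-side checks that mirror
// the HTML5 "required"/pattern attributes, plus a per-session CSRF token.
// Field names and the password pattern are assumptions for illustration.
session_start();

// Step 1: issue a random token when rendering the form (one per session here).
function csrf_token(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Step 2: on submit, reject anything that did not arrive with a matching token.
function csrf_check(array $post): bool {
    return isset($post['csrf_token'], $_SESSION['csrf_token'])
        && hash_equals($_SESSION['csrf_token'], $post['csrf_token']);
}

// Step 3: whitelist the fields we expect; every other POST key is dropped.
function validate_signup(array $post): array {
    $allowed = ['email', 'password', 'csrf_token'];
    $data = array_intersect_key($post, array_flip($allowed));
    $errors = [];

    if (!csrf_check($data)) {
        $errors['csrf_token'] = 'Invalid or missing form token.';
    }
    // Same constraint the HTML5 attributes express, re-applied here because
    // the client-side attributes can be removed by whoever controls the browser.
    $email = filter_var($data['email'] ?? '', FILTER_VALIDATE_EMAIL);
    if ($email === false) {
        $errors['email'] = 'A valid e-mail address is required.';
    }
    // Assumed policy: 8+ chars with at least one letter and one digit (the same
    // rule a pattern="..." attribute would carry, enforced where it counts).
    $password = $data['password'] ?? '';
    if (!preg_match('/^(?=.*[A-Za-z])(?=.*\d).{8,}$/', $password)) {
        $errors['password'] = 'Password must be 8+ characters with a letter and a digit.';
    }
    return ['ok' => $errors === [], 'errors' => $errors, 'email' => $email];
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $result = validate_signup($_POST);
    // On success: store password_hash($password, PASSWORD_DEFAULT), never the plain text.
    // On failure: re-render the form with $result['errors'] as feedback for the user.
}
```

Embed `csrf_token()` in a hidden input when rendering the form; the browser-side attributes stay purely as UX, since this handler never trusts them.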
