Tutorial :PHP - Server Side Validation - Is this a good method?


I have done extensive client-side validation through the help from jQuery. Now come to the server side validation, if I found some fields are not valid, can I simply return an error to client and without any useful message?

My assumption is that the user has to enable JavaScript in order to access my webpage. The user will not see the form if the web browser disabled the JavaScript. I can simply use noscript to do that. If they submit the information through the form I designed, there should be no invalid field submitted to server. Thus, if I found any invalid field in server side, then my form is corrupted by some hacker rather than some regular users.

Does my understanding make sense to you?

< The following message is appended based on comments from many experts here > I am sorry that I didn't mention my question clearly here. I always do server side validation b/c I should not trust any user input.

However, my point here is that whether or not I should pass the server side error message to the user. Since, if a user uses my form and submits the form to server PHP, there should never be an invalid field. If such thing happens, then I assume that some hackers are playing with my PHP. So I would like to ignore them.

The major reason why I try to avoid passing the server side error messages back to client is that I didn't find a better solution to do so. I have posted several related questions here without good suggestion or examples.

< --- END ---- >

Thank you


In your situation, it sounds like you can be fairly certain that valid users won't be hitting PHP validation errors. So you can respond with slacker error messages. You really ought to give some decent indication of what went wrong though. If you don't, you'll regret it one day when the javascript fails for some reason (like you changed it and didn't test well enough).


You should always always have server-side validation.

I would suggest you to have a look at:

The client side validation is always a good idea and you should go for it but server-side validation should be a must and good coding practice.


Client side validation is only for users that actually use your site. Spam-bots, etc can easily omit it, so there always should be validation at the server site. When validation error is occurred a message should be sent back to user, that informs what is wrong.

Never use only client side validation. It can be only an extras.


Server validation is absolute must have for every web application because it's really easy to send fake headers. For example, you javascript do not allow to enter letters to the form, but I can simply send fake headers containing letters, digits etc.


Validation of anything on the client is only useful to help your users catch mistakes like "oh, you didn't give us a Last Name, please go fill that in". Someone such as myself can simply send any request I desire what-so-ever to your server, be able to deal with it, or be ready to deal with a potentially corrupted database and a CD-Rom of your customer's CreditCard numbers floating around Estonia.

Having the server reply with the form depends on how your structure your code-- eg, if it's ajax or whatever. But reporting the problem is always nice to have.


I always send a useful error message back. You will likely need a way for the server to report other error conditions anyway (database errors, etc.).

Note:If u also have question or solution just comment us below or mail us on toontricks1994@gmail.com
Next Post »