i use remote method of validator for checking if username exists in DB
my scenario:
form with one field (username of course)
i filled field
it passes validation, but i don't sending form yet
going to DB inserting username that i filled in form that i still don't sent yet
returning to my form press on submit btn
voila, it pass validation (here the issue if u don't understand yet)
of course i did validation on the server side too, but it will be great that validation for remote method will fire too when sending form
p.s. i'm using 1.5.5 version but see that this issue still exists
If I'm reading this properly, jQuery is not at fault here.
If this isn't correct let me know. I am imagining a registration form.
I go to your form, enter a username. jQuery says the username is available using the remote validation technique.
Before I click submit, someone else submits the same form with the same username, and gets it.
I can still submit the form, even though I have an already taken username.
This is a classic scenario. A concurrency problem. The data is now stale that was pulled by jQuery validation during my registration. You need to adjust for this scenario in your remote page or make jquery validation run on form submit as well. You could just call validate() on your form in the submit method of your form.
Related
I am using ReCaptcha 2 on a webpage. The user enters the username and password and is validated through an Ajax call. (Of course, the user will need to verify ReCaptcha before clicking the submit button). If the validation fails, I want to give another chance to resubmit data. However, the ReCaptcha validation fails with 'duplcate submission error' It seems that a validated ReCaptcha cannot be submitted again. So my question is -- how can I reset a verified ReCaptcha so that the user could reverify it? I am using JavaScript, jQuery and Vue.js
Use the reset() method, e.g
grecaptcha.reset();
So I have page with simple form. To submit this form I need person submitting to check checkbox (some privacy policy etc).
I have the form like this:
<form role="form" class="form" id="zamowienie" action="send_order.php" method="post">
<button type="button" id="wyslijZamowienie">SEND</button>
<input type="checkbox" id="regCheckbox" value="">
</form>
(Of course, every distracting inputs are deleted.)
Then I have script that shall submit form only after checking the checkbox.
button.on("click",function(){
if ($("#regCheckbox").is(":checked")) $("#zamowienie").submit();
Unfortunately, I found out that user can change localy the button type from "button" to "submit" and he will be able to submit the form ignoring my submit protect script.
And additional question. I am not an expert but I started wandering what else can do user with FireBug or dev tools. Can he perform any attacks this way?
Many thanks for any answers or guidance.
The user is able to change your form in many other ways, not just changing the type attribute of the button, the best is to check it on the server side too, for example, you should do something like this:
Validate via Jquery:
$("#zamowienie").submit(function(e) {
if(!$('input[type=checkbox]#regCheckbox:checked').length) {
//stop the form from submitting
return false;
}
//Continue and submit the form
return true;
});
Validate in the backend:
If you are using PHP in the backend for example, you have to check if the checkbox is checked, with something like this:
Note: Your checkbox need a name attribute, let's say mycheckbox
if (isset($_POST['mycheckbox'])) {
//Process your form
}
else{
//Checkbox was not checked, print an error message or something
}
Always validate your code in the backend, the Javascript validation is just a plus for usability and User Experience.
That's one of the reasons why you always validate on the server.
There's no problem validating on the FrontEnd, but you need a double check from the server so you guarantee that all the data is as you expected.
As for the Firebug/Chrome Dev Tools question, anyone can pretty much edit everything from your FrontEnd. From CSS to JS. Even if you minify it!
Consider that the user can do everything he wants. He can modify everything in your form or even create another one targeting the same url and create a script to submit it 1000 times.
That's why you often read :
Never Trust User Input
This means you have to check the whole request on server side : check the method used, check that the fields you are expected are set with data types that you expect.
To summarize : Front end is just here to help the "usual" user to communicate with your server, but on server side (back end), you have to expect every input possible.
In the simple javascript drop-in UI, when the form is being submitted, braintree.js will intercept the form submission and inserts a hidden field named "payment_method_nonce" into the form, before the submission actually goes to the server.
However, when using the AngularJS as the frontend framework, I generally don't want the form submission to directly go to the server and then do a page reload. Instead, I want my AngularJS function to intercept and deal with the form submission (e.g., via ng-click or ng-submit), AND in its processing it needs to retrieve and use the "payment_method_nonce" value.
I tried it and it can still intercept the form submission. However, it seems like AngularJS intercepts the form submission BEFORE braintree.js does and inserts the "payment_method_nonce" field.
Hence, my AngularJS code that responds to the form submission cannot retrieve that "payment_method_nonce" field and perform appropriate processing. Any suggestions on how I can work around this?
Thanks!
After reading more braintree docs, it turns out registering a paymentMethodNonceReceived callback when setting up the braintree gateway is the right way to go!
Before submitting a form, i use javascript code (surrounded in PHP) in order to make locally some controls but sometimes javascript may not be enabled client-side.
The fact is that I have to check by pattern/regex each control of the form for example checking email, phone number,.. format so that user cannot enter anything haphazardly. Therefore, if javascript is not enabled, the form must not be submitted, even if all field are fulfilled out.
Therefore my question is to know if there is a tag or function which allow to perform what i want to?
Thank for your help
JavaScript runs client-side.
That means that users have FULL CONTROL over it.
Then, if they want to disable it, you can't do anything about it.
The only thing you should do is be sure that users with JS disabled will be able to submit the form too.
If you use JS to validate the form, be aware that users have FULL CONTROL over it, so they can send the form if they want, even if your code says that it's invalid.
The right way to do it is:
Be sure users without javascript can send the form
Implement client-side validation for users with javascript activation. This way they will have a better user experience (because can know if the data is invalid immediately) and is less server intensive (your server will have to validate less invalid forms).
ALWAYS validate the submited form server-side. Data coming from a client is always UNTRUSTED, even if you think you have validated it.
Hi I am using this form validation Plugin to validate a form
http://bassistance.de/jquery-plugins/jquery-plugin-validation/
I need to check one email field valid and it exists in db or not.
any solutions appreciated !
First use that plugin to validate if email field is correct. After that use for example .ajax()-function from jquery to send validated email to server. I don't know what is your backend, so it is hard to say how exactly you should do the backend part, but basicly you need to do database query which checks if email is in the database or not. After that function can return value to client and so on...