PHP validation question

I have a form which I am validating on the client side for user interaction and on the server side for data integrity. Now on the client side, when an input is wrong or empty, I show an alert box which shows the error message. Now on the server side, should I run the same checks again (e.g. first name can only be alphabets) or what else should I do?

Yes, you should - what if the user has JavaScript disabled?

If you are going to omit the validation anywhere - you should omit it client side.

Of course. You must. JavaScript validation is only relevant for user experience, but anybody can send invalid data to your server with a little knowledge.

This is a typical form validation problem

  1. on the client (browser), you check the form (e.g. via JavaScript) to kindly help the user quickly (no server exchange) to fill the form correctly.

  2. However, the user may input a mistake / challenge your JavaScript / edit your page / bypass the page protections and controls... so you never trust the user input and must always double check server side the input coming from the user/browser/script, i.e. with PHP.

You should always perform validation server-side to begin with, and only afterwards do client-side validation. (Or vice-versa, as long as server-side validation is implemented).

If it is important to you that first name should only contain alpha characters, then yes you should implement that validation server-side. (off-topic: You shouldn't limit name to alpha characters.)

Yes, just as you've written: check again, because client validation can be avoided. Do the same check as you do in client-side validation and output errors if the input isn't valid.

And remember: filter & validate input, escape output.

No matter how much validation you have on the client side, you must do so on the server side also. Any malicious user can bypass the client-side validation and send data to the server.

One good practice is to use the server side script for client side validation using Ajax, unless that data being checked is too heavy, which isn't usually the case.

Yes, yes and Yes - of course!

If you have the time I would encourage you to implement at least the following:

  1. Make use of up-to-date browser form validation features http://diveintohtml5.ep.io/forms.html#validation
  2. (if 1 is not possible and in addition) Run your JS validation on the submit event
  3. Run a check and pass errors along to the view in your application logic
  4. Do a check and throw exceptions in your business logic

You should always validate all data on the server side.

User-side validation is part of providing a better user experience as pinusnegra stated; it also helps keep resource usage on the server lower (since many of the requests validation is done on the client side). However, it does not substitute for server validation if a user has JavaScript disabled or is maliciously trying to tamper with your web application.

Do this little experiment: navigate to one of your forms where you're applying JavaScript validation and then:

  1. save the source (view source option of your browser) to a local file
  2. change the form action URL to the correct one (with full domain instead of just /path/to/my/serverscript/)
  3. remove all the JavaScript validation
  4. submit erroneous data (i.e. only numbers on First Name)

After that, you now have faulty data in your database. I hope that clears the point.
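
A server-side repeat of the question's first-name rule in PHP, shown against the kind of submissions the experiment above produces. This is an added example, not code from the question or any answer; the field name `firstname`, the 50-letter limit and the sample submissions are assumptions.

```php
<?php
declare(strict_types=1);

// Re-checks on the server the rule the browser is supposed to enforce.
// Returns [cleanValues, errors]; it never assumes the JavaScript check ran.
function validate_first_name(array $post): array
{
    $raw = $post['firstname'] ?? null;

    // A hand-built request can omit the field or send firstname[]=x (an array).
    if (!is_string($raw) || trim($raw) === '') {
        return [[], ['firstname' => 'First name is required.']];
    }

    $name = trim($raw);
    // \A and \z anchor the whole string; /u treats input as UTF-8, and
    // preg_match returns false on invalid UTF-8, which is rejected as well.
    if (preg_match('/\A\p{L}{1,50}\z/u', $name) !== 1) {
        return [[], ['firstname' => 'First name must be 1-50 letters.']];
    }

    return [['firstname' => $name], []];
}

// Escape on output, independent of what validation decided.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample submissions, as a saved and edited copy of the form could send.
$samples = [
    ['firstname' => 'Alice'],          // valid
    ['firstname' => '12345'],          // only numbers on First Name
    ['firstname' => ['x']],            // array instead of string
    ['firstname' => "Bob\n<script>"],  // markup smuggled after a newline
    [],                                // field missing entirely
];

foreach ($samples as $post) {
    [$clean, $errors] = validate_first_name($post);
    echo $errors
        ? 'rejected: ' . e($errors['firstname'])
        : 'accepted: ' . e($clean['firstname']);
    echo PHP_EOL;
}
```

Only the first sample is accepted; the other four are rejected before anything reaches the database layer.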