I wanted to ask, why is it good or better to have a script print the form than plain html. And what's the difference? When I type:
<form><input type="button" value="button" /></form>
or
<script type="text/javascript">
$form = $("<form></form>");
$form.append('<input type="button" value="button" />');
$('body').append($form);
</script>
What if user disables javascript in his browser?
For security, is the plain html and php enough or should I use javascript to build and validate the registration form?
I will start with your first question .
It's better to make forms in HTML , because in case of disabling the javascript your costumers will get problem using your application .
Secons Question :
Better to use PHP validation , because the javascript can be fooled by a person with basic hacking skills . for exemple after disabling the JavaScript your validation script won't work .
There is no need to generate it with Javascript, all you did was to make it much, much more hard to maintain. When you need to change the form html, it is really annoying to deal with Javascript string literals.
So like i said this is one way to prevent bots from spamming you. It will stop most bots. After implementing this I never had a problem with bots anymore
MySQL
CREATE TABLE IF NOT EXISTS `key_validation` (
`key` varchar(64) NOT NULL,
`date` varchar(32) NOT NULL,
UNIQUE KEY `key` (`key`),
KEY `date` (`date`)
) ENGINE=MyISAM DEFAULT CHARSET=latin1;
PHP REST Web Service (getKey.php)
<?php
//file that creates a connection to the database
require "db_connect.php";
if($_GET['mode'] == "get_key") {
$key = md5(microtime().rand());
mysql_query("INSERT INTO key_validation (`key`,`date`) VALUES ('$key','".time()."')");
echo json_encode($key);
exit();
}
?>
JavaScript
function insertKeyIntoForm(form) {
$.getJSON('getKey.php?mode=get_key', function(data) {
$('<input>').attr({
type: 'hidden',
id: 'verify_key',
name: 'verify_key',
value: data
}).appendTo(form);
});
}
insertKeyIntoForm('#myFormId');
PHP File the processes the registration
//TODO
//permanently block ip addresses that requests this service more than x number of times a minute
function func_query_first_cell($query) {
if ($p_result = mysql_query($query)) {
$result = mysql_fetch_row($p_result);
}
return $result[0];
}
//to make sure is no spammer
if(func_query_first_cell("SELECT `key` FROM key_validation WHERE `key`='$verify_key'") == "")
exit();
else
db_query("DELETE FROM key_validation WHERE `key`='$verify_key'");
I use to skip form tags altogether, they are ugly, you can only have one action, and you cannot nest them. Instead I use ajax postings in for instance onclick handlers and reload the webpage if necessary in the success handlers of those:
var data = {formvar1:3, formvar2: "foo"};
$.post('/foo/bar.php', data, function(webpage)
{
location.reload();
});
or if the ajax handler returns json:
var data = {formvar1:3, formvar2: "foo"};
$.post('/foo/bar.php', data, function(result)
{
if (result.success)
{
alert("nice work!");
location.reload();
}
else
{
alert(result.message);
}
}, 'json');
Oh, my answer came a bit late so you are free to ignore it. I never care about people disabling javascript because I think they are a myth btw :)
(It is worth mentioning that this stuff requires including jquery)