
I have done some research, and I have seen that both client-side and server-side validation are possible together (as mentioned in this post). However, I’m not just learning JavaScript, and I want to use Bootstrap for the client-side validation, and use Bootstrap’s .is-invalid and .is-valid classes for the server-side validation. I heard that PHP was the best language to use for server-side validation (please correct me if I’m wrong on that), so I was going to use PHP. However, my question is: is it possible to get the server to recognize that client-side validation is active, so it only sends a request to the server if it is not active? I really only want server-side validation as a fallback, in case a user disabled JS in their browser or bypassed it some other way.

2 Answers


  1. is it possible to get the server to recognize that client-side validation is active so it only sends a request to the server if it is not active

    No, you can’t – the server doesn’t even know if the HTTP request it receives came from a browser or some other type of client. It can’t ever know what was going on in the browser (if any) at the time the request was made.

    But that doesn’t matter very much, because the server doesn’t really need to recognise that. If the client-side validation is in place and working correctly, then it would prevent a request being sent to the server if the validation failed.

    However if the client-side validation passes then the data will be sent to the server, and the server will still need to re-validate it, because it has no proof that any client-side validation has occurred, and no way of verifying the result of it either.

    You can of course choose to present the results of any server-side validation errors in any way you wish – including mimicking the way the same error would be presented by the client-side validation, had it been active. Therefore you needn’t be concerned that it would confuse users, or provide a significantly worse experience (aside from possibly an extra request to the server).

    Finally: your server-side validation must be, in your mind, the most important validation and has to be the most comprehensive and robust, because that’s the one that cannot be easily bypassed or disabled. Client-side validation is of secondary importance – it’s just there to enhance the user experience, rather than be the primary enforcer of any rules. If you only consider the server side as a "fallback" option (the way you described it) then you’re asking for trouble.

  2. Sorry, it’s not recommended.
    Keep the frontend validation just for the user’s experience “and guidance”; as a developer you should never, never trust the user’s input or frontend validation.

    Avoid coupling the functionality of the two systems and isolate the decision-making processes of each entity.

    1. Users can easily bypass client-side validation: Disabling JavaScript, using developer tools, or modifying requests can entirely circumvent client-side checks. Malicious users can exploit these weaknesses to submit invalid data even with client-side validation in place.

    2. Server-side validation is essential for security: Never trust user input, regardless of any client-side checks. Server-side validation ensures critical data integrity and protects against potential security vulnerabilities like SQL injection or cross-site scripting (XSS) attacks.

    3. Combining them won’t guarantee good results: While combining client-side and server-side validation can enhance user experience by providing instant feedback, it shouldn’t replace thorough server-side validation. Client-side checks might fail due to various reasons, leaving your application vulnerable.

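What both answers describe, as an added example that is not part of either answer: a PHP handler that re-validates every field on the server no matter what the browser did, and returns Bootstrap's `.is-valid` / `.is-invalid` class per field so server-side errors render the same way client-side ones would. The form fields, the rules and the function names `validate_signup()` and `render_field()` are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical rules for an assumed signup form; each returns an error message or null.
function validate_signup(array $input): array
{
    $rules = [
        'email' => fn($v) => filter_var($v, FILTER_VALIDATE_EMAIL) !== false
            ? null : 'Enter a valid email address.',
        'username' => fn($v) => preg_match('/\A[A-Za-z0-9_]{3,20}\z/', $v) === 1
            ? null : 'Use 3-20 letters, digits or underscores.',
        'age' => fn($v) => filter_var($v, FILTER_VALIDATE_INT,
                ['options' => ['min_range' => 13, 'max_range' => 120]]) !== false
            ? null : 'Age must be a whole number from 13 to 120.',
    ];
    $fields = [];
    foreach ($rules as $name => $check) {
        // Missing keys and non-string values (e.g. age[]=13) are treated as empty,
        // because a hand-built request need not match the HTML form.
        $raw = $input[$name] ?? '';
        $value = is_string($raw) ? trim($raw) : '';
        $error = $check($value);
        $fields[$name] = [
            'value' => $value,
            'error' => $error,
            'class' => $error === null ? 'is-valid' : 'is-invalid', // Bootstrap classes
        ];
    }
    return $fields;
}

// Render one input as Bootstrap expects; $name comes from $rules, not from the request.
function render_field(string $name, array $f): string
{
    $value = htmlspecialchars($f['value'], ENT_QUOTES, 'UTF-8'); // escape on output
    $html = sprintf('<input name="%s" value="%s" class="form-control %s">',
        $name, $value, $f['class']);
    if ($f['error'] !== null) {
        $html .= sprintf('<div class="invalid-feedback">%s</div>',
            htmlspecialchars($f['error'], ENT_QUOTES, 'UTF-8'));
    }
    return $html;
}

// Constructed sample input standing in for $_POST from a client that skipped the JS checks.
$sample = ['email' => 'not-an-email', 'username' => 'ok_user', 'age' => ['13']];
foreach (validate_signup($sample) as $name => $field) {
    echo render_field($name, $field), PHP_EOL;
}
```

The same rules run on every request, whether or not JavaScript validated the form first, so only the data that passes `validate_signup()` should ever reach the database or be acted on.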