Re: Validating a utf-8 string from search textbox with javascript regular expression



getsanjay.sharma@xxxxxxxxx wrote:
On Jul 11, 2:58 pm, Richard Cornford wrote:
frohlin...@xxxxxxxxx wrote:

Client-side code offers no protection of anything from anything.
Your 'hackers' can knock-out, replace or re-define your
client-side validation with trivial effort (and if they want to
inject something they probably will do so as a matter of course).

I can understand knocking out (disabling it), but how can someone
replace or redefine my own script?

By just doing it. Javascript, being very dynamic, allows object properties to be assigned new values at any time and web browsers facilitate the execution of arbitrary code by the user (at its simplest, by entering javascript pseudo-protocol URLs in the address/location bar). If you have a function called, say, 'validate' and I want to re-define it I just have to write - javascript:void validate = function(x, y){ /* new function body */ }; - into the address/location bar and hit return and now 'validate' is the function I defined. And if you try masking your code inside closures (like Google maps tried) I can still re-define it by getting the source code as a string (from an exposed property, from the SCRIPT element via the DOM and/or from an external file with (in a worst case) an XML HTTP request), replace the sections of that string I want changed and then - eval - the script in the global context to have the changed code replace the original. Or I can write a dynamic script loading javascript URL that will import any arbitrary script from any source, providing the option to replace your code with mine or any (scripted) tools I may need to step outside the limitations imposed upon the javascript pseudo-protocol, and play with the script environment you define to my heart's content.

And all of that is without the options of using dedicated content inserting proxies, 'greasemonkey' scripts in Firefox/Mozilla/Gecko browsers or scripting an IE browser instance from Windows Scripting Host (and so side-stepping most security and bringing the 'big guns' of ActiveX that are too dangerous to be allowed to run in normal IE into the game).

The javascript executing on the client is entirely at the mercy of the person sitting in front of the computer on which it is executing, and so client-side code provides precisely zero security.

Richard.



