3 Replies - 558 Views - Last Post: 16 August 2012 - 05:03 PM

#1 xenoslash

Should disabling form elements be done server side or client side?

Posted 16 August 2012 - 04:20 PM

I am in this situation where different users will see different kinds of pages depending on whether or not their usernames are listed under a certain group.

An authenticated user would see a form with all input elements enabled.
A non-authenticated user would see the same form, but with all input elements disabled.

I can:
1. use javascript, so when the document loads, I would see if the user is authenticated (in server side code, make a hidden element which tells me if the user is auth, so client side can tell if the user is auth or not), then disable all inputs.
2. on server side, but I don't know how to do this easily (without too much typing).
e.g. Have to put this on every line <input <%if(authenticated)%> disabled ="disabled" bla23>

What is the common approach to go with in this case?


Replies To: Should disabling form elements be done server side or client side?

#2 Atli

Re: Should disabling form elements be done server side or client side?

Posted 16 August 2012 - 04:35 PM

From a security perspective it doesn't really matter, seeing as client-side code is extremely easily manipulated. However if you do this in Javascript there is a possibility that the script will never run (Javascript can be disabled), leaving all the inputs in their default states.

I suggest you do this server-side. You can reduce the repetitive typing a bit by doing something along the lines of:
// show_form.php
<?php
// Decide once, server-side, whether the inputs are rendered disabled.
// $authenticated is whatever your group check produces for this user.
$disabled = " disabled";
if ($authenticated) { /* user is authenticated */
    $disabled = "";
}
include "form_template.php";


// form_template.php
<form etc="...">
    <input type="text" name="first"<?php echo $disabled; ?>/><br/>
    <input type="text" name="second"<?php echo $disabled; ?>/><br/>
</form>



By the way, in HTML the disabled attribute doesn't have to define a value; it's entirely optional. Its presence alone marks the element as disabled.
// These elements are exactly equal.
<input type="text" disabled="disabled">
<input type="text" disabled>



#3 xenoslash

Re: Should disabling form elements be done server side or client side?

Posted 16 August 2012 - 04:42 PM

Thanks for the quick reply!
Hmm.. so there is no avoiding the repetitions huh. I wish there is a way for server side code to access the previously created dom elements like jquery does.

And.. about your first comment, I now have another question :P
When dealing with security stuff, is it common to do checks in two steps?
1. in UI, disable some elements to tell user that they're not supposed to be changing stuff.
2. in server side code, don't trust the information passed on to you from server side code, and always reauthenticate. (I said 're' because the first authentication is done when the UI is first served to the user.)

#4 Atli

Re: Should disabling form elements be done server side or client side?

Posted 16 August 2012 - 05:03 PM

You should never trust user input until you've actually validated it. Always assume your user is either a complete idiot that will do everything wrong, or a genius hacker trying to mess up your site. No matter how the form itself is presented, or how you manage to tag an input field as disabled, it's no problem at all to submit the form with values for those disabled fields. You can do anything from just opening the developer tools in your browser and entering Javascript commands to enable them again, to manually writing the HTTP request. (It's a fairly simple protocol.)

Server-side validation of foreign input (form data, GET data, cookies, some $_SERVER values, even data from foreign databases in some cases) should always be done properly before accepting it.

Quote

I wish there is a way for server side code to access the previously created dom elements like jquery does.

There is. You can just capture the HTML into a string rather than echo it (it's usually pretty simple too when using template engines like Smarty or Twig) and then traverse the DOM in a very Javascript-like way. The DOMDocument class is a classic way to do that. There are also things like phpQuery, which attempts to mimic jQuery for PHP code.
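The two halves of the advice above (disable the inputs once, server-side, via DOMDocument instead of repeating a snippet per field, and then ignore the browser's disabled state entirely when the form comes back) as an added example; this is not code from the thread. The group lookup userIsAuthorized() and the field names first/second are assumptions borrowed from the posts.

```php
<?php
// Added example, not the thread's own code. userIsAuthorized() stands in
// for the poster's "is the username listed under a certain group" check.
function userIsAuthorized(string $user, array $group): bool
{
    return in_array($user, $group, true);
}

// Rendering: capture the form HTML as a string and let DOMDocument mark every
// form control disabled, instead of echoing $disabled inside each <input>.
function renderForm(string $formHtml, bool $authorized): string
{
    if ($authorized) {
        return $formHtml;
    }
    $doc = new DOMDocument();
    // Options stop libxml from wrapping the fragment in <html><body> and a doctype.
    $doc->loadHTML($formHtml, LIBXML_HTML_NOIMPLIED | LIBXML_HTML_NODEFDTD);
    foreach (['input', 'select', 'textarea', 'button'] as $tag) {
        foreach ($doc->getElementsByTagName($tag) as $el) {
            $el->setAttribute('disabled', '');
        }
    }
    return $doc->saveHTML();
}

// Handling: the disabled attribute is only a UI hint; a client can re-enable
// the fields or craft the request by hand. Decide server-side which fields
// this user may change and drop everything else from $_POST.
function acceptedFields(array $post, bool $authorized): array
{
    $editable = $authorized ? ['first', 'second'] : [];
    $clean = [];
    foreach ($editable as $name) {
        if (isset($post[$name]) && is_string($post[$name])) {
            $clean[$name] = trim($post[$name]);
        }
    }
    return $clean;
}

// Constructed sample: a user outside the group whose client re-enabled the
// inputs and submitted values anyway. Both values are ignored.
$group = ['alice', 'bob'];
$auth  = userIsAuthorized('mallory', $group);
echo renderForm('<form method="post"><input type="text" name="first"><input type="text" name="second"></form>', $auth);
var_dump(acceptedFields(['first' => 'x', 'second' => 'y'], $auth));
```

acceptedFields() takes the authorization decision from the session-side check, never from the submitted form, so the same function is correct whether the inputs were rendered disabled, enabled, or tampered with.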
