Tue 12 Feb 2008
I just stumbled on this smokin’ article on PHP Architect’s new C7Y site. It’s really some of the best PHP writing I’ve ever seen - even non-programmers will probably enjoy it…uh…alright I wrote. So please check it out.
I’m about 75% done rolling this into a CakePHP helper. And since Cake is going re-focus on jQuery as it’s primary JavaScript library there will be no excuse for not using it.
Bookmark This Post
Subscribe!
February 12th, 2008 at 11:34 pm
Nice - awaiting the helper - presume it will be Opened?
February 13th, 2008 at 7:42 am
“It doesn’t make sense to maintain two sets of validation rules. Instead, pull the rules from the same source that is used for server side validation and convert them to JavaScript for the client side.”
After taking the time to think and talk this through for about a year, my opinion is that it is never a good thing to reveal server-side logic to the client for convenience sake. Pulling regex rules from the server and putting it on the client gives hackers more information about what data they can enter. Although it is more work, I think that the client should do basic checks and then let the server do the heavy filtering.
Security by obfuscation.
February 13th, 2008 at 5:39 pm
Yes - definitely.
February 13th, 2008 at 6:03 pm
Hey Marc,
Interesting comment. I think you could certainly filter which rules are applied on the client side so that you’re only taking the non-revealing ones. That way they’re still only defined in one place.
This kind of feels similar to the concern raised about the Cake form naming reveals the tables and fields of the database.
February 13th, 2008 at 8:14 pm
Matt, that sounds like a good idea. Being able to chose what rules to expose to the client would make this a better solution in my opinion.
For kicks, I just talked with my boss about it. He said that the, “code validation once and use on both client and server” has been an on-going issue that has gone on since people learned how to code validation on the client. He gave me the example that ASP jumped on this initially, but then realized it as a security issue and now allows you to do separate validation rules on both client and server.
February 18th, 2008 at 11:51 pm
I’d better prefer the JSON dumping in class attributes (and possibly extract with jquery.metadata plugin). But, it needs fixing core