[devtalk] ASP help
David Precious
dave at preshweb.co.uk
Tue Oct 27 17:29:43 GMT 2009
Portman wrote:
> Right. The way the page is now, JavaScript tests the form for a valid
> email address and responds accordingly. If someone has JavaScript
> disabled or it is a SQL injection attack, the JavaScript tests will not
> work.
Correct - validation via JavaScript is just a convenience to save the user
a round-trip to be told the data isn't right - you cannot trust the
client to not send you bad data, though.
> Robert, thanks for your code. Will that stop someone putting in
> a at bc.com<script...?
Mostly, yes, as it wouldn't be considered valid. If you re-output the
same input when re-displaying the form, you could still possibly be open
to XSS (cross-site scripting) attacks.
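The two server-side steps David describes, validating the field regardless of what the browser did and escaping the value before echoing it back into the form, as an added example that is not code from the thread. It is plain JavaScript (so it also reads like a server-side JScript block in classic ASP); the regex, function names and sample submissions are assumptions, not something the list posts contain.

```javascript
// Added example (not from the thread): server-side handling of a form's
// email field. Two separate steps: validate the value, and HTML-escape it
// before echoing it back into the re-displayed form.

// Conservative email check: one local part, one "@", a dotted domain.
// Angle brackets, quotes and spaces are not allowed anywhere, so a value
// like "a@bc.com<script..." fails validation outright.
const EMAIL_RE = /^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$/;

function isValidEmail(value) {
  if (typeof value !== "string" || value.length > 254) return false;
  return EMAIL_RE.test(value);
}

// Escape the five characters that matter in HTML text and attribute
// contexts. This is what keeps a rejected (or accepted) value from becoming
// markup when the form is re-rendered with the user's input filled in.
function htmlEscape(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Simulates the server-side part of the form handler: returns the decision
// plus the HTML fragment that would be re-rendered for the user. Escaping is
// applied on output even when validation failed, because the bad value is
// echoed back either way.
function handleEmailField(submitted) {
  const valid = isValidEmail(submitted);
  const html =
    '<input type="text" name="email" value="' + htmlEscape(submitted) + '">';
  const message = valid
    ? "Thanks, address accepted."
    : "That does not look like a valid email address.";
  return { valid, html, message };
}

// Constructed sample submissions (not real addresses), including the
// "a@bc.com<script..." shape mentioned in the thread.
const samples = [
  "a@bc.com",
  "a@bc.com<script>alert(1)</script>",
  "no-at-sign.example.com",
];

for (const s of samples) {
  console.log(JSON.stringify(handleEmailField(s)));
}
```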