Is Javascript Secure?


Hi Everyone,

I have been asked to build a PHP application that calculates important
financial information based on some user-inputted numbers and that will
not allow the user to continue forward unless a certain percentage
range has been met.  To validate the numbers, I am considering using
Javascript as opposed to having the PHP code validate the numbers
because Javascript is faster (it is almost instantaneous because the
validation code is running on the client side and does not have to wait
for a refresh, as would be required for the server-side PHP

My question is: is Javascript secure?  My concern here is that because
the Javascript validation would run on the client's computer, they
could potentially hack it to allow unacceptable financial numbers to be
submitted.  Am I just being too paranoid here?

Thanks in advance,


Re: Is Javascript Secure?

On 7 Jun 2006 09:11:25 -0700, dredge wrote:


Saw an article on how SQL injection was done.
They pulled the web page source to their box, chopped out the code
which tested input, then ran the page locally, injecting SQL code to get
database data access.


Criminals are getting into cracking as a business.
I would be nervous.
Ask the lawyer how much you could be sued for over poor security code.

Re: Is Javascript Secure?


That would be a huge (albeit common) mistake.


No, you are paranoid with good cause!

By using a software web proxy (such as Paros or SPIKE) or Firefox
plugins like TamperData it is trivially simple to modify form fields
as they are submitted to the server, bypassing all Javascript client-side
validation.

Nothing will get you around the inconvenient necessity of having to
scrub all form field data on the server side and treat it as
malicious.  Before you develop this application, I strongly recommend
you read the OWASP guide to open web application security:

Specific to the issue you're discussing is data validation, which
is #1 on OWASP's top ten security threats to web apps:

Quoting that, "A surprising number of web applications use only
client-side mechanisms to validate input. Client side validation
mechanisms are easily bypassed, leaving the web application without
any protection against malicious parameters."

Best Regards,
Todd H. /

Re: Is Javascript Secure?

I agree entirely with Todd.  Client-side validation is in no way a
substitute for server-side.  They can be, and often are, used
together, because - as you said - it's 'nicer' to get instant feedback
on your submission if you missed a decimal point.  But you -must-
assume the input is bad after the user submits the form and check it.

If you want to get fancy, you could write some type of PHP code inside
a PHP variable, and for the server-side check eval() it, and for the
client side Javascript parse the variable replacing the few things that
are necessary to replace (e.g., stripping $'s) and output the parsed
code as Javascript so you don't have to rewrite the PHP, but be careful
how you're handling input in the code you're going to eval - SQL
injection is bad, but if you let a user pull off PHP injection - you're
sunk.  I wouldn't recommend considering this unless your validation
code is changing frequently.
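
The two points above (Todd's: anything the browser checks can be skipped by posting the form directly; the last reply's: keep one copy of the rule, but not by eval()ing code from a string) are illustrated by the following added example. It is not code from anyone in this thread. It assumes a hypothetical form with two fields, `revenue` and `cost`, and a hypothetical rule that the margin `(revenue - cost) / revenue` must fall between 10% and 40%; the server side is modelled in Node so the whole thing runs stand-alone, but the structure (take the raw body, treat every field as hostile, re-run the rule) is exactly what the PHP handler has to do.

```javascript
// Added example, not part of the original thread. Hypothetical form fields
// ("revenue", "cost") and a hypothetical allowed margin range (10-40%) are
// assumed; the server side is modelled in Node for a self-contained demo.

// The business rule lives in plain data. Sharing this object with the browser
// (e.g. serialised as JSON into the page) gives both sides one source of truth
// without eval()ing PHP or JavaScript source from a string.
const MARGIN_RULE = Object.freeze({
  fields: ['revenue', 'cost'],
  minPercent: 10,
  maxPercent: 40,
});

// Parse one form value as a non-negative decimal number. Form values arrive as
// strings; anything else (missing, "abc", "-5", "1e999") is rejected outright.
function parseAmount(raw) {
  if (typeof raw !== 'string') return null;
  const s = raw.trim();
  if (!/^\d+(\.\d+)?$/.test(s)) return null;
  const n = Number(s);
  return Number.isFinite(n) ? n : null;
}

// The rule check. The same function is shipped to the browser for instant
// feedback and run again on the server as the authoritative gate.
function checkMargin(form, rule = MARGIN_RULE) {
  const values = {};
  for (const f of rule.fields) {
    const n = parseAmount(form[f]);
    if (n === null) return { ok: false, reason: `invalid ${f}` };
    values[f] = n;
  }
  if (values.revenue === 0) return { ok: false, reason: 'revenue must be > 0' };
  const pct = ((values.revenue - values.cost) / values.revenue) * 100;
  if (pct < rule.minPercent || pct > rule.maxPercent) {
    return {
      ok: false,
      reason: `margin ${pct.toFixed(1)}% outside ${rule.minPercent}-${rule.maxPercent}%`,
    };
  }
  return { ok: true, marginPercent: pct };
}

// Browser side: decides whether the form's submit handler lets the POST go out.
// Anyone can skip this by disabling JavaScript, editing the DOM, or rewriting
// the request in an intercepting proxy, so it is a convenience, not a control.
function clientAllowsSubmit(form) {
  return checkMargin(form).ok;
}

// Server side: takes the raw application/x-www-form-urlencoded body exactly as
// it arrived (which may never have passed through the browser code at all),
// treats every field as hostile, and re-runs the same rule before continuing.
function serverHandle(rawBody) {
  const form = Object.fromEntries(new URLSearchParams(rawBody));
  const result = checkMargin(form);
  return result.ok
    ? { status: 200, body: `ok, margin ${result.marginPercent.toFixed(1)}%` }
    : { status: 400, body: `rejected: ${result.reason}` };
}

// Constructed submissions for the demo.
const HONEST_FORM = { revenue: '1000', cost: '800' };  // 20% margin, allowed
const TAMPERED_BODY = 'revenue=1000&cost=50';          // 95% margin, posted directly
const GARBAGE_BODY = 'revenue=abc&cost=800';           // not a number at all

console.log('browser lets honest form through:', clientAllowsSubmit(HONEST_FORM));
console.log('server on tampered body:', serverHandle(TAMPERED_BODY));
console.log('server on garbage body:', serverHandle(GARBAGE_BODY));
```

The tampered body is what a proxy such as the ones Todd names would let you send after the browser-side check has already said "no": the server sees it cold and still rejects it, which is the whole reason the rule has to run there. Keeping the rule as data rather than source text also removes the PHP-injection risk the last reply warns about, since nothing on either side executes a string.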
