People are still doing this?

Back in the day it wasn't unusual to find folks using JavaScript for web-page security. And by "using" I mean "using it and failing miserably", since it was trivial to get around.

Today I got an email pointing me to a site where I could download an album for free. Yay, spiffy. But they wanted me to give them the email addresses of 5 friends. That sucks.

Fortunately for me, they used Ajax to check it all. So: view source, redefine their validation function in Firebug to always return true, then call the function, and voilà, they're thanking me for giving them the email addresses.

Couple of points here:

  1. It’s not free if I have to give something in exchange
  2. Friends don’t spam friends
  3. If your users can redefine the freakin validation routines, it's probably best not to rely on them for security.

This is why we check form inputs in JavaScript and on the server. The JavaScript check gives the user fast feedback; the server check is the only one that counts, because everything that runs in the browser, validation routines included, is under the visitor's control, and the server has to treat every request as if it came straight from a script that never ran the client check at all.
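As an added illustration (this is not code from the original post or the site it describes), here is the pattern the post is complaining about and the fix it recommends: a client-side validator of the kind that was redefined from Firebug, the one-line override that neuters it, a server that trusts the client, and a server that re-checks the same input so the override buys nothing. The function names, the request shape, and the sample inputs are all assumptions constructed for the example.

```javascript
// Added example, not the original post's code. Names such as
// validateFriendEmails, submitFriends and handleFriendsRequest are assumed.

// Loose email-shape check. Deliberately simple: on the client it is a
// usability aid, on the server it is the gate. Same rule on both sides.
const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;

// --- Browser side ---------------------------------------------------------
const client = {
  // What the page's script runs before firing the Ajax request.
  validateFriendEmails(emails) {
    return emails.length === 5 && emails.every((e) => EMAIL_RE.test(e));
  },
  // Submits only if the validator says yes; `send` stands in for the Ajax call.
  submitFriends(emails, send) {
    if (!client.validateFriendEmails(emails)) {
      return { sent: false, reason: "client rejected input" };
    }
    return { sent: true, response: send({ friends: emails }) };
  },
};

// --- What a visitor does from the console --------------------------------
// Any function reachable from the page is just a property that can be
// reassigned; this is the "redefine it to always return true" step.
function bypassClientCheck() {
  client.validateFriendEmails = () => true;
}

// --- Server side ----------------------------------------------------------
// The server the post ran into: assumes the browser already validated.
function trustingServer(body) {
  return { status: 200, body: "thanks, download link sent" };
}

// The server the post recommends: treats the body as untrusted and
// re-applies the whole rule, including type and length checks the
// client never needed because the browser built the list for it.
function handleFriendsRequest(body) {
  const friends = Array.isArray(body && body.friends) ? body.friends : [];
  const ok =
    friends.length === 5 &&
    friends.every(
      (e) => typeof e === "string" && e.length <= 254 && EMAIL_RE.test(e),
    );
  return ok
    ? { status: 200, body: "thanks, download link sent" }
    : { status: 400, body: "five valid addresses required" };
}

// Runs the scenario end to end and returns each outcome.
function demo() {
  const junk = ["", "", "", "", ""]; // constructed: five empty fields
  const before = client.submitFriends(junk, handleFriendsRequest);
  bypassClientCheck();
  const trusting = client.submitFriends(junk, trustingServer);
  const checking = client.submitFriends(junk, handleFriendsRequest);
  return { before, trusting, checking };
}
```

Run `demo()` under Node: before the override the client refuses to send; after it, the trusting server hands out the download for five blank fields, while the checking server answers 400 to exactly the same request. The point is not the regex, it is that the server applies the rule itself rather than asking the client whether it did.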

One Response to “People are still doing this?”

  1. mgroves Says:

    I agree! The purpose of AJAX or plain JavaScript as validation is to speed things up and/or make it easier, not to completely replace server-side validations.
