Cornish: SeriousMatters: no. This is the first-line validation, then do sanitization on the server side
Kofler: Validation + sanitization = a secure form
Roble: Validation is just checking to make sure the inputs are in the correct formats. The sanitization is what would ultimately “clean” your stuff and avoid hack attempts. You can do validation on both levels if you really want to, if you think your everyday browsers will browse with no JS – which is unlikely
Hodgdon: Validation on the client side, IMHO, is more valuable to the actual user of your website. It provides added value to the person actually trying to submit data into the form properly
Wolner: Of course I expect clients have JS on and I agree it adds usability value. But hackers can go into the JS console/Firebug and do malicious things, making it unreliable for security purposes.
Belezos: Moreover, the plugin that I’m currently working on REQUIRES server side validation since it deals with third party service that can only be done with curl or similar.
Salamone: Anyone using the wp api v2?
Lovero: SeriousMatters: my point is even if there is no form VALIDATION you have form SANITIZATION
Digiacinto: Which will clear any hack attempts. Validation is more about input patterns.
Peterkin: If you are using validation for security you’re doing it wrong. You need sanitization for security.
Starrett: Well, you SHOULD have both, but sanitization is where it’s at. That is what will ultimately block ANYTHING that looks malicious
Leehan: But like I said, you CAN do client side and then server side if you feel you must
Balling: You can also use real-time ajax form validation which is going to do a bit of both
Pergola: Gapen: do you mean this http://pastebin.com/Jh3GmyMS from within the single.php
Hornish: LindsayM_: I will probably do both JS and server validations. JS to catch basic formatting errors like wrong URL or email formats. But I still need to run server-side validation to check the values can actually be used to connect to the third party service.
Jaecks: Why not just use ajax for that?
Averett: Also, I don’t understand why you wouldn’t just make sure the inputs are properly set for your 3rd party service in the initial validation
Timmerman: SeriousMatters: *malicious user
Galecki: There’s a monumental difference
Hadland: Sexywoodenspoon: thanks for correcting my terminology.
Pasternak: If a malicious user gets passed the initial validation then you don’t have to check if it’s a valid 3rd party request because it’s already a malicious attempt. Just kill it right there with sanitization
Stoneking: Sexywoodenspoon: I hope you understand where I am coming from?
Caligiuri: SeriousMatters: I understand yeah but that’s like calling a guy with a hammer a murderer because 2/10 folk that have hammers murder people. with. hammers.
Bracklin: SeriousMatters: I hope you can understand where I’m coming from?
Scarlato: The current WP behaviour is to save all valid field input and leave invalid fields as original values, then shows the form with original values along with error messages.
Grambo: What “default form” are you speaking of?
Gruenhagen: LindsayM_: eg. /wp-admin/options-general.php
Mutana: Try to enter a valid new site title and a new invalid email. The site title gets saved but the email field returns to its original value with an error message.
Ardoin: The expected behaviour is Edwin gets saved and I get the form with all the invalid values I entered along with errors.
Sallie: SeriousMatters: enter it where? what are you talking about?
Allsbrooks: The WordPress General Settings page
Moroles: SeriousMatters: Ok so you’re working on adding a field and validation and sanitization on custom settings fields on the settings page?
Hatke: Anyone here used the woocommerce CSV import suite before?