Is it possible for user to submit a form if submit button is disabled? (Asking because of PHP validation)

When my form loads on the page, the submit button is disabled by default. Is it possible for a user to submit the form with this submit button disabled? (Either maliciously or by accident.)

I ask because I have the form information being validated by JavaScript upon submit, but I of course am validating the information in my PHP script. That being said, do I need to really validate that information on the server side? The submit button becomes enabled via JavaScript. So, if a user disables JS (thus getting by the JS validation), can they even submit the form? My guess is no, but I am looking for a firm answer.

If the answer is no, then I don't really need to do the PHP validation because the user CANNOT get by the JS validation, correct?

Thank you!


Yes, the person can "submit the form" even if it is disabled. He can submit it even if there is no form at all. He can simply send an HTTP request to the page that processes the form with the needed fields. It is highly discouraged to rely on JavaScript for validation.


A user can bypass a disabled submit button, and any client side restrictions for that matter. There is no such thing as client side security. To deal with hackers, you must always put your validation on the server side. Client side validation is just for appearances.

To be specific, they could bypass the disabled submit button in the following ways:

  • Enabling it via a JavaScript console (e.g. Firebug)
  • Enabling it via editing the DOM.
  • Just sending an HTTP request directly without using the form


Yes. There are a number of ways. If the form has a text field, it can be submitted using the return button (unless you actively prevent that using JavaScript). Also, any halfway clever user can use FireBug or some other tool to edit the source of your page on the fly and enable the submit button if they like.


You need to validate on the server side also, just in case JavaScript is off on the client side, or he tampers with the code using Firebug and other similar tools.


Assume the user has complete control of the client side, and can read and write whatever he wants over the network using browser/scripts/command line apps/etc...

This means you must validate server side to be sure of a sanitized response.
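
What the answers above describe, as an added example that is not part of the original thread: a PHP handler that checks every field on the server, so the result is the same whether the request came from the form, from a browser with JavaScript off, or from no form at all. The field names (`email`, `age`), the limits, and the function name `validate_signup` are hypothetical.

```php
<?php
declare(strict_types=1);

// Hypothetical fields "email" and "age". The request body is treated as
// untrusted: it may arrive without the form or its JavaScript ever running.

/**
 * Validate raw request fields. Returns [cleanValues, errors].
 * In a real handler, pass $_POST as $input.
 */
function validate_signup(array $input): array
{
    $errors = [];
    $clean  = [];

    // Missing keys and non-string values (e.g. an array sent as email[]=x)
    // are rejected before any format check runs.
    $email = $input['email'] ?? null;
    if (!is_string($email) || strlen($email) > 254
        || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors['email'] = 'A valid e-mail address is required.';
    } else {
        $clean['email'] = $email;
    }

    // FILTER_VALIDATE_INT returns an int on success and false otherwise,
    // so trailing junk such as "30abc" fails instead of being truncated.
    $age = $input['age'] ?? null;
    $ageInt = is_string($age)
        ? filter_var($age, FILTER_VALIDATE_INT,
            ['options' => ['min_range' => 13, 'max_range' => 120]])
        : false;
    if ($ageInt === false) {
        $errors['age'] = 'Age must be a whole number between 13 and 120.';
    } else {
        $clean['age'] = $ageInt;
    }

    return [$clean, $errors];
}

// Constructed sample inputs: one as the form would send it, two as a request
// made without the form might look.
$samples = [
    'via form'       => ['email' => 'alice@example.com', 'age' => '30'],
    'fields missing' => [],
    'wrong types'    => ['email' => ['x'], 'age' => '30abc'],
];

foreach ($samples as $label => $input) {
    [$clean, $errors] = validate_signup($input);
    echo $label, ': ',
        $errors ? 'rejected (' . implode(', ', array_keys($errors)) . ')' : 'accepted',
        PHP_EOL;
}
```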
