What is the need for validation of forms in php?

I am done with validation using javascript for a form in PHP开发者_运维技巧.

When is there any need for PHP validation?

javascript validation in itself ensures that all the fields are filled up. Is there a possibility to check the valid format of the inputs using javascript?

Yes

Client Side (Javascript) validation is only to help innocent users find out any errors in their forms without the need for a trip to the server and page reload.

Server side (PHP) validation is needed to prevent malicious users from submitting malformed queries to your server and gain access to your data.

Please note that client side validation only works on the forms you make. A malicious user can make her own form and submit to your server quite easily - thus completely bypassing your client side validation.

Conclusion: You need both forms of data validation.

Validation with javascript is great for useability, but without server side validation you leave yourself open to malicious input and bad data.

Javascript ensure the validation client-side but:

• could be disabled
• form can be submitted to your server by a "bad guy" from a custom page

so both are required IMHO

In general, a user has control over what data is submitted to a form handler, so you need to validate and sanitize it before it's safe. She might not even use a browser.

Yes, if JavaScript is disabled in client broser then server side validation is necessary.

telnet yoursite.com 80
GET /yourapp.php?name=');drop%20table%20users;-- HTTP/1.1
Host: yoursite.com

Bad things happen when you don't do server side sanitation.

Slightly less important than preventing your site from getting owned by anyone with a little bit of knowledge, not everyone will have javascript turned on, so you want to provide worthwhile error messages for them as well (not to mention, avoiding running with bad data, creating users with empty email addresses or names, as a non-malicious example).

But what is the purpose of using the both validations at the same time? Because it's extra burden for the server for validating the form inputs in php if javascript validation is successful. Can not we use a flag and set or unset it's value depending upon whether javascript validation is successful or not? And if the flag value set we will skip the php validation. Is not it possible? If it's not possible can you explain with a valid real life example? Or can a user modify the value of the flag even if we pass it in header? Waiting for some logical answers. Thank you.