Perl output Javascript to validate user input

phal

HI ALL,

I know javascript is used for client site, and javascript to validate
user input can be done easily in the client site. I believe that in
server site the validation must be faster under Perl script.

My question:

If we embed Javascript within Perl script to validate user input, does
it faster or better?

As what I understand, I feel the method will bring the server more
work, because the Perl script has to decipher the Javascript before the
Javascript can do its work.

Any idea about this
 
xhoster

phal said:
> HI ALL,
>
> I know javascript is used for client site, and javascript to validate
> user input can be done easily in the client site.

The client can always bypass the javascript validation, and thus the server
also should validate the user input even if the client already does, at
least as far as security and safety are concerned.

> I believe that in
> server site the validation must be faster under Perl script.

Why do you believe that? Do you mean that Perl must be faster than
JavaScript when both are on the server side, or that Perl on the server
side must be faster than JavaScript on the client side?

> My question:
>
> If we embed Javascript within Perl script to validate user input, does
> it faster or better?

Which is faster can be measured. You can use Perl's LWP, or Linux's "ab".
It would depend on what exactly your validation method is and how it is
implemented in each language, not to mention how you are embedding
JavaScript into Perl. How would you go about embedding the Javascript
within Perl? Which is better is naturally a matter of opinion. I can't see
myself considering JavaScript better than Perl at much of anything. But
here, I might make an exception. If you must do client-side validation
using JavaScript, and also do the same validation on the server side, it
might be nice to avoid having to write the same validation in two different
languages.

> As what I understand, I feel the method will bring the server more
> work, because the Perl script has to decipher the Javascript before the
> Javascript can do its work.

Well, perl already has to decipher Perl before it can run it, so it is not
obvious that deciphering the javascript too will have a non-trivial impact.
Try it and see. But if you are so concerned about speed, you should
already be using mod_perl or something like that which prevents repetitive
compilation, right?

Xho
 
J. Gleixner

phal said:
> HI ALL,
>
> I know javascript is used for client site, and javascript to validate
> user input can be done easily in the client site. I believe that in
> server site the validation must be faster under Perl script.
>
> My question:
>
> If we embed Javascript within Perl script to validate user input, does
> it faster or better?
>
> As what I understand, I feel the method will bring the server more
> work, because the Perl script has to decipher the Javascript before the
> Javascript can do its work.
>
> Any idea about this

The CGI doesn't decipher Javascript, or have anything to do with
Javascript; it simply processes the request and data that's sent to it.

Validation has to be on the server, since anything could post data, not
just a browser with, or without, Javascript enabled. Try to do
validation on the client-side, using Javascript, to improve your user
experience.
 
Matt Garrish

phal said:
> HI ALL,
>
> I know javascript is used for client site, and javascript to validate
> user input can be done easily in the client site. I believe that in
> server site the validation must be faster under Perl script.
>
> My question:
>
> If we embed Javascript within Perl script to validate user input, does
> it faster or better?

You can't embed javascript directly in your Perl code and have it run by
perl. Are you talking about using Javascript.pm? I only skimmed it once out
of interest, but there's no chance that it will be faster than writing your
validation functions in Perl. It's just an interface to the libjs library,
so getting libjs to interpret and run the code and pass back whether the
value is good or not would, just from common sense, be incrementally slower
than just testing the value directly.

Matt
 
phal

I want to do the following,

First method:

1- Generate Html from Perl script for user input form,
2- After user input, the javascript which embed with Perl script to
check validate in the client side
3- When the validate is okay, the user input will store in the
database.


Second method:

1- Generate Html from Perl script for user input form
2- User input will be validate in the server side by Perl Regular
Expression
3- If it is valid, the user input will save into the database.

Third Method:

1- HTML form along with Javascript display to user
2- User input will be validate in the client side by javascript before
pass to CGI script
3- If valid, then it will save the user input into the database.

I think the third method is more faster then other method, but it has
one problem if the javascript disable in the client.
How do you think about the best method to implement this?
 
Matt Garrish

phal said:
> I want to do the following,
>
> First method:
>
> 1- Generate Html from Perl script for user input form,
> 2- After user input, the javascript which embed with Perl script to
> check validate in the client side
> 3- When the validate is okay, the user input will store in the
> database.
>
> Second method:
>
> 1- Generate Html from Perl script for user input form
> 2- User input will be validate in the server side by Perl Regular
> Expression
> 3- If it is valid, the user input will save into the database.
>
> Third Method:
>
> 1- HTML form along with Javascript display to user
> 2- User input will be validate in the client side by javascript before
> pass to CGI script
> 3- If valid, then it will save the user input into the database.
>
> I think the third method is more faster then other method, but it has
> one problem if the javascript disable in the client.
> How do you think about the best method to implement this?

The best method is always to validate on both sides. You can't trust that
your input will come from a browser, so never blindly assume that because
your script is processing it it must be valid. It will also minimize your
server load to validate on the client side, and users generally prefer to
know right away that their input is invalid and not wait for the server to
process the page and send it back every time. Use javascript for the client
and perl on the server and get the notion of mixing languages together out
of your head.

Matt
 
xhoster

phal said:
> I want to do the following,
>
> First method:
>
> 1- Generate Html from Perl script for user input form,
> 2- After user input, the javascript which embed with Perl script to
> check validate in the client side

So the Perl script merely prints out the Javascript source, along with the
rest of the html? This is not what we generally call "embed". Embed
generally means you are running the other language, not merely printing out
source code written in the other language.

> 3- When the validate is okay, the user input will store in the
> database.

How do you know that the validation is truly OK? Or doesn't it really
matter? If the end-user can only screw themselves by circumventing
javascript to get bad data put into the database, maybe this is OK. But if
they can screw you or other people by doing so, then this is not OK; you
need to validate on the server.

> Second method:
>
> 1- Generate Html from Perl script for user input form
> 2- User input will be validate in the server side by Perl Regular
> Expression
> 3- If it is valid, the user input will save into the database.

This is the method I generally use. I can write the validation methods
in the language I prefer, and it is done in only one place. And it doesn't
depend on what the client-agent is.

> Third Method:
>
> 1- HTML form along with Javascript display to user
> 2- User input will be validate in the client side by javascript before
> pass to CGI script
> 3- If valid, then it will save the user input into the database.

What is the difference between the Third Method and the First Method?
Is it merely that in the 3rd case the html form (with javascript) is served
from a static file rather than from a CGI?

If you are justly concerned with speed, then you should serve as much as
you can from static files rather than from CGI.

> I think the third method is more faster then other method, but it has
> one problem if the javascript disable in the client.

Uh, the 1st method has this problem as well.

> How do you think about the best method to implement this?

I think you are probably overly infatuated with speed. And if it is
justified, then you need to provide more info before we can tell you
anything worthwhile. How many hits per second are you expecting? What
percentage of attempts do you expect to be invalid? Are the users mostly on
your intranet, or broadband, or dial-up? What are the implications of bad
data? Are you using mod_perl? How good is your team at JavaScript? At
Perl?

Xho
 
Mark Clements

phal said:
> I want to do the following,
>
> First method:
>
> 1- Generate Html from Perl script for user input form,
> 2- After user input, the javascript which embed with Perl script to
> check validate in the client side
> 3- When the validate is okay, the user input will store in the
> database.
>
> Second method:
>
> 1- Generate Html from Perl script for user input form
> 2- User input will be validate in the server side by Perl Regular
> Expression
> 3- If it is valid, the user input will save into the database.
>
> Third Method:
>
> 1- HTML form along with Javascript display to user
> 2- User input will be validate in the client side by javascript before
> pass to CGI script
> 3- If valid, then it will save the user input into the database.
>
> I think the third method is more faster then other method, but it has
> one problem if the javascript disable in the client.
> How do you think about the best method to implement this?

Check out

CGI::FormBuilder

it handles both client-side and server-side input validation.

Mark
 
phal

I really concern about the speed, and also the validation between
client and server.
As what everyone suggest, but do you think it is slow down if I use
perl to generate the Javascript along with html form for user input,
and do the validate in the client side, and then I re-check again in
the server. I think it is duplicated, but secure then just a single
way,

For Mark say, I never try to use CGI::FormBuilder.
 
xhoster

phal said:
> I really concern about the speed, and also the validation between
> client and server.

If you know enough to know that you need to be concerned about the speed,
then you should probably know enough to be able to tell us what the
bottleneck(s) are. Network bandwidth? Network latency? Server CPU
resources?

> As what everyone suggest, but do you think it is slow down if I use
> perl to generate the Javascript along with html form for user input,

From a CPU perspective, once you are already starting up Perl in order to
generate the form, you may as well also use it to generate (by which I mean
print out a hard-coded string containing the javascript source) the
javascript, unless you have megabytes of javascript. But if you are
worried about the load on your web-server, you shouldn't be using Perl to
generate html that can be done statically, anyway.

On the other hand, if network bandwidth is limiting, then sending
javascript is going to slow you down, whether it is done with Perl or from
static files. Of course, if bandwidth is limiting then receiving invalid
submissions and returning the error messages and re-submitting the
corrected data is also going to be slow. I think the bloat of javascript
is likely to take up more bandwidth than an occasional invalid form, unless
your forms are very large or your users are just banging on their keyboards
at random.

> and do the validate in the client side, and then I re-check again in
> the server.
> I think it is duplicated, but secure then just a single
> way,

If you validate on the server (correctly) then also doing so on the client
does not add to security. It may enhance the user experience (eliminate
round trips, provide nicer error messages, etc), and it may reduce server
load (although it is hard to believe that that would be significant), but
it wouldn't increase security.

Xho
 
phal

Thank you all for the suggestions, currently, I use localhost to test
the script. The script will be used for university campus for Intranet
exam or perhaps for the Internet exam for only the University, I not
very sure about the speed of the Server. Usually, the server slows down
when all the students go for the assessments.

The purpose of the CGI script is to display dynamically of the
questions bank in the database, and do all the validation of the short
essay and answer choice for the students who do the assessment. It is
also used for upload the questions and answers.

I think to maximize the usage of speed, and also the security concern.
It is problematic for duplicate doing validate in both the client and
server. I think it is enough to make it only in server side and display
a nice error to user, but as someone suggest me to do it both sides to
make it more secure then just as single way.

I have think off to do it in both direction, using Javascript and Perl,
I need to include all the Javascript in the Perl if I need to do the
validation in client side too.

How can I maximize the use of Javascript inside Perl? Is it possible
to generate the Javascript separately then include inside Perl?

I have one idea to do with that, but I do not know whether it is
possible or not, using Perl script to generate all the Javascript
separately and then using Perl script to call the javascript. I think
it may help to prevent the entire headache from the input which only
depends to the server.

I also use perl_mod.
 
Joe Smith

phal said:
> The purpose of the CGI script is to display dynamically of the
> questions bank in the database, and do all the validation of the short
> essay and answer choice for the students who do the assessment. It is
> also used for upload the questions and answers.

The usual thing to do is to have Javascript verify that all required
fields have suitable values entered _before_ the form is submitted
back to the server. For example, if an input field requires a five
digit number, verify that the string is five characters long and consists
of only digits. That is, check the form of the data, not the answer.

It is not appropriate to see if the answer is correct on the client
side, since the code that does so can be seen via "View Source", allowing
for cheating.

> I think to maximize the usage of speed, and also the security concern.

From what you've posted, worrying about speed should not be your
primary concern.

> It is problematic for duplicate doing validate in both the client and
> server. I think it is enough to make it only in server side and display
> a nice error to user, but as someone suggest me to do it both sides to
> make it more secure then just as single way.

Client validation and server validation have different uses.
It is not one-for-one duplication, and not wasted effort.

> I have think off to do it in both direction, using Javascript and Perl,
> I need to include all the Javascript in the Perl if I need to do the
> validation in client side too.

Not at all. One method is to put a single line of text in Perl to be
sent to the browser, like:

> How can I maximize the use of Javascript inside Perl? Is it possible
> to generate the Javascript separately then include inside Perl?

I'd say don't use Javascript inside Perl. Write your Javascript functions
separately and store them in separate files, as shown above.

> I have one idea to do with that, but I do not know whether it is
> possible or not, using Perl script to generate all the Javascript
> separately and then using Perl script to call the javascript.

No, no, no. You don't have to have the Perl script call the Javascript;
you merely generate HTML that causes the client's browser to execute
the Javascript. '<script src="...js">' is one way of doing that.

1) Client sends request to server for the next exam question.
2) CGI program on server sends HTML to the client, in the form of
   constant strings, generated text, and/or URLs the client
   will need to fetch on its own.
3) When the user clicks on a Submit button, JavaScript running on
   the client decides whether to send the form data to the server,
   or to prompt the user to enter missing information.
4) The form data being sent to the server may or may not have been
   the result of correct JavaScript execution. The user may be
   running a hacked client that is deliberately sending bad data.
5) The server must do its own validation, including crucial checks
   that were not included in the client-side JavaScript.

> it may help to prevent the entire headache from the input which only
> depends to the server.

Unless you are willing to accept bad or fraudulent data, you _must_
do validation on the server. Period.
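
The server-side check that steps 4 and 5 above call for, sketched in Perl as an added example that is not part of the original thread. The field names, the rules and both sample requests are constructed for illustration; the script only checks the form of the data and treats every parameter as untrusted, whether or not the browser's JavaScript ran.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical rules for an exam form (field names are assumptions).
# \A and \z anchor the whole string; "$" would also accept a trailing newline.
my %RULES = (
    student_id => qr/\A[0-9]{5}\z/,      # exactly five digits
    question   => qr/\A[0-9]{1,4}\z/,    # question number
    choice     => qr/\A[a-d]\z/,         # one of the offered choices
    # bounded free text; tab, LF and CR allowed, other control characters not
    essay      => qr/\A[^\x00-\x08\x0B\x0C\x0E-\x1F]{1,2000}\z/,
);

# Returns (\%clean, \@errors). Only values that matched a rule reach %clean,
# so the code that writes to the database never sees a raw parameter.
sub validate_submission {
    my ($params) = @_;
    my (%clean, @errors);
    for my $field (sort keys %RULES) {
        my $value = $params->{$field};
        if (!defined $value || ref $value) {
            push @errors, "$field: missing or repeated";
            next;
        }
        if ($value =~ $RULES{$field}) {
            $clean{$field} = $value;
        } else {
            push @errors, "$field: wrong format";
        }
    }
    # Reject fields the form never offered instead of silently ignoring them.
    push @errors, "$_: unexpected field"
        for grep { !exists $RULES{$_} } sort keys %$params;
    return (\%clean, \@errors);
}

# Constructed requests: the first is what a browser sends after its JavaScript
# check passed; the second was posted without that script ever running.
my @requests = (
    { student_id => '40213', question => '7', choice => 'b',
      essay => 'Short answer.' },
    { student_id => "40213\n", question => '7', choice => 'e',
      essay => '', grade => '100' },
);

for my $req (@requests) {
    my ($clean, $errors) = validate_submission($req);
    if (@$errors) {
        print "rejected: ", join('; ', @$errors), "\n";
    } else {
        print "accepted: student $clean->{student_id}, ",
              "question $clean->{question}\n";
    }
}
```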
 
Rich

On 6 Apr 2006 14:09:48 -0700, phal wrote...
> Thank you all for the suggestions, currently, I use localhost to test
> the script. The script will be used for university campus for Intranet
> exam or perhaps for the Internet exam for only the University, I not
> very sure about the speed of the Server. Usually, the server slows down
> when all the students go for the assessments.
>
> The purpose of the CGI script is to display dynamically of the
> questions bank in the database, and do all the validation of the short
> essay and answer choice for the students who do the assessment. It is
> also used for upload the questions and answers.
>
> I think to maximize the usage of speed, and also the security concern.
> It is problematic for duplicate doing validate in both the client and
> server. I think it is enough to make it only in server side and display
> a nice error to user, but as someone suggest me to do it both sides to
> make it more secure then just as single way.
>
> I have think off to do it in both direction, using Javascript and Perl,
> I need to include all the Javascript in the Perl if I need to do the
> validation in client side too.
>
> How can I maximize the use of Javascript inside Perl? Is it possible
> to generate the Javascript separately then include inside Perl?
>
> I have one idea to do with that, but I do not know whether it is
> possible or not, using Perl script to generate all the Javascript
> separately and then using Perl script to call the javascript. I think
> it may help to prevent the entire headache from the input which only
> depends to the server.
>
> I also use perl_mod.

You might be better off using a combination of the two, though I'd at least
start with the error checking on the server end with Perl. Javascript can make
form validation pretty, by dynamically creating changes to the HTML without
communicating with the server, but it has its limitations. In the end, you want
to be able to check the form data with Perl, since Javascript doesn't guarantee
that it will be sent in correctly or in a secure manner.

Rich
