I’m creating an application that requires people to login, which requires them to create an account first. Their information is to be sent to a MySQL database using PHP. The create account page requires them to enter their password twice (the second time is an input labelled confirm password). I was thinking of using javascript to check if the passwords matched before sending them to the database. Is that secure? I know the user can see the javascript itself, but I figure it’s safe since it only deals with their password, right?
Why should I not trust the data coming from a form? I’m watching a tutorial on how to make a login page with PHP and it says the same thing, but I’m not sure why. Is it SQL injection?
In addition to what Randall said…
People can submit POST data straight to your backend program, without going through your webpage online form (with it’s JS validation). So this direct POST will not be validated by your JS.
So it’s still important to do/repeat the validation on the server side.
Thanks