javascript form vaildation doing it right!

When using Javascript for form validation, there is a right way, a wrong way, a very wrong way, and a suicidally wrong way! Unfortunately many sites use one of the wrong ways, including even some which claim to be form-validation tutorials. This page tries to help people in the right direction.

• The suicidally wrong way is to have the validation in Javascript only, and not on the server. A malicious user can easily bypass it and – depending on what you are doing – may wreak havoc with your database. Apparently there have been cases of online shops shipping computers for $1 because they had no server-side validation!
• The very wrong (but all too common) way is to simply assume the user has Javascript. Readers who have disabled it (and there are several good reasons for doing so) or who do not have it available, spend their time filling in the form and then find nothing happens when they click the submit button.
• The wrong way is to give the non-Javascript user, or the user of a browser other than IE or Netscape, a terse message telling him he can't use your site.
• The right way (got there eventually!) is to use Javascript as an optional extra to improve user-friendliness. All form submissions are validated on the server. If the reader has Javascript available, an initial validation is done on the client, to check for simple errors such as missing information or non-numeric characters in a numeric field. This means the reader gets faster feedback than waiting for a response from the server.