Simple example, not necessarily related directly to your script.
Let's say that a password change interface verifies in javascript that the user's password is not blank. What is to stop me from turning off javascript, just issuing the HTTP call directly to your script and bypassing your javascript verification? If you do not check it on the server, you cannot be certain that the data is valid.
In short (as was said earlier), the checks on the server are the important ones. You cannot assume that anything on the client has run. The client needs to be considered completely outside of your control. Javascript is only a suggestion for the browser to run something :-). A telnet client (or netcat, or curl, or...) is all that one needs to reach out and touch your server. The checks on the client side should only be used to improve the user experience.
|