The login script has two methods of validating form data. The first is the JavaScript code that ensures that the user fills in all the data that is required. Then a secondary level of validation is added. This time, PHP does its own checking. and only then will this data be passed to the application.

JavaScript in itself is not a true security measure, but rather a convenience and also an extra layer of security. This is because JavaScript is a client-side technology (as opposed to PHP, which is server side). It saves the user the hassle of having to submit the form to the server, having it checked by PHP and then sent back if errors occur. What happens instead is that JavaScript checks the form data locally and if the checks are okay, it then sends the information to PHP. There is a small price for this convenience; the PHP file becomes a bit larger in size.

So why do we need PHP to check the form data if JavaScript does it in the first place? Because, as I’ve already stated, JavaScript is not a security measure in itself, for the simple reason that it can easily be turned off, rendering the code completely useless. The JavaScript code in our form primarily checks to see if the username and password fields in the form are filled in. If so, the data is sent to the PHP script; otherwise, a message box is displayed, alerting the user to the error:

if(pform1.pw.value=="" && pform1.uname.value==""){

alert("Please make sure that you have entered your username and password")

return false

}

In the code above, the pform1 refers to the form name and the pw refers to the form field name. The same applies to the uname.value line. The alert message is what the user will see if the form fields are empty.

In the next article we will continue to explore the login page and also discuss the benefits of authentication from a security point of view.