In the front-end, users should be able to see when their input is going to be wrong, so we inform them before they submit.
On the server-side, we need to validate anyway.
Is it meaningful to store a set of regex strings somewhere on the server and use the same set on the front-end? Any doubts?
THESE days, client side if I can't do it with the HTML 5 attributes, I don't bother since again, you HAVE to check it again server-side anyways. It's NOT rocket science to spit a form back at the user for corrections -- and you SHOULD have that coded and working BEFORE you dive for any extra client-side validation anyways be it the HTML 5 attributes and input types, OR throwing scripttardery at it like it's still a decade ago.
As with anything client side, it should be an ENHANCEMENT of working markup and not the only means of functionality.
That and there are a LOT of checks I can do server side you can't do client-side... see my e-mail validation for PHP. Pretty sure you can't check DNS records from JS cleanly.
function isValidEmail($address) {
if (filter_var($address, FILTER_VALIDATE_EMAIL) == FALSE) {
return false;
}
/* explode out local and domain */
list($local, $domain) = explode('@', $address);
$localLength = strlen($local);
$domainLength = strlen($domain);
return (
/* check for proper lengths */
($localLength > 0 && $localLength < 65) &&
($domainLength > 3 && $domainLength < 256) &&
(
checkdnsrr($domain, 'MX') ||
checkdnsrr($domain, 'A')
)
);
}
You're NOT going to match that from JavaScript... and really if type="email" for modern client-side checking is insufficient, you're probably doing something wrong.
Though to be fair, "doing something wrong" describes 90%+ of the bloated non-semantic markup and pointless scripting people are still vomiting up as if HTML 4 Strict never happened. No, most still vomit up HTML 3.2 style presentational thinking loaded down with "gee ain't it neat" scripted rubbish slathered on top, and spent a decade or more mounting a 4 tranny doctype atop it, and now just slop 5 lip-service around the same outdated outmoded inaccessible practices.
See "Bootcrap".
Sidhant Panda
Programmer
In cases where you have to check against existing database entries, you will not be able to validate on the front end. It does sound meaningful to store a set of common regex patterns but validation can not be limited to that.
Common examples would be if you can't enter the same password while resetting it, or you can't re-use last 3 passwords. These kind of things can not be exposed to the front-end.