Friday, November 2, 2007

Client-Side Protections Can't Save You From Firebug

I keep a long list of inactive holds for library books. When I eventually do want to check out some popular book, I've moved up in the queue considerably. For many of my inactive holds, I'll be first in line as soon as I activate the hold.

So I wanted to active one of these holds today. I logged in to the Seattle Public Library website and went to select today's date from the "change status" drop-down menu. Ack! The 30th was the only available date for November, which is a bug so far as I can tell.

But then I remember the power of Firebug! I opened up the extension's console, added a new <option value="2">2</option> to the date selection menu, and submitted the change. And voilà! I now have an active hold on this book.

If this is indeed just a bug in the options displayed, then Firebug let me work around their problem. On the other hand, perhaps they've changed their policy about activating holds. Or something. In that case, their server-side code is obviously not enforcing the same rules that are evident on the client's side of things.

Moral of the story: Server-side code must enforce all your business rules and validations. Server-side code is your most important line of defense; client-side protections fall prey to modifications by tools like Firebug. This doesn't mean abandon all client-side validations; they have their place. But that place is not to ensure the integrity of the data in your database.

Secondary moral: Keep Firebug handy to have your way with troublesome websites. :)