Using JavaScript To Handle Passwords

I’m creating an application that requires people to log in, which requires them to create an account first. Their information is to be sent to a MySQL database using PHP. The create account page requires them to enter their password twice (the second time is an input labelled confirm password). I was thinking of using JavaScript to check if the passwords matched before sending them to the database. Is that secure? I know the user can see the JavaScript itself, but I figure it’s safe since it only deals with their password, right?

You can do that check in JavaScript before the form is submitted and then submit the form with JavaScript. However, you really should still validate the passwords match on the backend with PHP. NEVER trust the data which comes from a form.

Why should I not trust the data coming from a form? I’m watching a tutorial on how to make a login page with PHP and it says the same thing, but I’m not sure why. Is it SQL injection?

SQL Injection is one thing and cross-site scripting is another. You have to sanitize any data you receive from a form on the server side. JavaScript can be disabled by the user.

In addition to what Randall said…

People can submit POST data straight to your backend program, without going through your webpage online form (with its JS validation). So this direct POST will not be validated by your JS.

So it’s still important to do/repeat the validation on the server side.
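The point made in the two answers above (do the check in the browser if you like, but repeat it on the server, because a direct POST never runs the page's JavaScript), as an added example that is not part of the original thread. The server side is written in Node.js so that the whole thing runs as one file; the thread's backend is PHP, where the equivalent is re-validating `$_POST` before anything is sent to MySQL. The field names (`username`, `password`, `confirm`), the 12-character minimum length and the two sample submissions are assumptions made for this example.

```javascript
// Added example (not from the original thread). It shows why the
// confirm-password check must be repeated on the server: the browser-side
// check is skipped by anyone who POSTs the form body directly (curl, a
// script, a browser with JavaScript disabled). Node.js stands in for the
// thread's PHP backend; the rule is the same there.

// ---- browser side: the check the original poster wants to do in JavaScript ----
// Runs in the page before submit. It is a convenience for the user only;
// nothing it returns can be relied on by the server.
function clientSideCheck(form) {
  const errors = [];
  if (form.password !== form.confirm) errors.push('passwords do not match');
  if (form.password.length < 12) errors.push('password too short');
  return errors;
}

// What the browser sends when the form is submitted:
// an application/x-www-form-urlencoded body.
function encodeFormBody(form) {
  return new URLSearchParams(form).toString();
}

// ---- server side: must be repeated, because the client cannot be trusted ----
// Parses the raw body the way PHP fills $_POST. Missing fields become ''.
function parseFormBody(rawBody) {
  const params = new URLSearchParams(rawBody);
  return {
    username: params.get('username') ?? '',
    password: params.get('password') ?? '',
    confirm: params.get('confirm') ?? '',
  };
}

// The only validation that actually decides whether the account is created.
// It sees exactly what arrived on the wire, regardless of which client sent it.
function serverSideValidate(rawBody) {
  const form = parseFormBody(rawBody);
  const errors = [];
  if (!/^[A-Za-z0-9_]{3,32}$/.test(form.username)) errors.push('bad username');
  if (form.password !== form.confirm) errors.push('passwords do not match');
  if (form.password.length < 12) errors.push('password too short');
  return { ok: errors.length === 0, errors, username: form.username };
}

// ---- two constructed submissions ----
// 1. An honest browser: the client check passes, then the form is POSTed.
const honestForm = {
  username: 'alice',
  password: 'correct horse battery',
  confirm: 'correct horse battery',
};

// 2. A direct POST (e.g. from curl) that never ran the page's JavaScript.
//    The fields do not match and the password is short; only the server
//    can catch this.
const bypassBody = 'username=mallory&password=short&confirm=different';

// Runs both submissions through the server-side check and returns the results.
function demo() {
  return {
    honestClient: clientSideCheck(honestForm),
    honestServer: serverSideValidate(encodeFormBody(honestForm)),
    bypassServer: serverSideValidate(bypassBody),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

The two checks are deliberately the same rules written twice: the browser copy gives the user immediate feedback, the server copy is the one that matters. Whatever the server does next (hashing the password, the INSERT into MySQL) should only run when `serverSideValidate` returns `ok: true`, and with prepared statements rather than string-built SQL, which is the injection point the third reply warns about.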