I've been in a few situations now where it seems a browser's dev tools and the ability for anyone to freely view/edit/add had the potential for something undesirable to happen.
Example one... A button that has an event, that triggers a function, that may run AJAX, which runs a PHP script that may communicate with your database... User goes to dev tools, removes disabled tag from the HTML, and the button can freely trigger the button.
Example two...
Ok, continue from example one, but let's say that the programmer just completely removes the button from the HTML, instead of disabling it. What stops a user that understands dev tools from going in and just creating a <button id="whatever">Do Bad Things</button> if a function already exists in the "viewable" source code JavaScript that anything can view to find the event trigger they want to, determine how it's triggered, and then match that with the added HTML button? (Is this possible? It seems possible, I could be wrong.)
I guess I am just curious if there is a standard to prevent these types of things from happening, especially in the case where users don't want a button completely removed, they would prefer the button is viewable, just not usable.
Is it bad code if you don't protect against this? Or is it necessary to completely protect yourself from all ends, by adding logic that double or even triple checks in your PHP scripts to ensure that things are not being bypassed by unwanted measures? I mean, I know it's obvious to protect your PHP with logic as well, but is there a standard to follow, or best practice to prevent these types of scenarios?
Any information would likely be helpful. Thanks!
After a bit more research and the replies here I was able to determine that the client side is never really safe from manipulation. Although adding protection client side can be useful, it is not a means of true safety. You MUST 100% validate server side as well to be protected. Thanks.
Similar posts I found that had more comments/answers I was able to read from.
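
An added example (not code from the original post) of the server-side validation described above: a PHP handler that re-applies the rule the disabled button expresses, so re-enabling or recreating the button in dev tools changes nothing. The function name, the order data and the status values are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical handler for the AJAX request the button sends.
// $session: server-side session data; $post: untrusted request body;
// $orders: stand-in for the database table (constructed sample data).
function handle_cancel_order(array $session, array $post, array &$orders): array
{
    // 1. Authentication: identity comes from the session, never from $post.
    if (empty($session['user_id'])) {
        return [401, 'not logged in'];
    }
    // 2. Input validation: accept only a positive integer id that exists.
    $id = filter_var($post['order_id'] ?? null, FILTER_VALIDATE_INT,
                     ['options' => ['min_range' => 1]]);
    if ($id === false || !isset($orders[$id])) {
        return [404, 'no such order'];
    }
    // 3. Authorization: the order must belong to the logged-in user.
    if ($orders[$id]['owner'] !== $session['user_id']) {
        return [403, 'not your order'];
    }
    // 4. State: the same rule that disables the button in the UI,
    //    decided from server-side data only.
    if ($orders[$id]['status'] !== 'pending') {
        return [409, 'order can no longer be cancelled'];
    }
    $orders[$id]['status'] = 'cancelled';
    return [200, 'cancelled'];
}

// Constructed sample data and requests.
$orders = [
    1 => ['owner' => 7, 'status' => 'shipped'],  // button shown disabled
    2 => ['owner' => 7, 'status' => 'pending'],  // button shown enabled
    3 => ['owner' => 9, 'status' => 'pending'],  // no button shown to user 7
];
$session = ['user_id' => 7];
$requests = [
    'disabled attribute removed'  => ['order_id' => '1', 'disabled' => 'false'],
    'button added by hand'        => ['order_id' => '3'],
    'malformed id'                => ['order_id' => '2 OR 1=1'],
    'legitimate click'            => ['order_id' => '2'],
];
foreach ($requests as $label => $post) {
    [$code, $msg] = handle_cancel_order($session, $post, $orders);
    printf("%-28s -> %d %s\n", $label, $code, $msg);
}
```

Client-supplied fields such as `disabled` are never read; the handler's answer depends only on the session and the stored order.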