mac at macnewbold.com
Thu Feb 24 14:06:13 MST 2005
Today at 12:48pm, Benjamin Schmuhl said:
> This is a problem we want to overcome. I don't want to use a submit
> can be submitted. Is there any way to have enter validate the form? Do
> I have to put listener events on each form element?
I don't want my reply to be taken in the wrong way by anyone, so know
right now that I mean this in the nicest and most helpful way.
side, it is not guaranteed in any way to be run. It is insecure. It can be
faked, skipped, avoided, disabled, and any number of other undesirable
things. Search engines don't run any of it either, though that doesn't
have much to do with form validation in particular. People can even make a
Before I go further, let me say that client side validation (and other
client-side functionality) has its place. In many cases, it can make the
user experience better by providing faster response than submitting the
form to the server, and it can do things that the programmer thinks
are helpful, like updating other fields as values are selected or entered.
However, because it can be [easily] bypassed, it is of absolutely no use
for guaranteeing that the form submission meets certain criteria. The only
place that can be done is on the server side, where the programmer has
complete control over the data and the validation performed on it.
I've seen horrific things in this regard. One in particular that makes me
credit card would be charged, and the server side blindly accepted
a form that did not have a valid action, so the form didn't have anywhere
to (incorrectly) fashion a GET string, then set the page's location to
of validating things, but when the page was submitted, did absolutely no
validation on the server side. To make matters worse, I saw all three
things on the same site, one that I did not write, but which I was hired
to debug, repair, and complete. I've seen most of those things in plenty
of other places too, at least the client side mistakes.
Another thing to keep in mind is that if your site will not work with
potential users. And I'm not just talking about the weirdos (like
bigdog_ut ;) ) who use Lynx for normal browsing. In the worst case, you're
locking Google, Yahoo, MSN, and the other search engines out of your site.
(If that doesn't matter to you, it probably should.)
still work without it.
A statistic I found recently stated that a significant (10%-20%) number of
browsers. And no, that isn't one of the 93.61% of statistics that get made
up on the spot.
Sorry for the rant/diatribe/flame as it may be perceived. I'm just going
about trying to help people not to make the same mistake that so many
people have already made (and in many cases, are still making).
but back it up with all the same (or better) validation on the server
/me thinks he's going to turn this into an article on the uphpu.org web
Mac Newbold MNE - Mac Newbold Enterprises, LLC
mac at macnewbold.com http://www.macnewbold.com/
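
Added example (not part of the original message): a server-side check in PHP that repeats validation regardless of what the browser did. The order form, its field names (email, plan, quantity, total), the price table and the limits are assumptions made for illustration; it goes slightly beyond the message by also recomputing the amount on the server instead of accepting a client-sent one.

```php
<?php
// Added example: server-side validation of a hypothetical order form.
// Field names, the price table and the limits are assumptions.
const PRICES_CENTS = ['basic' => 1000, 'pro' => 2500]; // server-owned prices

// Validate untrusted form input. Returns [cleanData, errors].
// Nothing the browser did (or skipped) is trusted here.
function validate_order(array $post): array
{
    $errors = [];
    $clean = [];

    // Any field may be missing, an array, or the wrong type.
    $email = is_string($post['email'] ?? null) ? trim($post['email']) : '';
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors['email'] = 'A valid e-mail address is required.';
    } else {
        $clean['email'] = $email;
    }

    // Allow-list: the plan must be a key the server already knows.
    $plan = is_string($post['plan'] ?? null) ? $post['plan'] : '';
    if (!array_key_exists($plan, PRICES_CENTS)) {
        $errors['plan'] = 'Unknown plan.';
    } else {
        $clean['plan'] = $plan;
    }

    $qty = filter_var($post['quantity'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 100]]);
    if ($qty === false) {
        $errors['quantity'] = 'Quantity must be a whole number from 1 to 100.';
    } else {
        $clean['quantity'] = $qty;
    }

    // A client-sent "total" is never read: the amount is computed here.
    if (!$errors) {
        $clean['total_cents'] = PRICES_CENTS[$clean['plan']] * $clean['quantity'];
    }
    return [$clean, $errors];
}

// Constructed samples: the first is what arrives when page scripts never ran.
$bad = ['email' => 'x', 'plan' => 'pro', 'quantity' => '-5', 'total' => '0.01'];
$ok  = ['email' => 'a@example.com', 'plan' => 'pro', 'quantity' => '2', 'total' => '0.01'];
foreach ([$bad, $ok] as $post) {
    [$clean, $errors] = validate_order($post);
    print_r($errors ?: $clean);
}
```

In a real handler the function would be called with $_POST, and the form would be redisplayed with the errors instead of being processed when the error list is not empty.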