HTML5 form validation



  • I just discovered the new HTML5 attributes for form validation, and they sure are slick! You can use them for client-side enforcement of required fields, min/max lengths, email validation, and you can even specify arbitrary regexes using the "pattern" attribute.

    But guess what's missing: some kind of field comparison you'd need for a password/confirmPassword pair! HTML5 form validation: only 90% useful!

    None of this stuff supposedly works on Safari, but that might be a feature IMO.



  • Bonus SO wtf:

    Top answer: Don't validate client-side, leave it all to the backend PHP/ASP!!

    Don't worry, I'm doing server-side validation too because shenanigans, but client-side validation just looks and feels better for the non-malicious user.



  • Oh..........wow.


  • SockDev

    Wow.

    Client side validation is teh awesome for user experience but it should always be paired with server-side validation for actual security.



  • "Which level should validation be performed at?" is a trick question. It should be performed at all levels*.

    * - not saying that you need a regex for emails in the DB, but if it's a required field, make the field non-nullable



  • If my page isn't refreshing before telling me it's wrong, I'm not satisfied.


  • SockDev

    Sure, you do as much validation as possible. Isn't that like Computing Common Sense 101?



  • Considering it's being asked on SO? Obviously not.



  • No @Arantor, we've been over this before. This concept is more at the 300 level.


  • SockDev

    The real question is how the fuck did I figure all this sort of stuff out as a kid long before taking any classes on the subject?

    I sure as hell am not a child prodigy.



  • Because real life experience launches you up and over CS100 / CS200 pretty fast.



  • @Arantor said:

    The real question is how the fuck did I figure all this sort of stuff out as a kid long before taking any classes on the subject?

    I sure as hell am not a child prodigy.

    It's not really taught as much as you'd expect.

    That, and so many people are in this field just for the paycheck, not because of any dedication.



  • I'm of the mind that the ability to consider security aspects of a software system is an innate ability. Either you have it or you don't, and those who don't are usually incapable of learning and understanding how to deal with security and validation.



  • I didn't learn anything useful in college that I hadn't already known from personal experience. Except third normal form and relational database theory in general.

    Mostly I was frustrated at the stuff I wanted to learn, but they did not teach.



  • I think that George Carlin explained this best.

    “Think of how stupid the average person is, and realize half of them are stupider than that.”


  • SockDev

    I still continue to be amazed at the lack of consideration for what should be common sense, but then I realise that common sense is really that uncommon.


  • kills Dumbledore

    Only if you're talking about the median. If there are a small amount of really super stupid people (think the kind of intelligence that would make infiniscroll seem like a good idea) that would skew the mean so most people were above average intelligence



  • Infiscroll isn't a bad idea.

    Discourses implementation of infiscroll on the other hand.



  • @jaloopa said:

    Only if you're talking about a population with a distribution where the mean (average) is the same as the median. If there are a small amount of really super stupid people (think the kind of intelligence that would make infiniscroll seem like a good idea) that would skew the mean so most people were above average intelligence

    SPDTFY
    <statistics pedantic dickweeded that for you>


  • kills Dumbledore

    Ooh, you've out pedantic dickweeded me



  • @mott555 said:

    But guess what's missing: some kind of field comparison you'd need for a password/confirmPassword pair! HTML5 form validation: only 90% useful!

    It's missing all validation that involves more than one field (eg. making a field either disabled or mandatory depending on what the value of a radio group is. making two fields mutually exclusive, etc).



  • @Arantor said:

    Client side validation is teh awesome for user experience but it should always be paired with server-side validation for actual security.

    And I had to argue this with a coworker today.



  • Did you use a Cluebat™ or a clue-by-four™?



  • Due to not having finalized specs (much less working product) for most parts of the project and it going to production next week (only 2 weeks behind schedule!) I lost the argument.



  • My ex-employers registration page has some interesting behaviour when JS is turned off or the browser is IE8.



  • And you'll probably be tasked with the fallout/fixing it.


  • Discourse touched me in a no-no place

    It's only a hypothesis that intelligence follows a normal distribution, but given that there's a whole lot of people in the world and a whole load of genetic factors that contribute to intelligence (or stupidity if it is a different allele/methylation), it's a good hypothesis.

    More tricky is the fact that many really smart people are smart enough to not get stuck somewhere taking an intelligence test.


  • kills Dumbledore

    I actually don't mind the infiniscroll here too much. I just wanted to fit in...



  • @mott555 said:

    password/confirmPassword pair

    I'd like to know who started that particular piece of idiocy. Which, on some sites, extends to "enter your email address. 3 times. Just in case... By the way, we've disabled copy/paste."

    Seriously, if you enter your password wrong the first time, just ask for a reset. Stop asking for it twice!



  • In this case, though, having passwords match is just something you do against accidental typos. So doing this validation on the client-side (where 99.9% of people have JS enabled nowadays) is enough IMHO. If HTML5 would allow me to check if two fields match, that would be enough for me.

    Of course, enforcing password complexity is something you obviously [primarily] do on the server.


  • SockDev

    Personally I validate everything both sides, seems easiest.



  • @dkf said:

    It's only a hypothesis that intelligence follows a normal distribution, but given that there's a whole lot of people in the world and a whole load of genetic factors that contribute to intelligence (or stupidity if it is a different allele/methylation), it's a good hypothesis.

    It's certainly not a real normal, if only because there's a left hand limit of zero. I'm sure it's roughly a bell shaped curve, but the tails are going to be weird. And certainly somewhat dependent upon the instrument used to generate the scores.

    Nearly everyone gets the central limit theorem wrong and assumes everything is normal.


    Filed Under: but now we know that everything isn't normal, everything is awesome


  • Discourse touched me in a no-no place

    @boomzilla said:

    It's certainly not a real normal, if only because there's a left hand limit of zero.

    I'm not sure I support that assertion. I've met people with real problems who are down so far that the scale doesn't even make sense. (The individual I'm thinking of both blind and severely autistic. He simply cannot possibly be assessed on any conventional scale. Talk about getting a shit deal from the cards of life.)



  • @dkf said:

    I'm not sure I support that assertion. I've met people with real problems who are down so far that the scale doesn't even make sense. (The individual I'm thinking of both blind and severely autistic. He simply cannot possibly be assessed on any conventional scale. Talk about getting a shit deal from the cards of life.)

    Well, maybe, if you could find an instrument that was capable of going to +/- inf. I suppose brain dead would land you on the -inf spot (or as close as you like). And omniscience ends up the other place. Maybe we should move this to the breaking the laws of physics thread.



  • @PJH said:

    I'd like to know who started that particular piece of idiocy. Which, on some sites, extends to "enter your email address. 3 times. Just in case... By the way, we've disabled copy/paste."

    I refuse to block copy-paste and I'm starting to hate sites that do that since I've switched to KeePass. Even worse are the ones where the username and password fields are on separate pages so KeePass's auto-type feature doesn't work! I just love typing out 3f0b219f2daca37e82258a70ab74b093 by hand!



  • @boomzilla said:

    but now we know that everything isn't normal

    Certainly, everythingone here isn't normal!


  • SockDev

    Fuck normality in the ear with a purple spiky cactus dildo.



  • @mott555 said:

    Even worse are the ones where the username and password fields are on separate pages so KeePass's auto-type feature doesn't work!

    My bank does this, but at least they're not stupid enough to block copy/paste. However, there is a workaround. Type in your username by hand; at least it's usually something you can remember. (Even if it isn't, you can see it in KeePass.) Configure auto-type for that account to type just the password, and use auto-type on the password page. I think I have my bank account configured this way, although I don't actually use auto-type because copy/paste works.



  • Javascript.



  • @mott555 said:

    I refuse to block copy-paste and I'm starting to hate sites that do that since I've switched to KeePass. Even worse are the ones where the username and password fields are on separate pages so KeePass's auto-type feature doesn't work! I just love typing out 3f0b219f2daca37e82258a70ab74b093 by hand!

    Could always just open up your browser's developer tools and paste the value into the field that way. Or if you don't want to do that, use the following piece of bookmarklet script when you have the field you want to paste contents into selected.

    javascript:(function(el){el&&("value"in(el))&&(el.value=window.prompt("Enter\x20or\x20paste\x20field's\x20new\x20value"))}(document.activeElement))
    

    This will open up one of those old prompt window interfaces, which is browser native and will always allow pasting.



  • If there's a way to differentiate between the two pages you can either setup two separate KeePass entries, or change the entry to perform different autotypes depending on the page (it's in the properties | autotype tab).



  • Or sites that have login windows generated by javascript... like Discourse



  • @mott555 said:

    None of this stuff supposedly works on Safari, but that might be a feature IMO.

    "will currently work only in the following browsers: Safari 5, Chrome 6, Opera 9, Firefox 4 Beta and the iPhone/iPad."
    (we are currently at Safari 7.0.6 and it still works, but: No IE in this list)



  • @PJH said:

    I'd like to know who started that particular piece of idiocy. Which, on some sites, extends to "enter your email address. 3 times. Just in case... By the way, we've disabled copy/paste."

    Seriously, if you enter your password wrong the first time, just ask for a reset. Stop asking for it twice!

    Password / Confirm Password is understandable because neither field is (usually) displayed in plain text and is thus the only guard against typos (particularly for account creation).

    Email / Confirm email (/ confirm confirm) email is idiotic because it's nearly always in plain text, and can be visually confirmed.



  • Your problem here is trying to put intelligence and stupidity on the same axis. In reality, if you created a scatterplot showing amount of stupidity generated vs amount of intelligence shown by each individual, your trend line would pass through or near the origin. And the distance between a datapoint and the trend line would represent not intelligence, but judgment.


  • SockDev

    @mratt said:

    Password / Confirm Password is understandable because neither field is (usually) displayed in plain text and is thus the only guard against typos (particularly for account creation).

    Email / Confirm email (/ confirm confirm) email is idiotic because it's nearly always in plain text, and can be visually confirmed.

    And yet, I deal with these issues surprisingly often in real world forums. Funny, huh. Confirmation for email works better than you'd think at limiting problems.


Log in to reply
 

Looks like your connection to What the Daily WTF? was lost, please wait while we try to reconnect.