Posted: Fri Feb 03, 2006 10:59 pm
by WizyWyg
Still There?

Posted: Mon Feb 06, 2006 1:52 pm
by WizyWyg
??? help ??

Posted: Mon Feb 06, 2006 1:54 pm
by Burrito
I'm gonna steal a quote from Feyd here:

"I can only show you the path, you must walk it".

hint: try alerting your msg.length and see what it is....

Posted: Mon Feb 06, 2006 2:10 pm
by WizyWyg
The alert msg length is at 9999 characters. I'm still getting unwanted characters through.

a-z
A-Z
0-9
@#,.

are the only ones that should be allowed.

Posted: Mon Feb 06, 2006 2:14 pm
by Burrito
WizyWyg wrote: The alert msg length is at 9999 characters. I'm still getting unwanted characters through.
that's your problem....

Posted: Mon Feb 06, 2006 2:17 pm
by WizyWyg
??? I don't understand.
Please explain.

Posted: Mon Feb 06, 2006 2:20 pm
by Burrito
ok figure out the length of this string

The following fields were either left blank or contained special characters, please fix and resubmit. \n\n

then add a few chars (for padding and insurance), and change your number in your 'if' condition to match that number. Then if the string length is greater than that number, it will throw the alert and the submit will fail.

you will probably need to escape your '-' in your pattern as well....

Posted: Mon Feb 06, 2006 2:27 pm
by WizyWyg
I've set it at 140

% is being allowed (also an unwanted character)
& is being allowed
* is being allowed
( ) are being allowed
+ is being allowed
' is being allowed

Posted: Mon Feb 06, 2006 2:34 pm
by WizyWyg
Now, if I don't complete the State field, it'll submit without the warning message (so if you forget the zip code, it submits without it).

If I complete up to the City field, the warning message pops up.

Posted: Mon Feb 06, 2006 2:40 pm
by hawleyjr
Wow, Burrito you may have a whole point of your total posts just in this thread...

Couple comments. If you are being so AR with the exact validation of these forms then why are you leaving the validation up to javascript? Also, bumping with ??? help ? or Still there? is not appropriate. If you have to bump after a couple days please bump with something more useful, such as "OK, I've tried this but..."

Posted: Mon Feb 06, 2006 2:44 pm
by WizyWyg
We need the validation on the submission because it's all being sent by email to a database server that can't accept certain characters.
Yes, I'm AR about it because we can't have those characters pass through.

And the bump is after two days of it not working. I wouldn't bump if it didn't work after testing out what is not working. I figured the last post already stated that certain characters were still being allowed through was more than enough to know that something is still not working, right?

If it were up to me, I'd be working with a database on the server, but that is a luxury that we don't have and will never implement.

Posted: Mon Feb 06, 2006 2:51 pm
by Christopher
WizyWyg wrote: We need the validation on the submission because it's all being sent by email to a database server that can't accept certain characters.
Yes, I'm AR about it because we can't have those characters pass through.
You understand that client side validation is only to improve the user experience and reduce traffic. If you are saving data into a database you need to filter it on the server side. Hackers don't need to use your page to submit data -- they can make their own with no validation and pass whatever they want. That is why server side filtering and escaping is always mandatory (ok "always mandatory" is redundant, but this is an important point).
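
An added example, not code from any poster in this thread: an allowlist check for the characters listed earlier (a-z, A-Z, 0-9, @ # , .) that decides on a list of failing fields instead of comparing msg.length with a hand-counted number, and shows how an unescaped '-' inside a character class turns into a range. The field names, the sample values, the extra allowed space and the LOOSE pattern are assumptions made for illustration; the same function has to run again in whatever server-side code receives the submission, since the browser copy can be skipped.

```javascript
// Added example: allowlist validation for the form fields discussed in this thread.
// Field names and sample values are constructed for illustration.

// Allowed set from the thread: a-z A-Z 0-9 @ # , .  (a space is also allowed here,
// an assumption so that multi-word values such as city names pass).
// No '-' appears in the class except inside the three intended ranges.
const ALLOWED = /^[a-zA-Z0-9@#,. ]+$/;

// Constructed pitfall: "#-," is parsed as the range 0x23..0x2C, which silently
// admits $ % & ' ( ) * + in addition to # and ,
const LOOSE = /^[a-zA-Z0-9@#-,. ]+$/;

const HEADER = "The following fields were either left blank or contained " +
  "special characters, please fix and resubmit. \n\n";

// Returns the names of fields that are blank or contain a disallowed character.
function invalidFields(fields, pattern = ALLOWED) {
  const bad = [];
  for (const [name, value] of Object.entries(fields)) {
    // Non-strings fail outright; "" fails because the pattern requires one or more chars.
    if (typeof value !== "string" || !pattern.test(value)) bad.push(name);
  }
  return bad;
}

// Decide on the list of failures, not on msg.length versus a hand-counted number.
function validate(fields, pattern = ALLOWED) {
  const bad = invalidFields(fields, pattern);
  return { ok: bad.length === 0, message: bad.length ? HEADER + bad.join("\n") : "" };
}

// Constructed sample submission: city has parentheses, state is blank.
const sample = { name: "J. Smith", city: "Hilo (East)", state: "", zip: "96720" };
const result = validate(sample);
console.log(result.ok, JSON.stringify(result.message));

// The loose class accepts % and & because they fall inside the accidental range.
console.log(validate({ city: "50% & more" }, LOOSE).ok); // true
```
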

Posted: Mon Feb 06, 2006 2:57 pm
by WizyWyg
arborint wrote:
WizyWyg wrote: We need the validation on the submission because it's all being sent by email to a database server that can't accept certain characters.
Yes, I'm AR about it because we can't have those characters pass through.
You understand that client side validation is only to improve the user experience and reduce traffic. If you are saving data into a database you need to filter it on the server side. Hackers don't need to use your page to submit data -- they can make their own with no validation and pass whatever they want. That is why server side filtering and escaping is always mandatory (ok "always mandatory" is redundant, but this is an important point).
Can't filter it on the database server. The server is not a 'generic' database, and the only thing it can do is receive email. It takes each email and stores it as its own message. The content of each email must be "clean" so that a dump of all the messages will not be impeded. So, whatever I can do on the interface side to reduce the amount of work on the database side (I don't have access, control or any way of seeing what / how the information received looks) the better it is.

So, now, why is the form submitting without the State field being filled out?

Posted: Mon Feb 06, 2006 3:08 pm
by WizyWyg
**grumble** stupid cache.

The form now works as it should.

Thanks Burrito for your help.

Posted: Mon Feb 06, 2006 3:14 pm
by hawleyjr
WizyWyg wrote:
arborint wrote:
WizyWyg wrote: We need the validation on the submission because it's all being sent by email to a database server that can't accept certain characters.
Yes, I'm AR about it because we can't have those characters pass through.
You understand that client side validation is only to improve the user experience and reduce traffic. If you are saving data into a database you need to filter it on the server side. Hackers don't need to use your page to submit data -- they can make their own with no validation and pass whatever they want. That is why server side filtering and escaping is always mandatory (ok "always mandatory" is redundant, but this is an important point).
Can't filter it on the database server. The server is not a 'generic' database, and the only thing it can do is receive email. It takes each email and stores it as its own message. The content of each email must be "clean" so that a dump of all the messages will not be impeded. So, whatever I can do on the interface side to reduce the amount of work on the database side (I don't have access, control or any way of seeing what / how the information received looks) the better it is.

So, now, why is the form submitting without the State field being filled out?
Makes me want to write a Greasemonkey script :) :) :) :)