<option disabled value="" onclick="alert('Please make another choice')">=====</option>
This is a delimiter between two parts of one drop down box. As you can see, there are two technical issues that stop an idiot from putting this in as a value for the drop-down box (the "disabled" and the "onclick"). Unfortunately, neither works with IE, although both work in Firefox. Unfortunately for me, IE is what the vast majority of idiots, who'd want to put ==== as a value for their birthdate, use. So I'm in a hole. My question is, how do I make IE recognize that the "====" value is unclickable (short of a full-blown PHP check)?
I don't want to do onsubmit() for the same reason I don't want to do a PHP check: I have a lot of drop-down fields, and checking all of them would be a waste of processor cycles, not to mention coding time. I don't understand your first option...can you please explain it for me? Thanks.
I don't want to do onclick() for the same reason I don't want to do a PHP check: I have a lot of drop-down fields, and checking all of them would be a waste of processor cycles, not to mention coding time.
Security alarm dings. Seriously? No server validation? Then, my friend, you have a major security problem. Never trust input from the user.
It's very easy to inject information into where the data would go, so yes.. anything and everything that comes from outside the server (hell, even from inside the server) should be validated and verified thoroughly if you want a ~secured computing environment. Plus, you can't rely on JavaScript validation as I could easily turn off JavaScript running in the browser..
You just don't see it. Browsers that comply with the spec will only let you send those values, but you can still spoof the whole POST string. In fact, you can do this with cURL or SimpleTest's SimpleBrowser or even just a copy of the form with the SELECT field substituted with a TEXT field.
Damn it...Okay, for my project, security is number one because I'm expecting a lot of people to visit the site. No sensitive info (i.e. credit cards, SIN numbers, etc.), but I wouldn't want some script kiddie blowing up my server. I guess I have to do server checks then.
However, I must point out: JavaScript checks are *good* (if properly implemented) for high traffic checks: by performing simple validation, they prevent another roundtrip to the server (upload data, parse it, find out it's bad, and send it back). It won't prevent a cracker from sending you bad data anyway, but it will stop the Average Joe.
In fact, Hotmail's registration already has internal JavaScript for checking whether or not a username is used or not (however, I think they implement it in a really obnoxious way).
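The server-side check the thread settles on, as an added example that is not from any poster: one allowlist table validates every drop-down in a single loop, so the cost per request is a few array lookups. The field names and value ranges are assumptions made for this example.

```php
<?php
declare(strict_types=1);

// Allowed values per drop-down. Field names and ranges are assumptions for
// this example. The same table can be used to render the <option> lists,
// so the form and the check cannot drift apart.
function allowedValues(): array
{
    return [
        'birth_day'   => array_map('strval', range(1, 31)),
        'birth_month' => array_map('strval', range(1, 12)),
        'birth_year'  => array_map('strval', range(1900, (int) date('Y'))),
    ];
}

// Returns [clean values, names of rejected fields].
function validateSelects(array $post, array $allowed): array
{
    $clean = [];
    $errors = [];
    foreach ($allowed as $field => $values) {
        $value = $post[$field] ?? null;
        // is_string() rejects array payloads such as birth_day[]=1;
        // the strict in_array() avoids PHP's loose comparisons.
        if (is_string($value) && in_array($value, $values, true)) {
            $clean[$field] = $value;
        } else {
            $errors[] = $field;
        }
    }
    // Each part can be allowed on its own and still form an impossible date.
    if ($errors === [] && !checkdate(
        (int) $clean['birth_month'],
        (int) $clean['birth_day'],
        (int) $clean['birth_year']
    )) {
        $errors[] = 'birth_date';
    }
    return [$clean, $errors];
}

// Constructed sample input: the delimiter row (value="") was submitted as
// the day. In the real handler, pass $_POST instead.
$sample = ['birth_day' => '', 'birth_month' => '7', 'birth_year' => '1985'];
[$clean, $errors] = validateSelects($sample, allowedValues());
print_r($errors);
```

The check behaves the same whether the bad value comes from a browser that ignores "disabled" or from a hand-built POST, which is why the client-side attributes can stay as a convenience only.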