Disabled option

evilmonkey
Forum Regular
Posts: 823
Joined: Sun Oct 06, 2002 1:24 pm
Location: Toronto, Canada

Post by evilmonkey »

I hate IE...I mean, I really hate IE. Look at the following line:

Code:

<option disabled value="" onclick="alert('Please make another choice')">=====</option>

This is a delimiter between two parts of one drop down box. As you can see, there are two technical issues that stop an idiot from putting this in as a value for the drop-down box (the "disabled" and the "onclick"). Unfortunately, neither work with IE, although both work in Firefox. Unfortunately for me, IE is what the vast majority of idiots, who'd want to put ==== as a value for their birthdate, use. So I'm in a hole. My question is, how do I make IE recognize that the "====" value is unclickable (short of a full-blown PHP check)?

Thanks. :D *calms down*
Ambush Commander
DevNet Master
Posts: 3698
Joined: Mon Oct 25, 2004 9:29 pm
Location: New Jersey, US

Post by Ambush Commander »

Well, you could just use valid HTML and group your sets of options...

Besides, what's wrong with simply spitting the form back at the user and saying "======" is not a valid value? You could even do it with an onSubmit check...
evilmonkey
Forum Regular
Posts: 823
Joined: Sun Oct 06, 2002 1:24 pm
Location: Toronto, Canada

Post by evilmonkey »

I don't want to do onsubmit() for the same reason I don't want to do a PHP check: I have a lot of drop-down fields, and checking all of them would be a waste of processor cycles, not to mention coding time. I don't understand your first option...can you please explain it for me? Thanks. :)
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

the HTML form field element <optgroup> .. quite simple..

Code:

<OPTGROUP LABEL="***"></OPTGROUP>
evilmonkey
Forum Regular
Posts: 823
Joined: Sun Oct 06, 2002 1:24 pm
Location: Toronto, Canada

Post by evilmonkey »

Perfect, that's exactly what I need. Thank you very much Ambush and feyd!

:D
Ambush Commander
DevNet Master
Posts: 3698
Joined: Mon Oct 25, 2004 9:29 pm
Location: New Jersey, US

Post by Ambush Commander »

> I don't want to do onclick() for the same reason I don't want to do a PHP check: I have a lot of drop-down fields, and checking all of them would be a waste of processor cycles, not to mention coding time.

Security alarm dings. Seriously? No server validation? Then, my friend, you have a major security problem. Never trust input from the user.
evilmonkey
Forum Regular
Posts: 823
Joined: Sun Oct 06, 2002 1:24 pm
Location: Toronto, Canada

Post by evilmonkey »

Not even from a drop-down box with a limited amount of values?
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

it's very easy to inject information into where the data would go, so yes.. anything and everything that comes from outside the server (hell even from inside the server) should be validated and verified thoroughly if you want a ~secured computing environment. Plus, you can't rely on Javascript validation as I could easily turn off Javascript running in the browser.. :)
Ambush Commander
DevNet Master
Posts: 3698
Joined: Mon Oct 25, 2004 9:29 pm
Location: New Jersey, US

Post by Ambush Commander »

Yeah. In essence, a post is this:

KEY=VALUE&KEY=VALUE&...

You just don't see it. Browsers that comply with the spec will only let you send those values, but you can still spoof the whole POST string. In fact, you can do this with cURL or SimpleTest's SimpleBrowser or even just a copy of the form with the SELECT field substituted with a TEXT field.
evilmonkey
Forum Regular
Posts: 823
Joined: Sun Oct 06, 2002 1:24 pm
Location: Toronto, Canada

Post by evilmonkey »

Damn it...Okay, for my project, security is number one because I'm expecting a lot of people to visit the site. No sensitive info (i.e. credit cards, SIN numbers, etc.), but I wouldn't want some script kiddie blowing up my server. I guess I have to do server checks then.

Thanks guys.
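
The server check the thread settles on, as an added example that is not code from any poster: one allowlist table renders each drop-down with `<optgroup>` separators and validates every drop-down in the POST in a single loop, so each extra field costs one table entry. The field names, option values and sample request body are constructed for illustration.

```php
<?php
// Added example. Field names and option values are constructed for illustration.
// One table drives both the rendered <select> and the server-side check.
const DROPDOWNS = [
    'birth_month' => [
        'Winter' => ['12' => 'December', '01' => 'January'],
        'Summer' => ['06' => 'June', '07' => 'July'],
    ],
    'country' => [
        'North America' => ['CA' => 'Canada', 'US' => 'United States'],
    ],
];

// <optgroup> labels replace the "=====" separator, so no placeholder value exists.
function render_select(string $name): string
{
    $html = '<select name="' . htmlspecialchars($name, ENT_QUOTES) . '">';
    foreach (DROPDOWNS[$name] as $label => $options) {
        $html .= '<optgroup label="' . htmlspecialchars($label, ENT_QUOTES) . '">';
        foreach ($options as $value => $text) {
            $html .= '<option value="' . htmlspecialchars((string) $value, ENT_QUOTES) . '">'
                . htmlspecialchars($text, ENT_QUOTES) . '</option>';
        }
        $html .= '</optgroup>';
    }
    return $html . '</select>';
}

// Checks every drop-down in one loop; returns [accepted values, rejected field names].
function validate_dropdowns(array $post): array
{
    $clean = $errors = [];
    foreach (DROPDOWNS as $name => $groups) {
        // Flatten the groups; PHP turns a key like '12' into int 12, so cast back.
        $allowed = array_map('strval', array_keys(array_replace(...array_values($groups))));
        $value = $post[$name] ?? null;
        // is_string() rejects name[]=x array input; strict in_array avoids type juggling.
        if (is_string($value) && in_array($value, $allowed, true)) {
            $clean[$name] = $value;
        } else {
            $errors[] = $name;
        }
    }
    return [$clean, $errors];
}

// Constructed request body carrying "=====" for birth_month, as a non-browser client could send.
parse_str('birth_month=%3D%3D%3D%3D%3D&country=CA', $spoofed);
var_dump(validate_dropdowns($spoofed));
```

In a real handler `$_POST` would be passed in place of the constructed `$spoofed` array, and only the accepted values would be used further.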
Ambush Commander
DevNet Master
Posts: 3698
Joined: Mon Oct 25, 2004 9:29 pm
Location: New Jersey, US

Post by Ambush Commander »

However, I must point out: JavaScript checks are *good* (if properly implemented) for high traffic checks: by performing simple validation, they prevent another roundtrip to the server (upload data, parse it, find out it's bad, and send it back). It won't prevent a cracker from sending you bad data anyway, but it will stop the Average Joe.

In fact, Hotmail's registration already has internal JavaScript for checking whether or not a username is used or not (however, I think they implement it in a really obnoxious way).