Page 1 of 1
Disabled option
Posted: Mon Aug 15, 2005 8:41 pm
by evilmonkey
I hate IE...I mean, I really hate IE. Look at the following line:
Code: Select all
<option disabled value="" onclick="alert('Please make another choice')">=====</option>
This is a delimiter between two parts of one drop down box. As you can see, there are two technical issues that stop an idiot from putting this in as a value for the drop-down box (the "disabled" and the "onclick"). Unfortunatly, niether work with IE, although both work in Firefox. Unfortunatly for me, IE is what the vast majority of idiots, who'd want to put ==== as a value for thier birthdate, use. So I'm in a hole. My question is, how do I make IE recognize that the "====" value is unclickabe (short of a full-blown PHP check)?
Thanks.

*calms down*
Posted: Mon Aug 15, 2005 8:44 pm
by Ambush Commander
Well, you could just use valid HTML and
group your sets of options...
Besides, what's wrong simply spitting the form back at the user and say "======" is not a valid value? You could even do it with an onSubmit check...
Posted: Mon Aug 15, 2005 8:48 pm
by evilmonkey
I don't want to do onsubmit() for the same reason I don't want to do a PHP check: I have a lot of drop-down feilds, and checking all of them would be a waste of processor cycles, not to mention coding time. I don't understand your first option...can you please explain it for me? Thanks.

Posted: Mon Aug 15, 2005 8:52 pm
by feyd
the HTML form field element <optgroup> .. quite simple..
Posted: Mon Aug 15, 2005 8:54 pm
by evilmonkey
Perfect, that's exactly what I need. Thank you very much Ambush and feyd!

Posted: Mon Aug 15, 2005 8:55 pm
by Ambush Commander
I don't want to do onclick() for the same reason I don't want to do a PHP check: I have a lot of drop-down feilds, and checking all of them would be a waste of processor cycles, not to mention coding time.
Security alarm dings. Seriously? No server validation? Then, my friend, you have a major security problem.
Never trust input from the user.
Posted: Mon Aug 15, 2005 8:57 pm
by evilmonkey
Not even from a drop-down box with a limited amount of values?
Posted: Mon Aug 15, 2005 8:59 pm
by feyd
it's very easy to inject information into where the data would go, so yes.. anything and everything that comes from outside the server (hell even from inside the server) should be validated and verified thuroughly if you want a ~secured computing environment. Plus, you can't rely on Javascript validation as I could easily turn off Javascript running in the browser..

Posted: Mon Aug 15, 2005 9:00 pm
by Ambush Commander
Yeah. In essence, a post is this:
KEY=VALUE&KEY=VALUE&...
You just don't see it. Browsers who comply with the spec will only let you send those values, but you can still spoof the whole POST string. In fact, you can do this with
cURL or SimpleTest's
SimpleBrowser or even just a copy of the form with the SELECT field substituted with a TEXT field.
Posted: Mon Aug 15, 2005 9:02 pm
by evilmonkey
Damn it...Okay, for my project, security is number one because I'm expecting a lot of people to visit the site. No sensitive info (i.e. credit cards, SIN numbers, etc.), but I wouldn't want some script kiddie blowing up my server. I guess I have to do server checks then.
Thanks guys.
Posted: Mon Aug 15, 2005 9:04 pm
by Ambush Commander
However, I must point out: JavaScript checks are *good* (if properly implemented) for high traffic checks: by performing simple validation, they prevent another roundtrip to the server (upload data, parse it, find out it's bad, and send it back). It won't prevent a cracker from sending you bad data anyway, but it will stop the Average Joe.
In fact, Hotmail's registration already has internal JavaScript for checking whether or not a username is used or not (however, I think they implement it in a really obnoxious way).