Re: Function return

On 11/2/07, Stut <stuttle@xxxxxxxxx> wrote:
>
> Dan Shirah wrote:
> > That is correct, the due_date field should only accept a valid date
> > format, such as MM/DD/YYYY.  To bypass the need for a validation check
> > for this field I simply set the text field to disabled and supplied the
> > user with a javascript popup calendar that upon selection populates the
> > date in the format I want. :)
>
> Client-side limits are not an effective defense against dangerous
> inputs. Server-side validation is a must regardless of any client-side
> checking that goes on.
>

this is an excellent point; consider the scenario where someone posts
directly to your page, bypassing the client side checks.  this is a trivial
technique; inspect the form attributes; determine the submission url and the
submission method.  look at the name attributes of inputs on the page; and
then build a simple form that posts those inputs to the same url with the
same method.

-nathan
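
Added example, not part of the original thread: a server-side check in PHP for the due_date field discussed above, which treats the submitted value as untrusted whether or not it came from the calendar popup. The function name `validate_due_date` and the sample inputs are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

/**
 * Validate a due_date value taken from the request.
 * Hypothetical helper, not code from the thread.
 * Returns a DateTimeImmutable on success, or null if the value is invalid.
 */
function validate_due_date($raw): ?DateTimeImmutable
{
    // A request that did not come from the form can omit the field
    // entirely or send an array (due_date[]=x), so check the type first.
    if (!is_string($raw)) {
        return null;
    }
    // Exactly MM/DD/YYYY. \A and \z anchor the whole string, so a trailing
    // newline or any extra text after the year is rejected.
    if (!preg_match('/\A(\d{2})\/(\d{2})\/(\d{4})\z/', $raw, $m)) {
        return null;
    }
    [$month, $day, $year] = [(int) $m[1], (int) $m[2], (int) $m[3]];
    // checkdate() rejects impossible dates such as 02/30/2007.
    if (!checkdate($month, $day, $year)) {
        return null;
    }
    return (new DateTimeImmutable())->setDate($year, $month, $day)->setTime(0, 0);
}

// Constructed sample inputs standing in for $_POST['due_date'].
$samples = [
    '11/02/2007',        // well-formed, real date
    '02/30/2007',        // well-formed, impossible date
    '2007-11-02',        // wrong format
    "11/02/2007\n",      // trailing newline
    '11/02/2007 extra',  // trailing text
    ['x'],               // array instead of string
    null,                // field missing from the request
];
foreach ($samples as $value) {
    $date = validate_due_date($value);
    printf(
        "%-22s => %s\n",
        json_encode($value, JSON_UNESCAPED_SLASHES),
        $date ? $date->format('Y-m-d') : 'rejected'
    );
}
```

Only the first sample is accepted; the handler should store or query with the returned date object, never the raw string.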
