homepage Welcome to WebmasterWorld Guest from
register, free tools, login, search, pro membership, help, library, announcements, recent posts, open posts,
Become a Pro Member
Visit PubCon.com
Home / Forums Index / WebmasterWorld / Webmaster General
Forum Library, Charter, Moderators: phranque & physics

Webmaster General Forum

Effect of an empty field on form submission

 8:52 am on Sep 20, 2006 (gmt 0)

From the HTML spec

If a control doesn't have a current value when the form is submitted, user agents are not required to treat it as a successful control.

Would I be right in thinking that this means that it is legal for an empty text field to be either included or not included in a form submission?



 9:09 am on Sep 20, 2006 (gmt 0)

Reading the quote, it implies that empty controls can be ignored when submitting for data.

My experience is that typically they send name= : I would prefer it to be otherwise.



 5:13 pm on Sep 20, 2006 (gmt 0)

I use forms a lot and rely on "" to mean something was deleted. I've never had issues. And by the way is " " not empty? You could try placing a value=" " instead of value="" as a default and see if that insures your empty value.


 10:51 pm on Sep 20, 2006 (gmt 0)

And by the way is " " not empty?

No, " " is not an empty string.. the space counts.. an empty string would be a totally blank empty box. When validating a form entry for a required field, it's always helpful to trim the string (remove whitespace from beginning and end) then check if the string is empty again, to avoid blank submissions.


 10:14 am on Sep 21, 2006 (gmt 0)

sharbel: interesting point that I'll bear in mind when checking for valid input.

pixeltierra: What I'm concerned about is that the spec appears to leave open 2 possibilities for submitting empty values.

i) a=a_value&b=&c=a_value
ii) a=a_value&c=a_value

I was wondering whether either of the above can be relied upon to always be the case? Does it change according to method? I'm using POST.

It was curiousity mainly. I can easily code to allow for both possibilities and I think it would be safer to do so. Even if one can be relied upon today you never know what a new user agent might do tomorrow!


 2:23 pm on Sep 21, 2006 (gmt 0)

Yes, you should code to allow for both possibilities, and more. Anyone can POST any name/value pairs to your form script. If you gave me the URL of your form, in a few minutes I could make a form on my own computer that would POST a=a_value&c=a_value&d=myownvalue&f=someothervalue to your form processing script. Easy as pie, anyone with the most rudimentary skills can do that.

Always check user input. Check for fields that you expect to be there, and write your code so that it ignores anything you don't expect to be there.


 12:48 pm on Sep 22, 2006 (gmt 0)

Even that isn't necessary these days for probing. Just a copy of Firefox and the UrlParams extension is what I generally use for testing my forms.

This one however is going to be a mega pain in the backside to test as I'm specifically coding secure forms where the fieldnames change every time you load the form and each set of names can only be submitted to once.

I don't think anybody has actually exploited my current forms yet but I've certainly seen a few exploratory manouvres.


 1:05 pm on Sep 22, 2006 (gmt 0)

secure forms where the fieldnames change every time you load the form and each set of names can only be submitted to once

Do you need to go to such lengths? A single hidden field value will do the same job, surely. Personally, though, I'd use session variables.

Global Options:
 top home search open messages active posts  

Home / Forums Index / WebmasterWorld / Webmaster General
rss feed

All trademarks and copyrights held by respective owners. Member comments are owned by the poster.
Home ¦ Free Tools ¦ Terms of Service ¦ Privacy Policy ¦ Report Problem ¦ About ¦ Library ¦ Newsletter
WebmasterWorld is a Developer Shed Community owned by Jim Boykin.
© Webmaster World 1996-2014 all rights reserved