Welcome to WebmasterWorld Guest from 220.127.116.11
Forum Moderators: phranque
If a control doesn't have a current value when the form is submitted, user agents are not required to treat it as a successful control.
Would I be right in thinking that this means that it is legal for an empty text field to be either included or not included in a form submission?
And by the way is " " not empty?
No, " " is not an empty string.. the space counts.. an empty string would be a totally blank empty box. When validating a form entry for a required field, it's always helpful to trim the string (remove whitespace from beginning and end) then check if the string is empty again, to avoid blank submissions.
pixeltierra: What I'm concerned about is that the spec appears to leave open 2 possibilities for submitting empty values.
I was wondering whether either of the above can be relied upon to always be the case? Does it change according to method? I'm using POST.
It was curiousity mainly. I can easily code to allow for both possibilities and I think it would be safer to do so. Even if one can be relied upon today you never know what a new user agent might do tomorrow!
Always check user input. Check for fields that you expect to be there, and write your code so that it ignores anything you don't expect to be there.
This one however is going to be a mega pain in the backside to test as I'm specifically coding secure forms where the fieldnames change every time you load the form and each set of names can only be submitted to once.
I don't think anybody has actually exploited my current forms yet but I've certainly seen a few exploratory manouvres.