Too restrictive form validations

share your experiences with bad form validations

         

prasanthmj

5:25 pm on Aug 4, 2009 (gmt 0)

10+ Year Member



I recently noticed some very restrictive, irrelevant form validations in some web forms:

* Allow only alphabetic characters in Name (John O'Connor has to wait!)

* Prevent punctuation characters (like ; (semicolon), ' and " (quotes)) in a text field (afraid of email injection?)

So I thought of writing an article on bad form validations.

Have you seen such restrictive, funny form validations? Could you share your experience?

LifeinAsia

5:38 pm on Aug 4, 2009 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



Forms that do not allow any non-numeric characters in phone numbers. When re-checking my inputs before submitting a form, 1234567890 is a LOT more difficult to verify that it's correct than 123-456-7890. (And stripping out non-numeric characters on the back end is so easy.)

Forms that do not allow punctuation in company names. My legal company name may be "ABC, Inc." so don't make me write "ABC Inc" instead. (And what about the case where "A-B-C Corp." may be a completely different legal entity from "ABC Corp." or "A B C Corp."- how could the first person distinguish his company from the others?)

Forms that only allow numeric entries for ZIP Codes. Many countries use alphanumeric codes (Canada, U.K.) or dashes (South Korea).

And one of my biggest complaints- forms that only allow the 50 U.S. states (plus DC) for state abbreviations, completely disallowing Guam / Puerto Rico (and other U.S. territories) and APO/FPO (overseas U.S. military) addresses.

Leosghost

5:39 pm on Aug 4, 2009 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



yeah ..international sites which have mandatory US zip code fields ..you won't believe how often that happens :(

btw our French codes are number only ..but some US sites won't validate with them .( cos they don't look like US zip codes ).even when you choose "country"="France"

[edited by: Leosghost at 5:43 pm (utc) on Aug. 4, 2009]

Leosghost

5:41 pm on Aug 4, 2009 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



ones that don't specify whether one should leave spaces / or not in credit card number sequences ..and then throw you out of their cart because you guessed wrong ..arrrghh ~~:o

piatkow

8:20 pm on Aug 4, 2009 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



My "favorite" is the site that forces you to select a US state. The joke is that the site is for a Canadian company.

Also, as above, sites that will only accept alpha characters in names and sites that won't accept international format phone numbers.

kaled

10:19 pm on Aug 4, 2009 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Usernames - all the good ones are taken so you're left guessing and guessing, looking for one that's ok - drives me crazy. And, then, of course, it's probably a site you'll never go back to because you just wanted to download something and you've got it now - finally!

Kaled.

prasanthmj

6:52 am on Aug 7, 2009 (gmt 0)

10+ Year Member



Thanks for the responses everyone!

Here is another funny validation:
I had been to an Airline reservation page. In the address group of fields, if country is selected, the Passport Number is mandatory even if it is a local flight. It took some time for me to figure it out :)

piatkow

9:47 am on Aug 7, 2009 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Yes, I have read that some countries require ID to be produced before a flight can be booked and airlines are insisting on passports. I haven't had occasion to fly for several years so I can't confirm it from experience.

rocknbil

4:18 pm on Aug 7, 2009 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



There may be legitimate reasons for disallowing anything but U.S. states, but I agree - most of the time, this is due to a tunnel vision in development.

It's not just email injection, if you've ever been put through the SecurityMetrics wringer there are far more dangers in user input. For characters that may or may not be problematic but used in normal English, you have to consider they are only a danger in combination with OTHER meta characters. It's not as simple as it all seems.

At least by "silently" removing suspect characters, the orders/queries will still go through, only throw errors that are truly errors.

Not trying to validate sloppy coding, just saying, there are often more important reasons and if a developer doesn't know how to "fix" it they are indeed safer protecting the site than leaving it open to attack. In the end, the site's visitors suffer.

Useful thread on this by DrDoc [webmasterworld.com]
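
The cases raised in this thread (names and company names with punctuation, phone numbers typed with dashes, and the email injection concern), as an added example that is not code from any poster: the input check refuses only control characters, and each output context does its own encoding or re-check. Function names and length limits are assumptions for illustration.

```javascript
// Added example. Limits and function names are assumptions for illustration.

// Characters no person types into a one-line field. CR and LF are the ones
// that matter for mail header injection; quotes and semicolons are not listed.
const CONTROL_CHARS = /[\u0000-\u001F\u007F\u2028\u2029]/;

// Names, company names: accept punctuation, refuse control characters.
function validateFreeText(value, maxLen = 100) {
  const text = String(value).normalize("NFC").trim();
  if (text.length === 0) return { ok: false, error: "required" };
  if (text.length > maxLen) return { ok: false, error: "too long" };
  if (CONTROL_CHARS.test(text)) return { ok: false, error: "control character" };
  return { ok: true, value: text };
}

// Phone: accept the formatting people use to proofread, store digits only.
// 7 is an assumed lower bound; 15 is the E.164 maximum.
function normalizePhone(value) {
  const raw = String(value).trim();
  if (/[^\d\s().+\-]/.test(raw)) return { ok: false, error: "unexpected character" };
  const digits = raw.replace(/\D/g, "");
  if (digits.length < 7 || digits.length > 15) return { ok: false, error: "length" };
  return { ok: true, value: (raw.startsWith("+") ? "+" : "") + digits };
}

// HTML sink: encode on output instead of banning characters on input.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (c) => map[c]);
}

// Mail header sink: re-check at the point of use and fail loudly.
function mailSubject(name) {
  const checked = validateFreeText(name);
  if (!checked.ok) throw new Error("refusing header value: " + checked.error);
  return "Subject: Order from " + checked.value;
}

// Constructed sample inputs, taken from the cases discussed in the thread.
for (const s of ["John O'Connor", "ABC, Inc.", "John\r\nBcc: x@example.test"]) {
  console.log(JSON.stringify(s), validateFreeText(s));
}
console.log(normalizePhone("123-456-7890"), escapeHtml("O'Connor & <Sons>"));
```

The same rule applies to a database sink: pass the validated value as a bound parameter rather than removing quotes from it.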