Comments on: Validation Blind Spots Hurt Real Users

By: Em

Em — Mon, 11 Apr 2011 20:21:21 +0000

What do you think about validating and sanitizing email with build in php filter functions:
filter_var($email, FILTER_VALIDATE_EMAIL), filter_var($email, FILTER_SANITIZE_EMAIL).

By: Tim Swann

Tim Swann — Mon, 11 Apr 2011 07:41:27 +0000

Nice article…

I’m probably guilty of a few of those offences myself in the past.
I know I’ve been guilty of strict validation on credit card numbers. Why I didn’t allow spaces was daft when I think about it, it’s so easy to strip the spaces out.

It’s a perfect example of programmers living in a programmatic rather than real world. It’s good to have it pointed out to us every now and then that we need to stop over-thinking, and put the user first.

@Jani – totally agree, my password is mine, and so it should contain whatever I want – and not be limited to or even enforced by the system.

By: Jani Hartikainen

Jani Hartikainen — Tue, 05 Apr 2011 20:10:11 +0000

Excellent points there. These are some things that have baffled me as well.

Something you didn’t mention is passwords.

Why oh why can’t I have special characters in my password, and why does it have to be between 6 an 12 characters and not any longer?

If I want to have a password of 100 characters, you should let me. It shouldn’t matter to you what’s in it, because you should be hashing it anyway, so it all passwords would match your prerequired length (be it 40 with sha1 or whatever)

By: Chris Shiflett

Chris Shiflett — Mon, 04 Apr 2011 16:00:11 +0000

Slightly tangential to your post, but here are a few facts about US addresses that you might find interesting:

1. US addresses consist of two lines, an address line and a last line. Every form that collects city, state, and ZIP (collectively, the last line) separately only needs one address line.

2. Any secondary unit designator (apartment, suite, etc.) is part of the address line. If a form collects it separately, you can opt to just write it at the end of the address line instead. I always do that, because it’s faster.

3. The longest valid address line is 49 characters. Limiting this to 20 is especially dumb, but even limiting it to 50 can be problematic, because standardized addresses use standardized abbreviations, and users might spell those out.

The more you know. :-)

By: Predrag Supurović

Predrag Supurović — Mon, 04 Apr 2011 07:38:57 +0000

There is one point that you mentioned lightly, but actually, lots of developers do fail: support for international characters.

Nowadays, it is pretty easy to support almost every alphabet in the world. All you have to do is use UTF8 encoding. It should be used both on web page and database and that would help anyone type in his name, address or whatever else using his own language and alphabet if necessary.

By: Wiseguy

Wiseguy — Mon, 04 Apr 2011 02:54:28 +0000

I had the same problem with American Express. I called, hoping that the limit was just in the web form and that they could enter longer addresses, but they just cut my street name in the middle and spread it onto the second line. When I joined several years ago, I noticed the 8-char password thing, too. I wrote them to complain. I was recently able to change my password to a longer one, so I guess that’s since been changed for the better.

Worse, I had a bank that required a password to be exactly 8 chars contain no symbols/punctuation/spaces (so, alphanumeric only), and not start with a number. Seriously? Sheesh.