[thelist] Form Security

Luther, Ron Ron.Luther at hp.com
Mon Jul 19 08:16:04 CDT 2010

Frank Marion posted an excellent treatise on form security ...

Hi Frank!

I really enjoyed your post and its thoroughness.  There were a lot of good points in there and I found it fun and helpful.  But based on a lot of recent experience wrestling with forms that I did not particularly enjoy ... I might have a quibble or two.  ;-)  I certainly agree that, by all means, we should protect the integrity of the database and backend system.  But I think people go too far when they try to do much more than that.

(1) I think a lot of forms development folks get overly aggressive and hung up on input completeness and validation.  While that may be mandated by management, it [IMVHO] can come across as bloody annoying on the user end of the stick.  There actually IS a difference between a "required" field ... and a field people simply "want" populated.  Please don't confuse the two.

There are, for example, very very few situations where you actually need my middle name, so please don't trigger an error when I leave it blank because you are only going to tick me off and force me to fill your 'required' field with my expletive du jour.

(2) Try to avoid excessive nosiness.  Okay.  I will grant you that there may be some 'edge' cases for tobacco, alcohol or senior sites where you may need to know whether my age is over 18 or 21 or 55.  But by and large you do not ever need to know my exact age. So please don't trigger an error if I react to your mandatory birthday field by entering a year of 1547.  (Hey!  Everyone likes to look younger.  Right?)

There are, of course, worse things some folks do, like requiring fields like SSN or "mother's maiden name" when they don't have a legitimate need for them.  Fortunately, larger companies generally have an 'executive complaint center' where you can point things like that out to them ... and their legal staff.  Questioning the developer's competence and parentage is, of course, optional.  [1]

(3) i18n.  Some of our Canadian and UK members have, in the past anyway, railed on about "validation" on telephone number and zip code fields that actually prevent them from entering correct information.  Ever wonder why folks in Toronto claim a '90210' zip code?  This is why.

People travel.  Get over it.  If my cell phone is out of London and I want you to ship to my NYC office ... do you want to make the sale - or do you want to argue with me that I'm making a mistake and not filling out your form correctly because the area code and zip code fields don't match the same geography?

Peace out,

[1] Mostly I think it's simple laziness.  External HR forms gathering input for SAP or PeopleSoft backends seem to be the worst offenders.
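The distinction Ron draws above (validate to protect the backend, not to police the user) can be shown in code. The following is an added example, not code from the post or from thelist: a small server-side validator that enforces type, length and character-set limits on every field, treats only genuinely required fields as required, accepts any country's phone and postal formats without cross-checking them against each other, and accepts a four-digit birth year without judging its plausibility. The field names, limits and schema are hypothetical.

```python
import re

# Constructed example: integrity checks (type, length, printable characters)
# are applied to every field; "nosiness" checks are deliberately absent.

MAX_LEN = 200
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
# Letters, digits, spaces and hyphens cover US ZIP, Canadian, UK and most
# other postal formats; length cap keeps the column safe.
POSTAL_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9 -]{1,11}$")


def _clean(value, max_len=MAX_LEN):
    """Reject non-strings, drop control characters, enforce a length cap."""
    if not isinstance(value, str):
        raise TypeError("expected a string")
    value = "".join(ch for ch in value.strip() if ch.isprintable())
    if len(value) > max_len:
        raise ValueError("value longer than %d characters" % max_len)
    return value


def normalise_email(raw):
    cleaned = _clean(raw, 254)
    if not EMAIL_RE.match(cleaned):
        raise ValueError("not an email address")
    return cleaned.lower()


def normalise_phone(raw):
    """Keep the digits (and a leading '+'); any country's format is fine.
    Only input that cannot be a phone number at all is rejected."""
    cleaned = _clean(raw, 40)
    digits = re.sub(r"\D", "", cleaned)
    if not 5 <= len(digits) <= 15:          # E.164 allows at most 15 digits
        raise ValueError("phone number must have 5 to 15 digits")
    return ("+" if cleaned.startswith("+") else "") + digits


def normalise_postal(raw):
    cleaned = _clean(raw, 12).upper()
    if not POSTAL_RE.match(cleaned):
        raise ValueError("postal code contains unexpected characters")
    return cleaned


def normalise_year(raw):
    """Structural check only: four digits. Whether 1547 is plausible is a
    business decision, not an integrity concern, so it is accepted here."""
    cleaned = _clean(raw, 4)
    if len(cleaned) != 4 or not cleaned.isdigit():
        raise ValueError("year must be four digits")
    return int(cleaned)


# Hypothetical schema: only fields the backend truly needs are required.
SCHEMA = {
    "email":       {"required": True,  "check": normalise_email},
    "postal_code": {"required": True,  "check": normalise_postal},
    "middle_name": {"required": False, "check": lambda v: _clean(v, 60)},
    "phone":       {"required": False, "check": normalise_phone},
    "birth_year":  {"required": False, "check": normalise_year},
}


def validate_form(fields):
    """Return (clean_values, errors). Blank optional fields are accepted as
    empty strings; unknown fields are dropped, never passed to the backend."""
    clean, errors = {}, {}
    for name, spec in SCHEMA.items():
        raw = fields.get(name, "")
        blank = raw is None or (isinstance(raw, str) and not raw.strip())
        if blank:
            if spec["required"]:
                errors[name] = "required"
            else:
                clean[name] = ""
            continue
        try:
            clean[name] = spec["check"](raw)
        except (ValueError, TypeError) as exc:
            errors[name] = str(exc)
    return clean, errors


if __name__ == "__main__":
    # Constructed submission: a London mobile number shipping to New York.
    sample = {"email": "Ron@Example.com", "phone": "+44 20 7946 0000",
              "postal_code": "10001", "middle_name": "", "birth_year": "1547",
              "admin": "1"}
    print(validate_form(sample))
```

Note that the phone and postal code are normalised independently; nothing compares their geographies, and the extra `admin` key never reaches the cleaned output.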
