Are there browsers that don't support maxlength?

Posted 2019-01-19 10:13

I have a contest entry page on my company's website. In order to enter the contest, you create a login, which is just an email and a 4-digit pin. Here's the PIN field:

<input type="password" name="contest_pin" id="contest_pin" maxlength="4" />

When users submit the form, the account is created in our database, and then they get an email (which I'm copied on) that contains the email address and PIN they created.

Here's the issue: in every browser I've tested (Safari/Chrome/Firefox on Mac, Chrome/Firefox on Linux, IE7/8/9 on Windows) I CANNOT enter more than 4 digits into that PIN field. And yet, several of the emails I've received show that the user has created a pin with more than 4 characters.

How is this possible? Are there browsers that don't support maxlength? I haven't tested in Opera, or on any of the mobile browsers. It's not a huge deal if their pin is longer than 4 digits; the database will accept more. I'm just wondering how they managed to get around maxlength.

EDITED TO ADD

There are too many answers basically saying the same thing for me to respond individually to all of them. I KNOW that I should always do server-side validation for anything important, and we do have PHP code in place sanitizing our data, and if it was hugely important I would also have PHP code enforcing the 4-digit limit. It's not that important to us that they be only 4 characters, so I haven't enforced it. I'm just wondering why the maxlength property is not doing what it's designed to do, which is prevent users from entering more than a certain number of characters. For those of you that suggested malicious scripts or Firebug, I can be 100% certain this is not the case. Only registered users of our site (which is limited to a very specific corporate membership list) can even get to the contest entry page, and I can guarantee that none of the approximately 100 people on that list are going to be deliberately trying to circumvent an input type property.

6 answers
走好不送
#2 -- · 2019-01-19 10:35

In general, trying to enforce rules for user input done client-side is a bad idea. I had an experience where we had contracted out some work to some programmers and their idea of sanitizing user input was making it so that users couldn't input more than 10 characters in any given field. A quick firebug change and, oh look, I can drop the server's database with some minimal SQL injection.

If I were you I'd check maximum lengths with whatever script adds user information to your database and return form validation errors if the user input exceeds the maximum specified length.

冷血范
#3 -- · 2019-01-19 10:37

They very likely are bots that read field names and create GET and POST requests based on those rather than using the HTML form like a normal human user would.

This is why client-side validation of a form is never enough to ensure data is correct. Client-side validation is nice as it's responsive for end users, but it's not able to prevent bad data from arriving at your server's doorstep.

As an example, let's say I have an input field in a form whose action is GET. My input field's maxlength is 4. When I press submit, I see the URL ending with ?field=1234. There's nothing stopping me from updating that URL to ?field=123456789 and pressing enter. Similar things can be done with POST actions, but a tool is needed to do it.

你好瞎i
#4 -- · 2019-01-19 10:37

This is the type of thing that you should still validate server side, even though the clients will almost always support it. It is very easy to get around a maxlength -- Firefox Developer Toolbar includes an option to "Remove Maximum Lengths", or a request can very easily be hand-edited. I almost think that in the past you could get around a maxlength in one of the browsers simply by using cut and paste (e.g., the browser wouldn't let you type more characters, but if you pasted a value that was 5+ characters it would enter them all), though I can't remember specifically which browser I saw that on...

一纸荒年 Trace。
#5 -- · 2019-01-19 10:41

I believe that every browser supports it; here are a few links for reference:

Maxlength | SitePointReference

Maxlength | W3 Schools

Obviously there are ways around this - you should ensure you ALWAYS have adequate server-side validation, as client-side usually isn't enough on its own.

在下西门庆
#6 -- · 2019-01-19 10:41

All browsers support maxlength. However, this attribute can easily be removed/changed using DOM methods or, for example, with Firefox's Web Developer Toolbar.

爱情/是我丢掉的垃圾
#7 -- · 2019-01-19 10:55

several of the emails I've received show that the user has created a pin with more than 4 characters.

How is this possible? Are there browsers that don't support maxlength?

I would investigate the USER_AGENT and REFERER headers related to those user activities. Perhaps a malicious user submitted forms programmatically circumventing the browser restrictions, just to check your perimeter defense. If so you should see some patterns there.

Anyway, these educated guesses aside, maxlength should not be treated as a means of securing the input. Anything client-side is not under your control; it exists merely to make the user interface more intuitive and interactive. You should always check everything on the server. In this case, check that the PIN is composed of 4 digits, and otherwise reject the input. The golden rule is to treat all user input as hostile and thoroughly validate it on the server.

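To illustrate the point made in answers #3 and #7 (the server only ever sees the decoded request, with no trace of the maxlength attribute, so the four-digit rule has to be enforced there), here is an added example that is not from the question or any of the answers. It is framework-agnostic Python standing in for the asker's PHP handler; the field name contest_pin comes from the question, while the sample request bodies are constructed. It also covers edge cases the answers do not mention: a trailing newline, non-ASCII digits, and a repeated parameter.

```python
import re
from urllib.parse import parse_qs

# Exactly four ASCII digits. [0-9] is used instead of \d because Python's \d also
# matches non-ASCII digits (e.g. Arabic-Indic numerals), and fullmatch instead of
# ^...$ because $ still matches before a trailing newline, so "1234\n" would pass.
PIN_RE = re.compile(r"[0-9]{4}")


def validate_pin(values):
    """Check the list of contest_pin values a form decoder returned.

    Returns (True, pin) on success or (False, reason) on failure. Nothing is
    stripped or normalised and a duplicated parameter is rejected: the client is
    not trusted, so the server accepts only the exact shape it expects.
    """
    if not values:
        return False, "missing"
    if len(values) != 1:
        return False, "ambiguous: parameter sent more than once"
    pin = values[0]
    if PIN_RE.fullmatch(pin) is None:
        return False, "must be exactly four ASCII digits"
    return True, pin


def handle_submission(body):
    """Decode an application/x-www-form-urlencoded body exactly as the server sees it.

    The body carries no record of maxlength="4"; that attribute only ever lived in
    the browser, so the length check must be repeated here.
    """
    form = parse_qs(body, keep_blank_values=True)
    ok, detail = validate_pin(form.get("contest_pin"))
    return {"accepted": ok, "detail": detail, "email": form.get("email", [None])[0]}


# Constructed sample bodies: "normal" is what the HTML form produces; the rest are
# what reaches the server once the client-side limit is bypassed or the request
# is hand-built, as answer #3 describes with the edited query string.
SAMPLES = {
    "normal": "email=user%40example.com&contest_pin=1234",
    "too_long": "email=user%40example.com&contest_pin=123456789",
    "newline": "email=user%40example.com&contest_pin=1234%0A",
    "unicode_digits": "email=user%40example.com&contest_pin=%D9%A1%D9%A2%D9%A3%D9%A4",
    "repeated": "email=user%40example.com&contest_pin=1234&contest_pin=123456",
    "missing": "email=user%40example.com",
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(f"{name:15} -> {handle_submission(body)}")
```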