When Doug D. was asked to investigate a data truncation issue, he figured it'd be pretty easy. He clicked through the application to test it out, and discovered that validation was only handled client side. After turning JavaScript off, he could submit text boxes with more text than would fit in the database column.
There was just one problem; he didn't see the client-side validation code next to the other functions defined on the page. He scrolled down to the submit button to see what it did in its OnClick.
<!--
  Add / Update Record button. The whole handler lives inline in the onclick
  attribute. It runs three browser-side checks in sequence (validateRecord for
  the address fields, validate for the start and end month/year, ComparedDate
  for the date range) and, only if each returns true, either appends a new
  resident record or overwrites the record currently being edited.

  Every helper and array used here (validateRecord, validate, ComparedDate,
  pushOn, FieldInfo, DispArray, ClearResidentField, RecordArray, MsgArray,
  stYear, editResRecord) is defined elsewhere on the page and is not shown.

  NOTE(review): these checks run only in the browser. With scripting disabled
  the handler never executes, so none of this can be relied on to protect the
  database; the server has to repeat the checks.

  NOTE(review): as printed, the script contains literal double quotes inside a
  double-quoted attribute. Presumably the original markup escaped them (for
  example as &quot;); confirm against the original page.
-->
<input onclick="var flag = true;
  // Step 1: address fields. The field objects themselves are passed, not their values.
  flag = validateRecord(form.res_Addr_1,form.res_City_1,form.res_County_1, form.res_State, form.res_Zip);
  if (flag == true) {
    // validate start Date and End Date
    var dateflag = true;
    // No day field is passed to the checks, so an empty day is used.
    var day = "";
    dateflag = validate(form.res_MM, day,form.res_YYYY);
    if (dateflag == true) {
      dateflag = validate(form.res_MM_end, day, form.res_YYYY_end);
      if (dateflag == true) {
        // Compare start and end using a fixed day of 01 on both sides.
        dateflag = ComparedDate(form.res_MM,"01",form.res_YYYY, form.res_MM_end,"01", form.res_YYYY_end);
        if (dateflag == true) {
          // check to see if it is a new record or an existing record
          if (editResRecord == -1) { // new record
            // add the year value to the array, so it can be used later on to see
            // if resident information contains records up to 7 years
            // NOTE(review): parseInt is called without a radix, and this branch stores
            // a number while the edit branch below stores the raw string value.
            stYear.push(parseInt(form.res_YYYY.value)); // start year
            // add record in the text area
            pushOn(RecordArray, MsgArray,form.DisplayRecord);
            ClearResidentField();
            form.totalResRecord.value = RecordArray.length;
            form.res_Addr_1.focus();
          } else { // existing record that is being edited
            stYear[editResRecord] = form.res_YYYY.value
            // 1) Build the record text field by field, then join the pieces below.
            // Presumably FieldInfo writes each labelled value into MsgArray at the
            // index given as its third argument; FieldInfo is not shown, confirm.
            var FinalMessage = "";
            FieldInfo("ADDRESS:" , form.res_Addr_1.value, 0, "1");
            FieldInfo("CITY:" , form.res_City_1.value, 1, "1");
            FieldInfo("COUNTY:" , form.res_County_1.value,4, "1");
            var i = form.res_State.selectedIndex;
            FieldInfo("STATE:" , form.res_State.options[i].value ,2, "1");
            FieldInfo("ZIP:" , form.res_Zip.value,3, "1");
            FieldInfo("FROM:" , form.res_MM.value, 5, "1"); //start month
            FieldInfo("/" , form.res_YYYY.value, 6, "1"); //start year
            FieldInfo("TO:" , form.res_MM_end.value, 7, "1"); // end month
            FieldInfo("/" , form.res_YYYY_end.value, 8, "1"); // end year
            // Concatenate every non-null MsgArray entry in index order and blank
            // each one out as it is consumed. The variable i is redeclared here.
            for (var i= 0; i < MsgArray.length; i++) {
              if (MsgArray[i] != null) {
                FinalMessage = FinalMessage + MsgArray[i];
                MsgArray[i] = "";
              } // end if
            } // end for
            RecordArray[editResRecord] = FinalMessage;
            // NOTE(review): DisplayRecord is referenced bare here but as form.DisplayRecord
            // in the new-record branch; presumably it resolves through the form, confirm.
            DispArray (RecordArray, DisplayRecord)
            ClearResidentField();
            form.res_Addr_1.focus();
            editResRecord = -1 // reset the edit marker to -1, the value tested above for a new record
            form.totalResRecord.value = RecordArray.length;
          }
        } // end if
      } // end if
    } // end if
  } // end if
" type="button" value="Add / Update Record" />
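Doug moved the code out of the onclick attribute into its own separate function and added server-side validation, so that oversized input is rejected even when the client-side checks never run.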