When Doug D. was asked to investigate a data truncation issue, he figured it'd be pretty easy. He clicked through the application to test it out, and discovered that validation was only handled client side. After turning JavaScript off, he could submit text boxes with more text than would fit in the database column.

There was just one problem; he didn't see the client-side validation code next to the other functions defined on the page. He scrolled down to the submit button to see what it did in its OnClick.

<input onclick="var flag = true;
flag = validateRecord(form.res_Addr_1,form.res_City_1,form.res_County_1, form.res_State, form.res_Zip);
       
if (flag == true)
{       // validate start Date and End Date
  var dateflag = true;
  var day = "";
  dateflag = validate(form.res_MM, day,form.res_YYYY);
  if (dateflag == true)
  {
    dateflag = validate(form.res_MM_end, day, form.res_YYYY_end);
    if (dateflag == true)
    {
       dateflag = ComparedDate(form.res_MM,"01",form.res_YYYY, form.res_MM_end,"01", form.res_YYYY_end);
       if (dateflag == true)
       {
       // check to see if it is a new record or existing record
        if (editResRecord == -1)
        { // new record
             
          // add the year values in the array, so we can use the value later on to see if resident information contains records up to 7 years
          stYear.push(parseInt(form.res_YYYY.value));  // start year
          // add record in the text area
          pushOn(RecordArray, MsgArray,form.DisplayRecord);
          ClearResidentField();
          form.totalResRecord.value = RecordArray.length;
          form.res_Addr_1.focus();
        }
        else
        { // existing record that are being edited
          stYear[editResRecord] = form.res_YYYY.value         
   
      //1) Loop through each array value and add all it all together as a record
        var FinalMessage = "";
        FieldInfo("ADDRESS:" , form.res_Addr_1.value, 0, "1");
        FieldInfo("CITY:" , form.res_City_1.value, 1, "1");
        FieldInfo("COUNTY:" , form.res_County_1.value,4, "1");
        var i = form.res_State.selectedIndex;
          FieldInfo("STATE:" , form.res_State.options[i].value ,2, "1");
        FieldInfo("ZIP:" , form.res_Zip.value,3, "1");
        FieldInfo("FROM:" , form.res_MM.value, 5, "1"); //start month
        FieldInfo("/" , form.res_YYYY.value, 6, "1");  //start year
        FieldInfo("TO:" , form.res_MM_end.value, 7, "1"); // end month
        FieldInfo("/" , form.res_YYYY_end.value, 8, "1");  // end year           
             
        for (var i= 0; i < MsgArray.length; i++) 
          {
            if (MsgArray[i] != null)
            {
              FinalMessage = FinalMessage + MsgArray[i];
              MsgArray[i] = "";
            } // end if
        }  // end for
               
          RecordArray[editResRecord] = FinalMessage;
          DispArray (RecordArray, DisplayRecord)           
          ClearResidentField();
          form.res_Addr_1.focus();
          editResRecord = -1 // change the edit record flag back to false
          form.totalResRecord.value = RecordArray.length;
        }
      
           
        } // end if
    }       // end if
  } // end if
}  // end if
" type="button" value="Add / Update Record" />

Doug moved the code to its own separate function and added server-side validation.

[Advertisement] BuildMaster allows you to create a self-service release management platform that allows different teams to manage their applications. Explore how!