Hi,

I know this is a dumb question and perhaps a bit OT, most likely, but ... I want to ask anyway.

The goal:
Contain a textarea to a finite limit of number of words or characters?
I've found several ways but nothing seems to be good enough to stop someone that actually wishes to flood a textarea. I wish to limit it to around 20 lines, or about a thousand characters, say.
Note that I am specifically not asking about text boxes et al.

Here's the first question:
1. Is there anyway to use server side code the client cannot negate?
A logical, non-surprise to the visitor so they find out BEFORE trying to submit the form? Preferably in real time.

I've tried a lot of things without success. JS can simply be ignored by the client and on and on ...

In learning HTML 5 to go with PHP scripts, I've come across the HTML 5 maximum length attribute. Having tested the HTML 5 attribute, it works, assuming a browser supports HTML 5, which I'm sure most miscreants wouldn't use even if they used a "regular" browser.

I only have HTML, PHP and CSS under my belt at this time; so that of course is where my preferences lie, but I'm not averse to something different as long as it can be called from PHP.
Hopefully I have enough checks in place to know a message might be coming from a miscreant without the textarea limit, but ... there are those who will find it very inviting, I'm sure.
JavaScript works great, but ... it's not secure.

So here's question 2:
What do YOU see as the most straightforward way to enforce a length for a textarea?

TIA,

Rivet`

    Rivet;11033199 wrote:

    Is there anyway[sic] to use server side code the client cannot negate?

    Absolutely: count the number of characters the user submits.

    <?php
    if( mb_strlen( $_POST['textarea'] ) > 1000 ){
        print "too big!";
    }

    Rivet;11033199 wrote:

    A logical, non-surprise to the visitor so they find out BEFORE trying to submit the form? Preferably in real time.

    Sure; just remember that anything on the client side is pure convenience - good for legit users, but not "security" in any way.

    var textarea = document.getElementById( 'MyTextarea' );
    textarea.onkeyup = function(){
        if( textarea.value.length > 1000 ){
            textarea.value = textarea.value.substring( 0,1000 );
            alert( 'too big!' );
        }
    }

    It would be fairly simple to modify this to create a "countdown" of remaining characters.

      traq;11033201 wrote:

      Absolutely: count the number of characters the user submits.

      <?php
      if( mb_strlen( $_POST['textarea'] ) > 1000 ){
          print "too big!";
      }

      Hmm, that's certainly an efficient way to count; somehow I've never come across mb_ before. THANKS!

      traq;11033201 wrote:

      Sure; just remember that anything on the client side is pure convenience - good for legit users, but not "security" in any way.

      var textarea = document.getElementById( 'MyTextarea' );
      textarea.onkeyup = function(){
          if( textarea.value.length > 1000 ){
              textarea.value = textarea.value.substring( 0,1000 );
              alert( 'too big!' );
          }
      }

      It would be fairly simple to modify this to create a "countdown" of remaining characters.

      I have a canned (but modified) countdown timer working but for some reason it's doing major screwing with the rest of the form: As in, it leaves most of the page blank when I try to implement it and it appears it bypasses most of the page's validation of other fields. It's likely my implementation but that's OT here so I'll take it elsewhere. You've given me what I need most.

      And yes, I'm fully aware it's only a convenience for legit users, but it also should prevent message bombs by quantity. I do perform validation on the contents of the message, plus it's only possible to send one message at a time to prevent successive submits. Hopefully I've made things difficult enough that most miscreants will decide it's too time intensive and will go elsewhere. Not perfect, but ... it's something.

      Thanks much,

      Rivet`

        mb_strlen is a multi-byte-aware version of the original strlen function (which actually counts bytes, and not necessarily characters).
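An added example, not code from any poster in this thread: a server-side check that enforces both limits mentioned in the question (about a thousand characters, around 20 lines) and covers cases a bare mb_strlen() call misses, namely array-valued fields, malformed UTF-8 and CRLF line breaks. The helper name validate_message, the constants MAX_CHARS and MAX_LINES, and the assumption that the form is submitted as UTF-8 are illustrative choices, not from the thread.

```php
<?php
declare(strict_types=1);

// Limits from the thread: about a thousand characters, around 20 lines.
const MAX_CHARS = 1000;
const MAX_LINES = 20;

// Hypothetical helper: returns a list of errors, empty when the value is acceptable.
function validate_message($raw): array
{
    // A client can send textarea[]=x, which PHP delivers as an array.
    if (!is_string($raw)) {
        return ['Message must be a single text value.'];
    }
    // Cheap byte-level bound before multi-byte work: a UTF-8 character is at most 4 bytes.
    if (strlen($raw) > MAX_CHARS * 4) {
        return ['Message is too long.'];
    }
    // Reject malformed UTF-8 so the character count is meaningful.
    if (!mb_check_encoding($raw, 'UTF-8')) {
        return ['Message is not valid UTF-8.'];
    }
    // Browsers submit textarea line breaks as CRLF; count each break as one character.
    $text = str_replace(["\r\n", "\r"], "\n", $raw);

    $errors = [];
    if (mb_strlen($text, 'UTF-8') > MAX_CHARS) {
        $errors[] = 'Message exceeds ' . MAX_CHARS . ' characters.';
    }
    if (substr_count($text, "\n") + 1 > MAX_LINES) {
        $errors[] = 'Message exceeds ' . MAX_LINES . ' lines.';
    }
    return $errors;
}

// Constructed sample inputs standing in for: $_POST['textarea'] ?? null
$samples = [
    'short note'    => "Hello,\r\nthis is fine.",
    '1000 x 2-byte' => str_repeat("\u{00E9}", 1000), // 2000 bytes, 1000 characters
    '1001 chars'    => str_repeat('a', 1001),
    '21 lines'      => implode("\r\n", array_fill(0, 21, 'x')),
    'array payload' => ['x'],
    'bad encoding'  => "\xC3\x28",
];
foreach ($samples as $label => $value) {
    $errors = validate_message($value);
    echo str_pad($label, 16), $errors ? implode(' ', $errors) : 'ok', PHP_EOL;
}
```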
