Some programmers are so lame that they haven't figured out how to strip spaces and dashes from input. Really. Check Steve's No Dashes or Spaces Hall of Shame for some nice examples.
My question for you is this: Would you let a programmer who can't handle sanitizing input anywhere near your e-commerce system? I sure as hell wouldn't.
In other news, George Bush fell off a Segway. He's nothing if not funny. Too bad he's in charge of the country.
Posted by jzawodn at June 13, 2003 09:29 PM
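Added example, not code from the original post or its comments: a sketch of server-side handling that accepts spaces and dashes as filler and rejects anything else instead of silently deleting it. The function names, the 12 to 19 digit length range, and the Luhn checksum step are assumptions of this example, not something the page specifies.

```python
import re

# Filler characters a user may type between digit groups.
FILLER = re.compile(r"[ -]")
# ASCII digits only. In Python 3, \d on a str pattern also matches
# non-ASCII decimal digits (e.g. fullwidth forms), so [0-9] is explicit.
# The 12-19 length range is an assumption of this example.
DIGITS = re.compile(r"[0-9]{12,19}")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: double every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def normalize_card_number(raw: str) -> str:
    """Return the bare digit string, or raise ValueError.

    Spaces and dashes are removed; any other non-digit causes rejection
    rather than being stripped, so a typo never becomes a different number.
    """
    candidate = FILLER.sub("", raw.strip())
    if not DIGITS.fullmatch(candidate):
        raise ValueError("only digits, spaces and dashes are accepted")
    if not luhn_ok(candidate):
        raise ValueError("checksum failed")
    return candidate


if __name__ == "__main__":
    # Constructed sample inputs; 4111111111111111 is a common test number.
    for sample in ["4111-1111 1111-1111", "4111 1111 1111 111Z"]:
        try:
            print(repr(sample), "->", normalize_card_number(sample))
        except ValueError as exc:
            print(repr(sample), "rejected:", exc)
```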
I'd rather the programmer (and the linked URL) validated input on what *is* allowed, not trying to strip out what might not be allowed, allowing him or herself to slip up on trying to think of infinite scenarios.
Wah ?
Looks like there are programmers like this in all major e-com companies. From ebay/paypal to msn and even shitybank (s/shity/citi).
In fact Shitybank should say "Which random CC number do you want to use today?" :)
I agree with wil, Steve's example should be amended to:
$ccnum =~ s/[^0-9]//g;
The problem isn't so much "no spaces or dashes". It's more "numbers only".
I think that simply deleting non-digits may not be a great idea: if the user entered (say) a letter, I'd rather reject it outright as an invalid card number than just make a go of it. "spaces and dashes" are filler characters, "Z" and ";" are not.
But why use 0-9 when \d would do :-)
I doubt there are many commercial e-commerce sites being built now that leave usability decisions to programmers.
Blaming the programmer is too simplistic, blame the (so called) usability experts who make the stupid decisions.
I dunno. I have trouble believing that this was a "usability" decision...
Let me add a similar pet peeve. I was searching an archive, I entered the string "Perl 5.8" and I got an immediate abort. The search engine reported "Stopwords: 5, 0 results, 8, 0 results" and stopped. The engine (a well-known GPL product) refuses to search for strings less than 2 chars. It is too stupid to figure out "5.8" is a real 3chr search string.
Good usability/interaction design principles will allow users to input the number with or without spaces/dashes, and have the program do all the validation. So if this was a usability decision, it was a 'stupid' one...
I've developed sites that have this restriction, and no, I am not a lame programmer.
This was at an old web dev shop I used to work at - the environment was very inhospitable for anybody with a clue.
The owner knew just enough HTML to think he knew what he was doing, but was extremely resistant to change. Hiring policy was to take absolutely anybody on for three months, and then fire them if they were no good. The couple of dozen or so developers that I worked with over the 18 months I was there hadn't got a clue, so they couldn't back me up on anything, and the owner didn't take me seriously because, even though I was holding the company together at the seams, I wasn't very experienced.
Standard practice for developing a new website was to simply copy an old one, and change the page content a bit. The original version of the shopping cart software was extremely insecure, and had the idiot CC handling you describe. Any attempt to do work that wasn't absolutely necessary to impress a client was frowned upon, to the point where I was told "That isn't how we do things around here" in response to me using closing p tags and indenting my code.
These agencies are out there, and are sadly far too common, from the websites I see today. They prey on small businesses with no understanding of the web, and most will write any complaints off as "kooks" if anybody says anything to their clients. The sad thing is, in the 18 months I worked there, I noticed the quality of my work afterwards was way, way lower than it had been when I started there - I just didn't *care* any more.
Please, the programmer is not always the one to blame in these matters. Sometimes the resistance to change is just too high.
About half of web forms do not allow perfectly legal email addresses to be entered. Most commonly, they do not allow a "+" in the left side of the address (and sometimes other legal characters). Many also restrict the length to an arbitrarily small number of characters.
I find this to be a far more significant error than not allowing spaces and dashes in credit card numbers, since it excludes users from the site, rather than just inconveniencing some of them.
I couldn't agree more about the stupidity of credit card "validation":
Credit Card Validation
I want u to list all credit card numbers alphabetically to my box shown above