Some programmers are so lame that they haven't figured out how to strip spaces and dashes from input. Really. Check Steve's No Dashes or Spaces Hall of Shame for some nice examples.

My question for you is this: Would you let a programmer who can't handle sanitizing input anywhere near your e-commerce system? I sure as hell wouldn't.

In other news, George Bush fell off a Segway. He's nothing if not funny. To bad he's in charge of the country.

Posted by jzawodn at June 13, 2003 09:29 PM

Reader Comments
# wil said:

I'd rather the programmer (and the linked URL) validated input on what *is* allowed, not trying to strip out what might not be allowed, allowing him or herself to slip up on trying to think of infinite scenarios.

on June 14, 2003 12:42 AM
# Kalyan Varma said:

Wah ?

Looks like there are programmers like this in all major e-com companies. from ebay/paypal to msn and even shitybank (s/shity/citi).

Infact Shitybank should say "Which random CC number do you want to use today?" :)

on June 14, 2003 07:55 AM
# Daniel Smith said:

I agree with wil, Steve's example should be amended to:

$ccnum =~ s/[^0-9]//g;

The problem isn't so much "no spaces or dashes". It's more
"numbers only".

on June 14, 2003 09:09 AM
# Steve Friedl said:

I think that simply deleting non-digits may not be a great idea: if the user entered (say) a letter, I'd rather reject it outright as an invalid card number than just make a go of it. "spaces and dashes" are filler characters, "Z" and ";" are not.

But why use 0-9 when \d would do :-)

on June 14, 2003 10:46 AM
# Darren said:

I doubt there are many commercial e-commerce sites being built now that leave usability decisions to programmers.

Blaming the programmer is too simplistic, blame the (so called) usability experts who make the stupid decisions.

on June 14, 2003 11:30 AM
# Jeremy Zawodny said:

I dunno. I have trouble believing that this was a "usability" decision...

on June 14, 2003 06:07 PM
# Charles said:

Let me add a similar pet peeve. I was searching an archive, I entered the string "Perl 5.8" and I got an immediate abort. The search engine reported "Stopwords: 5, 0 results, 8, 0 results" and stopped. The engine (a well-known GPL product) refuses to search for strings less than 2 chars. It is too stupid to figure out "5.8" is a real 3chr search string.

on June 15, 2003 09:11 AM
# Nav said:

Good usability/interaction design principles will allow users to input the number with or without spaces/dashes, and have the program do all the validation. So if this was a usability decision, it was a 'stupid' one...

on June 15, 2003 06:59 PM
# said:

I've developed sites that have this restriction, and no, I am not a lame programmer.

This was at an old web dev shop I used to work at - the environment was very inhospitable for anybody with a clue.

The owner knew just enough HTML to think he knew what he was doing, but was extremely resistant to change. Hiring policy was to take absolutely anybody on for three months, and then fire them if they were no good. The couple of dozen or so developers that I worked with over the 18 months I was there hadn't got a clue, so they couldn't back me up on anything, and the owner didn't take me seriously because, even though I was holding the company together at the seams, I wasn't very experienced.

Standard practice for developing a new website was to simply copy an old one, and change the page content a bit. The original version of the shopping cart software was extremely insecure, and had the idiot CC handling you describe. Any attempt to do work that wasn't absolutely necessary to impress a client was frowned upon, to the point where I was told "That isn't how we do things around here" in response to me using closing p tags and indenting my code.

These agencies are out there, and are sadly far too common, from the websites I see today. They prey on small businesses with no understanding of the web, and most will write any complaints off as "kooks" if anybody says anything to their clients. The sad thing is, in the 18 months I worked there, I noticed the quality of my work afterwards was way, way lower than it had been when I started there - I just didn't *care* any more.

Please, the programmer is not always the one to blame in these matters. Sometimes the resistance to change is just too high.

on June 16, 2003 12:55 PM
# Andrew said:

About half of web forms do not allow perfectly legal email addresses to be entered. Most commonly, they do not allow a "+" in the left side of the address (and sometimes other legal characters). Many also restrict the length to an arbitrarily small number of characters.

I find this to be a far more significant error than not allowing spaces and dashes in credit card numbers, since it excludes users from the site, rather than just inconveniencing some of them.

on June 17, 2003 03:16 PM
# Ned Batchelder said:

I couldn't agree more about the stupidity of credit card "validation":

Credit Card Validation

on June 19, 2003 04:56 PM
# t6olu said:

i want u to list all credit card numbers alphabeticaly to my box shown above

on August 14, 2003 04:25 AM
# Jan Flores said:

Send me credit card numbers

on June 16, 2005 10:14 AM
Disclaimer: The opinions expressed here are mine and mine alone. My current, past, or previous employers are not responsible for what I write here, the comments left by others, or the photos I may share. If you have questions, please contact me. Also, I am not a journalist or reporter. Don't "pitch" me.


Privacy: I do not share or publish the email addresses or IP addresses of anyone posting a comment here without consent. However, I do reserve the right to remove comments that are spammy, off-topic, or otherwise unsuitable based on my comment policy. In a few cases, I may leave spammy comments but remove any URLs they contain.