Is it sufficient to restrict the user input value by setting maxlength only? Let's say I have this code:
<input type="text" id="foo" maxlength="12">
Is there any possibility that the user can still (in any valid or invalid way) insert a value longer than 12 characters?
When we have set maxlength, is it useful or useless to validate it once again using JavaScript or maybe at the backend (servlet, etc.)?
- 2 "maxlength" only checks the frontend part, but you need to check what arrives at the server. – Rob, commented Jan 7, 2014 at 7:15
- 3 Just remember this: anything on the client side can easily be defeated/spoofed. Always perform thorough validation on the server side. Never trust anything from the user. – Jonathon Reinhart, commented Jan 7, 2014 at 7:20
- On the client side, by using browser development tools like Firebug, anyone can easily remove the 'maxlength' attribute. So there is a need to add server-side validation. – mujaffars, commented Jan 7, 2014 at 7:26
2 Answers
Is it sufficient to restrict user input value by setting maxlength only?
No
Is there any possibility that the user can still (in any valid or invalid way) insert a value longer than 12?
Yes
When we have set maxlength, is it useful or useless to validate it once again using JavaScript or maybe at the backend (servlet, etc.)?
You should validate, and preferably on the backend.
That's because you don't necessarily need a browser to pass data to the server. There is other client software, like REST testers, curl, wget, Tamper Data and similar tools, that can fire requests directly at the server, all of which bypass your maxlength attribute and JS validation.
So if you want fast validation so that the user gets a snappy, interactive response, your maxlength and JS validation do that job. But you should do a second validation when the data is passed to the server, this time for security.
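The following is an added example, not code from the question or from either answer: the same 12-character limit enforced on the server, independent of whatever the browser did or did not do with the maxlength attribute. The function names (codePointLength, validateFoo, handleFormBody, demo), the constant MAX_FOO_LENGTH and the four sample request bodies are assumptions constructed for this illustration; the bodies imitate what a browser, curl and a script-modified form would send.

```javascript
// Added example (not from the original question or answers). Names and sample
// bodies below are assumptions constructed for this illustration.
const MAX_FOO_LENGTH = 12;

// Count code points rather than UTF-16 code units so that characters outside the
// Basic Multilingual Plane (emoji, some CJK) are not counted twice. Whichever unit
// the server picks must be the server's own rule, because the server cannot know
// whether any client-side count happened at all.
function codePointLength(str) {
  return Array.from(str).length;
}

// Server-side validation of one field value. Returns {ok: true, value} or
// {ok: false, error}. Oversize input is rejected, never silently truncated, so a
// later check cannot be fed a different value than the one that was submitted.
function validateFoo(raw) {
  if (typeof raw !== 'string') {
    return { ok: false, error: 'foo is missing or not a string' };
  }
  // A browser text input strips CR/LF from its value before submitting; curl does
  // not, so control characters are a sign the request did not come through the form.
  if (/[\x00-\x1f\x7f]/.test(raw)) {
    return { ok: false, error: 'foo contains control characters' };
  }
  const len = codePointLength(raw);
  if (len > MAX_FOO_LENGTH) {
    return { ok: false, error: `foo is ${len} characters, maximum is ${MAX_FOO_LENGTH}` };
  }
  return { ok: true, value: raw };
}

// Validate an application/x-www-form-urlencoded body the way a servlet or Express
// handler would see it. The body is just bytes over HTTP; nothing in it records
// whether a maxlength attribute was ever applied.
function handleFormBody(body) {
  const params = new URLSearchParams(body);
  return validateFoo(params.get('foo'));
}

// Constructed sample requests (not captured traffic):
// 1. what a browser sends after maxlength="12" kept the user to 12 characters
const browserBody = 'foo=' + encodeURIComponent('twelve chars');
// 2. what curl sends:  curl -d 'foo=AAAA...' https://example.test/submit
const curlBody = 'foo=' + 'A'.repeat(60);
// 3. what the same page sends after a script set the value directly. The
//    maxlength constraint only applies to user edits, so
//    document.getElementById('foo').value = 'x'.repeat(40)
//    is accepted by the browser and submitted as-is.
const scriptBody = 'foo=' + 'x'.repeat(40);
// 4. twelve emoji: 12 code points but 24 UTF-16 code units, so a server that
//    compared raw.length to 12 would wrongly reject it.
const emojiBody = 'foo=' + encodeURIComponent('😀'.repeat(12));

// Run all four through the handler; returns the results so they can be inspected.
function demo() {
  return [browserBody, curlBody, scriptBody, emojiBody].map(handleFormBody);
}

console.log(JSON.stringify(demo(), null, 2));
```

Only the browser-shaped body and the emoji body pass; the curl body and the script-modified body are rejected with a length error even though maxlength="12" is present in the HTML that supposedly produced them. As a third layer, a length-limited database column (as the second answer suggests) still catches anything that slips past the handler, but whether the database then raises an error or silently truncates depends on the database and its configuration, so it should not be the only check.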
It is all up to you. Choose a datatype that allows only 12 values in the database.
Your job on the client side is done after validation, but the database won't be saving values of more than 12.