So this won't fix the problem of user input outside the browser, but what about implementing the date fields as <select>'s instead of text fields? You will still have to sanitize the data but at least you have defined the format in which the user inputs it through the browser.
p_W wrote:
So this won't fix the problem of user input outside the browser, but what about implementing the date fields as <select>'s instead of text fields? You will still have to sanitize the data but at least you have defined the format in which the user inputs it through the browser.
I recommend this setup for date entry since it does help a little with the input sanitizing: When you use a Select tag, the user input options are known values and it allows you to be much more aggressive and unforgiving with your input validation. Text box input requires some fuzzy acceptance of values, but a Select/Options list does not - you can validate against a fixed set of values and anything else must have come from a Bad Guy.
- Aaron
