Handling static pages is easy, but problems arise when programming is needed. Every site should have at least a contact form: when a visitor wants to reach the site owner or administrator, the easiest way is to fill in a contact form. That is how it should be, but is it really?
Has it ever happened to you that you reach a contact form, click the "Send" button without filling in a single field, and get the answer "Your message was successfully sent"?? Hmmm ... what message? Whose message?
The "developer" took it for granted that the user would enter all required data correctly on the first try. If someone accidentally or unwittingly enters something incorrectly or omits something, it is their fault! And what if someone uses that form to send thousands of spam e-mails? Well, that happens ...
Furthermore, don't be fooled: the validity of the entered data must be checked on the server side! JavaScript validation is not an adequate solution, because malicious users can bypass it!
Then the e-mail address format must be checked, if one was entered, and if necessary all other data formats (date, phone number, etc.). An appropriate warning should be displayed if an error occurred. The user must be told which field was not entered correctly and what is expected to be entered there. With complex input (e.g. a specific date format) it is necessary to show an example of a correct entry.
And has it happened to you that you entered a dozen items of data, made a single mistake or omission, and as a result, besides the error message, you got all the fields emptied? Start all over again! No need to say how frustrating that can be. Conclusion: when reporting errors, all the data entered by the user must be filled back in automatically, even if it is incorrect. The user must be allowed to correct their errors without being forced to re-enter all the data again.
It is not rare to see entry validation done from JavaScript, with the excuse that it is much faster and more convenient that way. Wrong! To speed up the data-verification process it is possible to use Ajax. JavaScript, however tempting it looks, is not suitable for this purpose. End of story.
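The server-side checks described above, as an added example that is not part of the original article: required fields, e-mail and date formats are verified on the server, every error message names what was expected (with a sample value for the date), and all submitted values are returned so the form can be redisplayed with the user's input intact. The field names, rules and hint texts are assumptions for illustration.

```python
import re
from datetime import datetime

# Deliberately simple e-mail shape check: something@something.something
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def _is_email(value):
    return bool(EMAIL_RE.match(value))


def _is_date(value):
    # Accept only the documented format; the hint below shows an example.
    try:
        datetime.strptime(value, "%Y-%m-%d")
        return True
    except ValueError:
        return False


# field -> (required?, validator, what the user is told is expected)
RULES = {
    "name":    (True,  lambda v: len(v) >= 2,  "at least 2 characters"),
    "email":   (True,  _is_email,              "an address like name@example.com"),
    "date":    (False, _is_date,               "a date in the form 2024-03-31"),
    "message": (True,  lambda v: len(v) >= 10, "at least 10 characters"),
}


def validate_contact_form(submitted):
    """Validate the POSTed fields on the server, never trusting the browser.

    Returns (errors, values). `errors` maps each bad field to a message that
    says what was expected; `values` holds every submitted value (stripped),
    including the wrong ones, so the form can be refilled for correction.
    """
    values = {f: str(submitted.get(f, "")).strip() for f in RULES}
    errors = {}
    for field, (required, ok, hint) in RULES.items():
        value = values[field]
        if not value:
            if required:  # an empty form must not be reported as "sent"
                errors[field] = f"{field} is required; expected {hint}"
            continue
        if not ok(value):
            errors[field] = f"{field} is not valid; expected {hint}"
    return errors, values
```

Only when `errors` is empty should the handler send the e-mail or write to the database; otherwise it re-renders the form from `values` and shows the messages next to the fields.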
What about form abuse? The most frequent case is that a "hacker" sets up a script that fills in the form thousands of times with whatever data, which results in thousands of spam e-mails being sent to the user and/or traffic congestion on the server, and the like. The problem can be solved by adding a security code (the so-called "Captcha"). In addition to the usual data the user must enter to fill in the form, they are asked to enter a code shown in a picture that is made deliberately hard to read. Scripts and programs find this text impossible (or very difficult) to read, so they will not be able to post, and only a human visitor can submit the form successfully. The protection is not 100% effective, but it is quite useful.
Writing to a database, however, should be taken very seriously, because forms are the most frequently used way of hacking a site.
It is not rare that a user has to fill in the same form again and again. Their name, address and phone number will always be the same, but they will have to enter them again and again. Isn't it easier to save all the data that is not likely to change and fill it in automatically the next time the form appears? Oh, that would be great, but is it possible? This can be done by storing the data in so-called "cookies" on the user's PC.
