Prevent Paste

[GarryJones]

I found this handy little script on the net that means the user can
only press backspace or numbers in form input.

<script type="text/javascript">
function numbersonly(e){
var unicode=e.charCode? e.charCode : e.keyCode
if (unicode!=8){ //if the key isn't the backspace key (which we should
allow)
if (unicode<48||unicode>57) //if not a number
return false //disable key press
}
}
</script>

<form>
<input type="text" size=18 onkeypress="return numbersonly(event)">
</form>

It works, but it's not foolproof.

2 issues with this code.

1) Can I stop a user from accessing my website if he/she is not using
javascript?

2) Can I prevent a user from breaking the code and entering other
stuff by placing the cursor in the box and pressing ctrl+v (paste)

Any help greatly appreciated

Garry Jones
Sweden

 

[Gregor Kofler]

GarryJones meinte:

1) Can I stop a user from accessing my website if he/she is not using
javascript?
No.

2) Can I prevent a user from breaking the code and entering other
stuff by placing the cursor in the box and pressing ctrl+v (paste)

Even if: One could always deactivate js before entering and activate it
afterwards again.

Any help greatly appreciated

Don't rely on client-side validation.

Gregor

 

[David Golightly]

I found this handy little script on the net that means the user can
only press backspace or numbers in form input.

<script type="text/javascript">
function numbersonly(e){
var unicode=e.charCode? e.charCode : e.keyCode
if (unicode!=8){ //if the key isn't the backspace key (which we should
allow)
if (unicode<48||unicode>57) //if not a number
return false //disable key press}
}

</script>

<form>
<input type="text" size=18 onkeypress="return numbersonly(event)">
</form>

It works, but it's not foolproof.

2 issues with this code.

1) Can I stop a user from accessing my website if he/she is not using
javascript?

2) Can I prevent a user from breaking the code and entering other
stuff by placing the cursor in the box and pressing ctrl+v (paste)

Any help greatly appreciated

Garry Jones
Sweden

The rule of thumb is: attempting to use JavaScript for page security
is futile. Just install Firebug and play around with its JavaScript
console and the HTML editor and you'll quickly see how easy it is for
someone, even WITH javascript enabled, to tamper with your page. In
the browser, about the only thing JavaScript is good for is to enhance
usability and responsiveness. You can never write a script that is
100% effective in prevent users from a) viewing your page's source
code, b) finding the URL for an image on your page, c) preventing a
user from entering values in a textbox that you don't want, or
submitting them in a form, etc. etc. etc. To sum up, it's not even
worth trying to use JavaScript to protect against a malicious user.
For that, you always need a server-side solution that sanitizes
submitted data, etc. Front-end code is always trivially breakable.
So to answer your two questions, you can't 1) ensure that having
JavaScript enabled will give you, the developer, MORE security in the
page, and 2) prevent a user from breaking your client-side code. Not
possible, never been done.

-David

 

[Evertjan.]

GarryJones wrote on 29 sep 2007 in comp.lang.javascript:

I found this handy little script on the net that means the user can
only press backspace or numbers in form input.

<script type="text/javascript">
function numbersonly(e){

var unicode=e.charCode? e.charCode : e.keyCode

var unicode = e.charCode||e.keyCode

seems simpler.

if (unicode!=8){ //if the key isn't the backspace key (which we should
allow)
if (unicode<48||unicode>57) //if not a number
//disable key press

return unicode==8 || (unicode>47 && unicode<58);

However this is impolite because it will confuse blind typing,
and make users go away from your website never to return.

}
}

what is the second } doing here?

</script>

<form>
<input type="text" size=18 onkeypress="return numbersonly(event)">
</form>

It works, but it's not foolproof.

2 issues with this code.

1) Can I stop a user from accessing my website if he/she is not using
javascript?

It seems the user IS on your website if the user is on your page.

Clientside code can prevent nothing.

2) Can I prevent a user from breaking the code and entering other
stuff by placing the cursor in the box and pressing ctrl+v (paste)

Eh? Why are you interfering with the user.

A simple solution if you do not want to have the user on your website,
is not to put your website on the web.

But then perhaps it should not be called a website at all,
wouldn't you think?