Most input text boxes take in only standard parameters, like type, name, id, size. most people forget that the size attribute is different from the maxlength property. When size is specified, the length of the text is not limited, but only the size of the box. In order to specify the length of data, you may need to specify the maxlength property. Lets deal it in real time with a example. Try entering your name or email address in the text boxes.

The text box below is built using the code <input size=”25″ type=”text” />

The text box below is built using the code <input size=”25″ maxlength=”5″ type=”text” />

You could have noticed that you cannot enter more than five characters in the second box. You should use maxlength attribute, where you know the length of data before hand, for instance, telephone number. But there are more than these fields, when you are supposed to use this feature, Read on for more.

Assume a normal user and password form, where the form data is submitted to another page in the server using the form action attribute. The full code is shown here.

<HTML>
<BODY>
Please enter your user name and password,
and click on submit.
<FORM METHOD=POST ACTION=”Authenticate.php”>
<TABLE>
<TR>
<TD>UserName </TD>
<TD><INPUT TYPE=”text” NAME=”username”></TD>
</TR>
<TR>
<TD>Password </TD>
<TD><INPUT TYPE=”password” NAME=”password”></TD>
</TR>
<TR>
<TD></TD>
<TD><INPUT TYPE=”submit”></TD>
</TR>
</TABLE>
</FORM>
</BODY>
</HTML>

Just a few routine things about this page1. The method is post, because it involves a password.

2. I have used a table, so that i do not have to take care of alignment. using tables in normal HTML pages is no longer welcome. You must use a <div> and use CSS to control the alignment.

In the above form, the user is not limited to any sort of data length in the username field and lets see how this can be exploited.

Please enter your user name and password,
and click on submit.

The following server page may use a normal PHP get method to get the user name and display the same along with a welcome. Like the code as shown below.

<h1> Hi <?php echo $_REQUEST [’username’] ?>,</h1>

Now whatever the user enters in the username field is output as such in the server page. Gear on..

Whats if the user enters the following value? Please enter your user name and password,
and click on submit.

This could effectively mean passing code to be executed on your server, that primarily depends on how your authentication process works. It is more notable that server side component code like <?php // some code ?> can also be embedded inside a script tag. The next posts details on how to restrict the user from playing with your server code.