Home/ Questions/Q 3390982
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-18T03:45:12+00:00

By cleaned I mean formatting inputs such as a1b2c3 into A1B 2C3 or 5551234567

  • 0

By “cleaned” I mean formatting inputs such as “a1b2c3” into “A1B 2C3” or “5551234567” into “(555) 123-4567”. I figure we have few options:

  1. As the user is typing. For instance, when a user is typing a postal code, all letters are instantly capitalized, or after the user types 3 digits of a phone number, it puts brackets around them.
  2. When the field loses focus.
  3. Never. Formatting happens on the server-side only, just before it is inserted into the DB. The user never gets to see how it was formatted unless it is displayed on the site somewhere.
    (3b) If there were form errors, or on the confirmation page. If there are form errors and the form needs to be re-displayed, the formatting on the valid inputs will appear, or if you have a confirmation page (are these inputs correct?) they will show there.
  4. Never ever. Data should be dumped into the database as-is and only formatted in the template/view just before it is displayed back to the user.

What do you think? I think I like (2). Reminds me of how code-formatting works in Visual Studio (happens when you close a brace or type a semi-colon).

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    I like to either filter the field just after it loses focus (when it is critical that the field be formatted correctly before they move on to the next field – which is rarely), or I filter the field content as soon as the user hits the “SUBMIT” button (or whatever you want to call it) to send the data to the server.

    This has a few advantages for me:

    1. The user’s input is not interrupted with annoying “auto-corrections” – being auto-corrected can sometimes feel like demonic possession if it is not done well.

    2. The user really neither cares, nor needs to know that you do not want the (,), or -, in your phone number field… so take it out quietly for them. No notes, or instructions needed.

    3. Also, I ALWAYS filter the field values anyway to protect against any kind of code-injection attacks (which are alarmingly easy to pull off if you know what you are doing). I have read about entire databases being compromised because the author did not remove potential SQL markup from submitted data…. it makes me shudder.

    4. It also allows me to check for ALL input errors (if any), or non-filled-out required fields and report a single set of issues to the user at a single time… I have been to sites that give you so many messages while filling out a form it feels a bit like having a nagging relative over your shoulder.

    • 0