I recently received a feedback from a colleague about my source code of a website. He says that it is a bad practice to not handle gracefully what visual interface does not allow to do.

Since it’s not very clear, here’s an example.

Let’s say a visitor can comment something.

• A comment is saved into a database, in a nvarchar(500) column.
• The <input /> field length is limited to 500.

But, of course, nothing forbids to a more advanced user to disable the length limit and to type 501 character.

(Other examples: submitting an option which does not even exist in a <select />. But there is a graceful error when the user is asked to enter a number, and she enters a non-number instead, since keypress events are controlled through JavaScript, and JavaScript may be disabled)

If the visitor does so, there would be a failure on code contracts level. The AJAX request would fail with an unexpected error (or, on page submit, there will be an unexpected error). In all cases, the visitor will see that something wrong happened, but will have no graceful message indicating that the length of the submitted comment is too long.

Why is it bad practice? Why would I bother to design clear and explicit error messages for the cases where the visitor who uses correctly the website will never have?

Note: I understand that it sucks to display a .NET Framework detailed error and a stack trace when something like this happens. If I do so, it’s a serious security issue. But in my case, there is just an AJAX response with something very generic or a redirect to a generic page with the apologizes about an error.