Verifying User Input

A form on a web page collects information from your visitors who fill out that form. If you validate the individual fields (as you should) then you can determine whether or not the information that is provided for the individual fields appears to be valid for the particular field type. Validation for example will determine if what your visitor enters into an email field looks like a valid email address. With the appropriate validation you can determine if the email address entered complies with the standards as to what is allowed to be in an email address.

This means that after validating all of the fields in your form you have a collection of data that reasonably could belong to someone. By validating you get rid of those values that are not possible because they are not reasonable values for anyone to have. For example, people's names only contain letters of the alphabet, spaces, and a very small number of punctuation characters such as apostrophes and hyphens. Having a number or a linefeed character in a name field is not valid and if someone were to enter one of those characters then obviously what they have entered isn't their name. Similarly an email address can only have a domain name or IP address after the @ and since neither of these can contain spaces, a space anywhere after the @ means that what they have entered isn't an email address.

Validating the fields tells you that what they have entered could belong to someone. Two things the validation doesn't tell you are whether the values entered actually exist and whether or not they belong to the person filling out the form. Assuming that the person filling out the form is trying to provide the correct information there is still the possibility of their making a typographical error in what they typed in such that while the information entered is still valid, it isn't the correct information. For example someone attempting to type in their email address as might have accidentally typed through having slightly missed the 'e' key and hitting the adjacent 'r' key instead. As a result you have a valid email address but one which is not correct.

We can't resolve these potential typo issues using validation. What we need to do instead is to get the person filling out the form to verify that what they have typed in is correct. Now you might think that people will check what they typed in before submitting it but this isn't always the case. It is also possible that small typos in the form content could be overlooked by those that do actually review what they typed before submitting.

Some users partly resolve this for themselves by having their browser (or a browser add-on) remember all of their most commonly entered data for them so that they can have common form fields filled out automatically with data they know is correct. Not everyone does this though so you can't rely on user data being typo free.

The way to get your visitors to check what they entered is to ask them to. To do this, redisplay the data they entered, after they submit the form, in a different layout from how they entered it. On this page you provide two options so that they can either confirm that what they have entered is correct or return to the form to make corrections that they have spotted now that their data is being displayed differently. Your visitors are far more likely to spot a typo in what they typed in when you rearrange the way their information is displayed. They are also far more likely to actually check what they typed in if you actually ask them to check it and redisplay it without the form so they can more easily see what they typed in.

The more information you are asking them to enter the more useful this step becomes. If you want them to enter information in forms on several pages it is not necessary to have them perform this check after entering each page, a single request at the end showing everything they entered is sufficient.

Of course in doing this you are still relying on your visitor to check what they entered. If they ignore your request to check and simply submit the information anyway then you may still end up with data that is valid but still incorrect. For most fields there is little you can do about that until such time as you actually try to use the information and find that it doesn't work, for example by trying to send an email and having it bounce back because the email address doesn't exist. At least you know that you tried to ensure that they entered things correctly.

Of course it is also possible that someone might deliberately enter incorrect but valid data. There isn't much you can do about that either until you try to use the information.

Where you need to know for certain that specific fields that they entered are correct then the only way to make sure of that is to use the information. The easiest field to check is an email address since all you need to do to verify for certain whether it really belongs to the person who entered it is to send them an email to ask them. Simply include a link in the email for them to click on to confirm that they received the email and were the person who filled out the form in the first place. In the page the link goes to you can simply update the information you have recorded about them to indicate that the email address has been verified as belonging to the person who filled out the form.
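
The confirmation-link step described above, as an added example that is not code from the original article. The `EmailVerifier` class, the in-memory store standing in for a database, the 24-hour link lifetime and the `example.com` URL are all assumptions made for illustration.

```python
import hashlib
import secrets
import time

TOKEN_TTL = 24 * 3600                      # assumed link lifetime, in seconds
BASE_URL = "https://example.com/confirm"   # placeholder confirmation page


class EmailVerifier:
    """Issues single-use confirmation links and records verified addresses."""

    def __init__(self):
        # Stand-in for a database table: token hash -> (email, expiry time).
        self.pending = {}
        self.verified = set()

    @staticmethod
    def _digest(token):
        # Only a hash of the token is stored, so a leaked table cannot be
        # turned back into working confirmation links.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue_link(self, email, now=None):
        """Create the link to include in the email sent to `email`."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # unguessable random value
        self.pending[self._digest(token)] = (email, now + TOKEN_TTL)
        return f"{BASE_URL}?token={token}"

    def confirm(self, token, now=None):
        """Handle a click on the link; return the verified email or None."""
        now = time.time() if now is None else now
        # pop() removes the record, so each link works at most once.
        record = self.pending.pop(self._digest(token), None)
        if record is None:
            return None                    # unknown or already-used token
        email, expires = record
        if now > expires:
            return None                    # link is too old
        self.verified.add(email)           # mark the address as verified
        return email
```

Because the token is random and never derived from the address, only someone who can read mail sent to that address can complete the confirmation.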

One thing that some sites do that does not help to verify user input and which just serves to annoy visitors is to ask them to enter the same information twice. Very few will actually type the information in twice. Either both fields will be filled in automatically from the standard information they have told their browser to use or they will simply copy the value from the first field to the second field (including any typos it may contain). Alternatively, if they understand how pointless such field duplication is then they will simply decide that you are stupid and move on to a different site.

The one place where duplicating fields makes sense is with entering a new password. Here you can't see what you typed in the first field to verify it and you can't copy and paste so entering the value twice is the only way to ensure that you didn't make a typo. New passwords are also something that shouldn't be displayed in plain text on a verification page.


This article written by Stephen Chapman, Felgall Pty Ltd.
