I was casually looking through the database (as you do) for my side project The Chubby Challenge yesterday when I noticed something odd. The latest challenge to be created had a blank end date, something that you are not supposed to be able to do.
I immediately went to my test site to see if I could reproduce the issue and what I found was that even though you are supposed to select a date using a date picker you can still type something, anything, into the associated edit control. I guess that this is precisely what the user had done, ignoring the drop down date picker. If what was entered wasn’t a valid date then the challenge end date would be set to null.
My initial reaction was to disable the text field but the associated date picker only appears when the associated text field gets focus, so that was out.
Next I looked at validating what was entered in the text field to ensure that it was a valid date. This took me a while to get my head around but eventually got it working but I found that entering something that wasn’t a properly formatted date in the field cause the date picker not to work correctly.
So I decided to prevent the user typing in the field and even this took me two goes. I first tried using an onKeyPress event but quickly found that this still allowed you to paste text into the field and press the delete key, not what I was wanting. A switch to onKeyDown resolved this and gave me exactly what I was looking for.
The final piece in the jigsaw is to implement a valid date check on the server side too to ensure that someone doesn’t try and circumvent the javascript.
Conclusion? No matter how much testing you do a user will always find something that you haven’t thought of. Software is never finished.