Should I set a maxlength for my inputs or not

  • Resolved Guido

    (@guido07111975)


    Hi,

    I have multiple plugins that have input fields in both frontend and backend. Such as a contact form, plugin settings page and a widget.

    I want to control user input, so am using the maxlength attribute for every input field. For regular text inputs 500 characters, for example.

    Why? I don’t want users to submit massive text blocks that might break the form or pollute the database.

    On the other hand, I don’t see many plugins that do the same, and also WP dashboard doesn’t set a maxlength on inputs, as far as I know.

    So, what’s best practice.. or what are your thoughts about this? Just curious..

    Guido

Viewing 6 replies - 1 through 6 (of 6 total)
  • catacaustic

    (@catacaustic)

    “Best practice” will depend on what the data is meant to be. As an example, a person’s name is highly unlikely to ever go over 100 characters, but a question or request can be 1,000s of characters long.

    It also depends on how it’s stored. If the plugins are storing the values in the database as VARCHAR fields, then they’ll only ever store 256 characters anyway.

    To be honest, I think the only question that you have to ask is why you want to limit this? I don’t think that “polluting” the database holds water because it’s just a record. Storage is pretty cheap these days, so if your database gets to a point of needing to be upgraded thanks to the number of form submissions you have, you should be thinking that you’re lucky to have such a popular site!

    Not sure if it’s a “best practice” but my professional opinion is that using maxlength makes sense when the kind of data you’re accepting has an actual upper limit, e.g. a credit card number, a YYYY-MM-DD date, an ISO 3166-1 alpha-2 country code, etc. I’d caution against putting maxlength on fields like name, address, comment, etc. as edge cases are more common than you think. For example, my full name is 26 characters long which doesn’t fit in many forms!

    Please also bear in mind that it’s important to validate input on the server as users can bypass attributes like maxlength if they want to.
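
The server-side check recommended in the reply above, as an added example that is not part of the thread: it re-validates a `YYYY-MM-DD` datepicker value and a length-capped text field regardless of what the form's `maxlength` allowed. The `myplugin_*` function names, the `event_date` and `message` field names, and the 500-character cap (borrowed from the original post's example) are assumptions.

```php
<?php
// Added example, not code from the thread. Function names, field names and
// the 500-character cap are assumptions made for illustration.

/**
 * Validate a datepicker value on the server: exactly YYYY-MM-DD and a real
 * calendar date. Returns the clean string, or WP_Error if the request
 * carried anything else (for example, because maxlength was bypassed).
 */
function myplugin_validate_date( $raw ) {
	// sanitize_text_field() returns '' for arrays/objects, so event_date[]=x fails below.
	$value = sanitize_text_field( wp_unslash( $raw ) );
	if ( ! preg_match( '/\A(\d{4})-(\d{2})-(\d{2})\z/', $value, $m ) ) {
		return new WP_Error( 'invalid_date', 'Date must be in YYYY-MM-DD format.' );
	}
	if ( ! checkdate( (int) $m[2], (int) $m[3], (int) $m[1] ) ) {
		return new WP_Error( 'invalid_date', 'Date does not exist.' );
	}
	return $value;
}

/**
 * Enforce a character cap on free text on the server. Over-long input is
 * rejected with an error instead of being silently truncated.
 */
function myplugin_validate_text( $raw, $max_chars = 500 ) {
	$value = sanitize_textarea_field( wp_unslash( $raw ) );
	// Count characters, not bytes, so multibyte names and text are measured fairly.
	if ( mb_strlen( $value, 'UTF-8' ) > $max_chars ) {
		return new WP_Error( 'too_long', sprintf( 'Text is limited to %d characters.', $max_chars ) );
	}
	return $value;
}

/**
 * Form handler sketch. Nonce and capability checks are assumed to have
 * run before this point and are not shown.
 */
function myplugin_handle_submission() {
	$date = myplugin_validate_date( isset( $_POST['event_date'] ) ? $_POST['event_date'] : '' );
	$text = myplugin_validate_text( isset( $_POST['message'] ) ? $_POST['message'] : '' );
	foreach ( array( $date, $text ) as $result ) {
		if ( is_wp_error( $result ) ) {
			wp_die( esc_html( $result->get_error_message() ), '', array( 'response' => 400 ) );
		}
	}
	// $date and $text have passed validation and can be stored from here.
}
```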

    Guido

    (@guido07111975)

    Hi guys,

    Many thanks for your replies and thank you for your insights.

    @noisysocks – The only “non-default” fields I use are datepicker fields, so will keep the max-length for them (10 characters). I sanitize/escape everything, so that’s been taken care of 😉

    @catacaustic – I use the native features such as the Widgets API and Settings API and I don’t know how they store data. Guess they don’t use VARCHAR fields.

    But I have decided to remove all maxlength attributes again, except from the datepickers. Thanks again.

    Guido

    Moderator bcworkz

    (@bcworkz)

    Hiya Guido — FYI Settings and Widget APIs store data in options, whose value field is type longtext. Settings are saved as individual values. Widget data is saved in serialized arrays. Longtext is limited to 4GB of data each! One really has to try to hit that limit.

    Inquiring minds want to know. Even if it doesn’t matter 🙂

    Guido

    (@guido07111975)

    Hi BC!

    Thanks for the info!
    Guess you also advise against the use of a maxlength except when it’s useful (such as my datepicker fields)?

    Guido

    Moderator bcworkz

    (@bcworkz)

    Yes, I concur. There’s no good reason to restrict length, except when there is a good reason 🙂
