If I set the maxlength on an input box on my form to:

```html
<input type="text" name="firstname" size="35" maxlength="15">
```

Is there a way a hacker or user can get around it? The reason I ask is because I have:

```php
if (!preg_match('/^[a-z0-9]{5,15}$/i', $username))
```

in my validation. Can I leave out the 15 in this because I have my maxlength set on my form?
No, you should leave the max length regex because forms are the easiest thing to spoof. Anyone could copy your source, remove the max length tag, and post to your page, so it's always best to have server-side checks too.
Yes, you have to verify ALL input on the server side. Never on the client's side. Don't ever trust the user.
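You can just use:

```php
<?php
// Treat a missing or non-string (array) field as empty so strlen() is safe
$value = isset($_POST['var']) && is_string($_POST['var']) ? $_POST['var'] : '';
$var = strlen($value); // counts the characters (bytes)
if ($var > 15) {
    echo "Too Long";
}
?>
```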
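A server-side validator for the username rule discussed in this thread, as an added example that is not part of any poster's reply. The function name `username_error` and the sample values are constructed for illustration, and it assumes PHP 8.0 or later.

```php
<?php
declare(strict_types=1);

// Server-side check for the thread's username rule: 5-15 ASCII letters or digits.
// Returns null when valid, otherwise a short reason. (Hypothetical helper.)
function username_error(mixed $raw): ?string
{
    // A request can carry username[]=x, which PHP parses into an array.
    if (!is_string($raw)) {
        return 'missing or not a string';
    }
    // Cheap length gate first; maxlength="15" in the HTML does not bind the sender.
    if (strlen($raw) > 15) {
        return 'too long';
    }
    // \A and \z anchor the whole string. With a plain "$" and no D modifier,
    // PCRE would also accept a value ending in "\n".
    if (preg_match('/\A[a-z0-9]{5,15}\z/i', $raw) !== 1) {
        return 'must be 5-15 letters or digits';
    }
    return null;
}

// Constructed sample inputs: values a hand-built request could carry.
$samples = [
    'valid name'       => 'alice01',
    'over maxlength'   => str_repeat('a', 40),
    'too short'        => 'abc',
    'trailing newline' => "alice01\n",
    'array parameter'  => ['alice01'],
    'field absent'     => null,
];

foreach ($samples as $label => $value) {
    $error = username_error($value);
    printf("%-17s => %s\n", $label, $error ?? 'ok');
}

// In a form handler: username_error($_POST['username'] ?? null)
```

Only the first sample is accepted; the trailing-newline case is the one the original `^...$` pattern would let through.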