Unsafe!
I was browsing the CBC.ca website the other day and found an article about Canadian universities which compelled me to leave a comment, so I clicked on the handy “sign up to comment” button. Things went downhill from there.
Apparently every time I tried to submit my information it was considered “unsafe” and it would return me to the sign up screen to fill in all my information without telling me exactly what it was I was doing wrong. I went through the signup page 3 times before I realized what was happening. CBC.ca was filtering the form input, a common practice for protecting a database from an SQL injection attack, but instead of removing or encoding the offending characters they were just rejecting the input with no feedback.
For those unfamiliar with databases: the & (ampersand), along with a few other characters, has a special meaning in certain contexts, so many sites treat it as dangerous on sight. Strictly speaking, the characters that matter for SQL injection are the single quote, the semicolon and the comment sequence; the ampersand is special in URL query strings and HTML rather than in SQL. Either way, the right fix is to hand user input to the database as a bound parameter and to encode it when it is displayed, not to refuse it outright.
This makes sense to protect against someone trying to compromise the database, but what about someone who was just trying to say that the very excellent Quirks & Quarks hosted by Bob McDonald is their favorite CBC radio show? How many people would actually realize what was going on?
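To make the difference concrete, here is an added example (my own illustration, not CBC.ca's code; the character blacklist, the comments table and the sample inputs are assumptions made up for the demo). It contrasts a reject-on-sight filter, which bounces “Quirks & Quarks” without saying why, with storing the same text through a bound parameter and HTML-encoding it on output, which keeps the ampersand and neutralizes an injection attempt at the same time:

```python
import html
import sqlite3

# Constructed sample inputs (assumption: not real CBC.ca form data).
FAVORITE_SHOW = "Quirks & Quarks"
INJECTION_ATTEMPT = "x'); DROP TABLE comments; --"

# Assumed blacklist of the kind a reject-on-sight filter might use.
BLACKLIST = set("&'\";<>-")


def naive_reject(value: str) -> bool:
    """The pattern described in the post: accept the input only if it contains
    none of the blacklisted characters, with no hint about which one tripped it.
    Returns True if the input would be accepted."""
    return not any(ch in BLACKLIST for ch in value)


def open_db() -> sqlite3.Connection:
    """In-memory database with a single constructed comments table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT NOT NULL)"
    )
    return conn


def store_comment(conn: sqlite3.Connection, body: str) -> int:
    """Store arbitrary text safely: a bound parameter is always data, never SQL,
    so quotes, semicolons and comment markers cannot change the statement."""
    cur = conn.execute("INSERT INTO comments (body) VALUES (?)", (body,))
    conn.commit()
    return cur.lastrowid


def render_comment(conn: sqlite3.Connection, comment_id: int) -> str:
    """Encode on output for the context the text lands in (HTML here), so the
    ampersand survives storage and cannot be misread by the browser."""
    (body,) = conn.execute(
        "SELECT body FROM comments WHERE id = ?", (comment_id,)
    ).fetchone()
    return f"<p>{html.escape(body)}</p>"


def table_names(conn: sqlite3.Connection) -> list:
    """List tables, to show the injection attempt did not drop anything."""
    rows = conn.execute("SELECT name FROM sqlite_master WHERE type = 'table'")
    return [r[0] for r in rows]


if __name__ == "__main__":
    print(naive_reject(FAVORITE_SHOW))  # legitimate text bounced
    conn = open_db()
    for text in (FAVORITE_SHOW, INJECTION_ATTEMPT):
        cid = store_comment(conn, text)
        print(render_comment(conn, cid))
    print(table_names(conn))  # the comments table is still there
```

Run as-is: the filter rejects the radio show's name outright, while the parameterized insert stores both strings verbatim, the rendered output shows “Quirks &amp; Quarks”, and the comments table survives the attempted DROP.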
I’ll add this to my list of things not to do when designing a website…