Simple script failure
Philip M
03-18-2003, 07:50 AM
I have a form containing:-
<p align="center"><font color="#FF0000" size="3" face="Arial"><b>Please
enter your name in this box:-</b></font></p>
<div align="center"><center><table border="6" width="30%">
<tr>
<td align="left"><input type="text" size="36" maxlength="36"
name="CustomerName" onblur="this.value=this.value.toUpperCase(); saveValue(this)">
</td> </tr>
</table>
</center></div>
A customer has managed to submit a form with his name still in lower case. Apparently all the other script validations in the form have worked correctly.
Any ideas how this can have occurred, please? Is there some new browser out there which is quirky about JavaScript? Another customer managed to submit a form with not only his name in lower case but with other entries not properly validated as well.
glenngv
03-18-2003, 08:25 AM
don't rely on javascript to make the customer name all uppercase since this can be easily hacked by typing this in the address bar:
javascript:document.forms[0].CustomerName.onblur=null;
as a rule, you ALWAYS need to validate on the server-side for safety, even if you have client-side validation.
Philip M
03-18-2003, 07:11 PM
Thanks, Glenn. I did not know that, and I very much doubt if my customers do either!
Could you say - is there any way that a user can somehow bypass a prompt or confirm box? In any browser, old or new?
arnyinc
03-18-2003, 09:45 PM
A user could turn off javascript altogether and bypass all alert or confirm boxes. If they are absolutely vital, there is usually a way to make sure the user can't proceed without having javascript enabled. The obvious drawback is that some people may not be able to use your site properly.
glenngv
03-19-2003, 06:08 AM
...or the user can make a custom page without validation and submit it to yours.
and javascript can be bypassed even if you don't turn it off. that's why server-side validation is very important.
Roy Sinclair
03-19-2003, 03:14 PM
I'll add to the chorus here. Client side validation is good and helpful for the client if it assists them in filling out the form, but server side validation is mandatory. Client side validation can be disabled or overridden by accident or deliberately.
Never trust data as entered by the users, always validate it or your database will eventually be filled with garbage. I'm working right now on a project where end users entered a lot of data into a standalone database that did almost no validation, and as I try to attach it to other databases that can validate that data I'm finding I have to correct a huge amount of typos and other problems that simply never should have been allowed in the first place.
Never write data to your database until you can be sure it's good.
Philip M
03-19-2003, 07:11 PM
Thanks again for the information. In fact there is no database involved - just an order form which the customer submits via formmail.pl.
Most of the "validation" simply formats the input to make it look prettier - e.g. USA and not usa, My Address Road and not my address road etc. Credit card start/end dates are validated, i.e. start date to be not after and end date to be not before this month. Also credit card numbers are validated according to the Luhn system.
While I am sure that all sorts of trickery can be performed by geeks, my customers are not computer experts - typically they are middle-aged train buffs! But every so often one of them seems to be able to slip around the scripts and submit a form which is not properly "validated". I do realise that they can (unknowingly??) turn JavaScript off, but I doubt if most of them would know how to do this. Possibly old browsers are the culprit.
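The thread's point is that every check in the form's JavaScript has to be repeated where the user cannot switch it off. As an added example, not code from the thread or from formmail.pl, here are the checks Philip describes (upper-casing the name, the Luhn test, and the start/end month rule) written as plain server-side functions; the field names, the MM/YY date format and the `now` parameter are assumptions.

```javascript
// Added example: server-side re-validation of the order form fields.
// Field names, the MM/YY format and the `now` argument are assumptions.

// Luhn check on a card number; spaces and other non-digits are stripped first.
function luhnValid(number) {
  const digits = String(number).replace(/\D/g, "");
  if (digits.length < 12) return false;
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = Number(digits[i]);
    if (double) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// Parse "MM/YY" into a comparable month index (year * 12 + month), or null.
function monthIndex(mmyy) {
  const m = /^(\d{2})\/(\d{2})$/.exec(mmyy || "");
  if (!m) return null;
  const month = Number(m[1]);
  if (month < 1 || month > 12) return null;
  return (2000 + Number(m[2])) * 12 + month;
}

// Validate and normalise one submission regardless of what the browser did.
// `now` is {year, month} so results are deterministic; a real server would
// pass the current month. Returns the errors and the normalised fields.
function validateOrder(fields, now) {
  const errors = [];
  const thisMonth = now.year * 12 + now.month;
  // Upper-casing is redone here; the onblur handler may never have run.
  const name = String(fields.CustomerName || "").trim().toUpperCase();
  if (!/^[A-Z][A-Z .'-]*$/.test(name)) errors.push("CustomerName");
  if (!luhnValid(fields.CardNumber)) errors.push("CardNumber");
  const start = monthIndex(fields.StartDate);
  const end = monthIndex(fields.EndDate);
  if (start === null || start > thisMonth) errors.push("StartDate");
  if (end === null || end < thisMonth) errors.push("EndDate");
  return { ok: errors.length === 0, errors, normalized: { ...fields, CustomerName: name } };
}
```

A submission that arrives with the name still in lower case is simply normalised again here, and one with an out-of-range start month is rejected rather than being emailed on.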