Regarding your questions about validation, I’d recommend/expect at least the same basic level of server-side validation that is (or should be) typical on non-WP PHP forms. My projects are increasingly subject to 3rd-party security assessment and penetration scans prior to deployment, which is why I may be a bit hypersensitive on this issue: seeing my JavaScript make it from the form into a SF campaign (although granted, it appears to be entity-escaped and thus not executable) was a bit of a shocker when coming from a Contact Us form, where there should be no reason to retain <script> tags (even this coder-oriented forum requires special handling to retain escaped code snippets in posts).
Anyway, basics would include:
– min/max character length allowed in textfield entries
– numeric-only, min/max value, auto-strip commas/dollar signs
– currency/decimal-place enforcement
– a North American phone number format (XXX) XXX-XXXX would at least cover the largest % of uses
The ability to use custom regular expressions for validation would go a long way for serious coders (although not very comprehensible for typical WP users).
Regarding methods of implementing server-side form field validation in WP — without having peeked ‘under the skirt’ to see how the current plugin actually works, I’d probably do the initial POST back to my script where all necessary validation can be performed, and re-display the form with error messages and sanitized field contents on error. If the POST passes validation I’d RESTfully POST the validated content to SalesForce using cURL or HTTP_Request2/GetURL2 (the guts of which I’ve found can be fairly easily integrated into projects and used without having to be installed as PEAR extensions in the hosting environment).
Or, server-side validation can be performed quite elegantly without a POST/page refresh via AJAX (jQuery’s AJAX methods make that a lot less of a challenge than it used to be).
Client-side validation is less-risky if WP’s nonce feature is implemented to prevent forged POSTs that would otherwise bypass any client-side validation, but I’d still consider client-side validation as pre-validation to reduce network traffic/server-load — not as a replacement for server-side validation.
Anyway, Nick, thanks for providing me with this soapbox (‘probably sounds like I’m on step 14 of a 12-step program ;o)
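The server-side checks listed in the post (min/max length, numeric with stripped commas/dollar signs, decimal-place enforcement, North American phone format) together with the nonce check and escaped re-display, as an added PHP example; this is not the plugin's code or the poster's, and the form field names (`name`, `amount`, `phone`, `message`, `contact_nonce`) and the nonce action `contact_form` are assumptions:

```php
<?php
// Added example: server-side validation of a Contact Us submission before
// anything is forwarded to Salesforce. Field names are assumed.

function validate_length(string $value, int $min, int $max): ?string {
    $len = mb_strlen(trim($value));
    if ($len < $min) return "must be at least $min characters";
    if ($len > $max) return "must be at most $max characters";
    return null;
}

// Strips commas, dollar signs and spaces, then enforces a numeric value in
// [$min, $max] with at most $decimals decimal places. Returns the normalised
// number, or null with $error set.
function validate_amount(string $value, float $min, float $max, int $decimals, ?string &$error): ?string {
    $clean = str_replace([',', '$', ' '], '', $value);
    if ($clean === '' || !preg_match('/^-?\d+(\.\d+)?$/', $clean)) {
        $error = 'must be a number';
        return null;
    }
    $num = (float) $clean;
    if ($num < $min || $num > $max) {
        $error = "must be between $min and $max";
        return null;
    }
    $parts = explode('.', $clean);
    if (isset($parts[1]) && strlen($parts[1]) > $decimals) {
        $error = "must have at most $decimals decimal places";
        return null;
    }
    $error = null;
    return number_format($num, $decimals, '.', '');
}

// Accepts common North American spellings (with or without a leading 1)
// and normalises to (XXX) XXX-XXXX.
function validate_phone(string $value, ?string &$error): ?string {
    $digits = preg_replace('/\D/', '', $value);
    if (strlen($digits) === 11 && $digits[0] === '1') $digits = substr($digits, 1);
    // Area code and exchange may not start with 0 or 1 in the NANP.
    if (!preg_match('/^[2-9]\d{2}[2-9]\d{2}\d{4}$/', $digits)) {
        $error = 'must be a North American number like (555) 555-1234';
        return null;
    }
    $error = null;
    return sprintf('(%s) %s-%s', substr($digits, 0, 3), substr($digits, 3, 3), substr($digits, 6));
}

function validate_contact_form(array $post): array {
    $errors = [];
    $clean  = [];

    // Reject forged POSTs before looking at any field (WP nonce; only
    // checked when running inside WordPress).
    if (function_exists('wp_verify_nonce')
        && !wp_verify_nonce($post['contact_nonce'] ?? '', 'contact_form')) {
        return ['errors' => ['form' => 'invalid or expired request'], 'clean' => []];
    }

    $name = $post['name'] ?? '';
    if ($e = validate_length($name, 2, 80)) $errors['name'] = "Name $e";
    else $clean['name'] = trim($name);

    $clean['amount'] = validate_amount($post['amount'] ?? '', 0, 1000000, 2, $e);
    if ($e) $errors['amount'] = "Amount $e";

    $clean['phone'] = validate_phone($post['phone'] ?? '', $e);
    if ($e) $errors['phone'] = "Phone $e";

    $msg = $post['message'] ?? '';
    if ($e = validate_length($msg, 1, 2000)) $errors['message'] = "Message $e";
    else $clean['message'] = trim($msg);

    return ['errors' => $errors, 'clean' => $clean];
}

// Values re-displayed on error are escaped on output, so a <script> tag typed
// into a field is shown as text rather than executed.
function field_value(array $post, string $name): string {
    return htmlspecialchars($post[$name] ?? '', ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed sample submission standing in for $_POST.
$sample = [
    'name'    => 'Ada',
    'amount'  => '$1,234.50',
    'phone'   => '555-234-5678',
    'message' => '<script>alert(1)</script>',
];
$result = validate_contact_form($sample);
if ($result['errors']) {
    foreach ($result['errors'] as $field => $msg) echo "$field: $msg\n";
    echo 'message re-displayed as: ' . field_value($sample, 'message') . "\n";
} else {
    // Only the validated, normalised $result['clean'] would be forwarded to Salesforce.
    print_r($result['clean']);
}
```

The same `validate_contact_form()` function can sit behind an AJAX endpoint and return `$result['errors']` as JSON instead of re-rendering the form; the point is that the checks run on the server either way, and client-side checks only cut down on round trips.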