DnR

Reputation: 3507

Is restriction using input maxlength sufficient enough?

Is it sufficient to restrict user input value by setting maxlength only? Let's say I have this code:

    <input type="text" id="foo" maxlength="12">

Is there any possibility that the user can still (in any valid or invalid way) insert a value longer than 12?

When we have set the maxlength, is it useful or useless to validate it once again using JavaScript or maybe at the backend (servlet, etc)?

Upvotes: 3

Views: 1183

Answers (2)

Joseph

Reputation: 119847

> Is it sufficient to restrict user input value by setting maxlength only?

No

> Is there any possibility that the user can still (in any valid or invalid way) insert a value longer than 12?

Yes

> When we have set the maxlength, is it useful or useless to validate it once again using JavaScript or maybe at the backend (servlet, etc)?

You should validate, and preferably on the backend.


That's because you don't necessarily need a browser to pass data to the server. There is other client software, like REST testers, curl, wget, Tamper Data and similar software that can fire requests directly to the server, all of which bypass your maxlength attribute and JS validations.

So if you want fast validation so that the user gets a snappy, interactive response, your maxlength and JS validations do that job. But you should do a second validation when the data is passed to the server, this time for security.

Upvotes: 10
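The second, server-side validation recommended in the answer above, as an added example that is not part of the original answer: a Node.js function that re-checks the 12-character limit on the raw form body, whichever client sent it. The function name `validateFooBody`, the 1024-byte body cap, the status codes and the sample bodies are assumptions made for illustration.

```javascript
// Added example: server-side re-check of the limit that maxlength="12" only suggests.
const MAX_LEN = 12;           // same limit as the maxlength attribute in the question
const MAX_BODY_BYTES = 1024;  // assumed cap for this one-field form

// Validate a raw application/x-www-form-urlencoded body exactly as the server
// receives it. Returns { ok: true, value } or { ok: false, status, error }.
function validateFooBody(rawBody) {
  // Reject oversized bodies before parsing anything.
  if (Buffer.byteLength(rawBody, 'utf8') > MAX_BODY_BYTES) {
    return { ok: false, status: 413, error: 'body too large' };
  }
  // A hand-built request can omit the field or send it several times.
  const values = new URLSearchParams(rawBody).getAll('foo');
  if (values.length !== 1) {
    return { ok: false, status: 400, error: 'foo must appear exactly once' };
  }
  const value = values[0];
  // String length is counted in UTF-16 code units, the unit the HTML
  // specification uses for maxlength, so both sides agree on the limit.
  if (value.length > MAX_LEN) {
    return { ok: false, status: 422, error: `foo is longer than ${MAX_LEN}` };
  }
  return { ok: true, value };
}

// Constructed sample bodies (not captured traffic).
const SAMPLES = {
  browserForm: 'foo=hello+world',              // what the form itself submits
  directClient: 'foo=' + 'A'.repeat(40),       // sent without the browser
  duplicated: 'foo=ok&foo=' + 'A'.repeat(40),  // field repeated
  missing: 'bar=1',                            // field absent
};

// Map each sample to the HTTP status the server would answer with.
function runSamples() {
  const out = {};
  for (const [name, body] of Object.entries(SAMPLES)) {
    const r = validateFooBody(body);
    out[name] = r.ok ? 200 : r.status;
  }
  return out;
}

console.log(runSamples());
```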

user3163213

Reputation: 701

It is all up to you. Choose your datatype allowing only 12 values in the database.

Your job on the client side is done after validation, but the database won't be saving values more than 12.

Upvotes: 1
