What to do if someone tries to add part of a product to a basket? - shopping-cart

If a customer were "silly" (being polite here) enough to try and add, as an example, 4.6 items to their basket, what would you expect to see, or how would you deal with it? Obviously, we only deal with digital quantities (our hacksaw broke last week).
There seems to be a lot of inconsistency across the web.
Amazon Rounds down (4.6->4, 1.3->1)
FireBox Rounds (4.6->5, 1.3->1)
Ebuyer ignores the input (no error)
Expansys removes the item from your basket
I'm assuming some site will show an error
Which is the best solution?

Add JavaScript verification that would remove non-numeric input while the user is typing.
Implement a fallback solution for the situation when JavaScript is off: either display an error message, or round the value but then display a message saying "your input has been adjusted".
ADDED: Also be aware that the character that separates the fractional part from the integer one differs from country to country. In the US I believe it is '.', in Europe it is usually ','. If your application is targeted at customers in different countries with varying number representations, it would make sense to implement support for both characters in your application logic. Otherwise some users will get format error messages without knowing why - non-techie people are often unaware of this format issue.

How about validating the user input and accepting only numeric characters?

One solution would be to bring the incorrect input to the user's attention so they can correct it. Rounding can be too much of an assumption depending on the context.
Displaying an error message next to the amount something like this: "I'm sorry, we cannot supply you with 4.6 items. Please enter a whole number." ...or something along those lines.
Another solution would be to avoid displaying error messages by restricting the input field to only allow valid input, i.e. if you don't want 4.6 items, only allow the user to type 0-9. If the user can't enter incorrect input then there is never any reason to display an error message.

Assuming you're talking about a web app here, you can limit the characters allowed in the input box.
Alternatively, IMO, you could use spinner (+/-) controls to change the quantity.
I believe tesco.com does this.

The best solution according to me would be:
Customer enters: 4.6
Value changes to 5 after submitting (or if 4.4, round it to 4)
A notice is displayed telling the user that only integers are valid and that the system has rounded "your" input (4.6) to 5

One solution would be to inform the user that their selection is invalid when they tab off the edit field that's allowed them to enter the fraction.
A lesser option would be to round (down, unless you're greedy to sell 1 extra item), or to reject the input completely.
The best solution is to prevent fractions in the first place by giving them a slider or spin control to select only whole numbers.

In the end it's always safer to add a server-side check.
So if the input is not an integer value:
I will redirect the user to the same form.
I will set the field with the floor value (4).
I will put on top of the field a message like "This field must be an integer value. Maybe you wanted 4 pieces of this product?"

In my opinion, if your product is a shopping system then it makes sense that the primary goal is to sell some items. Usually customers want to perform as few actions as possible, so the system should predict what the customer could possibly want when typing incorrect input.
Amazon rounds down (4.6->4, 1.3->1) - the best for me, because everything after the decimal point can be destined for some other input;
FireBox rounds (4.6->5, 1.3->1) - as for me, I don't like when someone wants to sell me more than I want to buy, so better 'floor' than 'round';
Ebuyer ignores the input (no error) - then you'll sell nothing and the user needs to enter some values once again;
Expansys removes the item from your basket - terrible, now I need to search for the item in the shop once again;
I'm assuming some site will show an error. - not bad, but it requires the user to retype the value;
I would implement it as Amazon does, plus inform the user that the input was not fully clear and ask him to recheck the value. So if the system guessed right then the user needs to change nothing, but if he mistyped he'll see it immediately.
Also you could log all incidents of this kind and then perform an analysis of what the user typed the first time and what the actual count he bought was. Just for curiosity...
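The server-side check that several answers above ask for (floor the value, keep the customer informed, and accept both '.' and ',' as the fractional separator) can be written as one small parser. This is an added example, not code from the original question or from any of the shops named in it; the quantity cap MAX_QTY, the QuantityResult shape and the wording of the notices are assumptions of the example.

```python
from dataclasses import dataclass
from decimal import Decimal, InvalidOperation, ROUND_FLOOR
from typing import Optional

# Assumed per-line cap; a real shop would take this from stock or business rules.
MAX_QTY = 999


@dataclass
class QuantityResult:
    quantity: Optional[int]   # value to store in the basket, None if nothing usable
    message: Optional[str]    # notice for the customer, None if the input was clean


def normalize_decimal_separator(raw: str) -> str:
    """Accept both '.' and ',' as the fractional separator.

    A single ',' with no '.' is treated as a decimal point. Anything with
    several separators is left untouched so that Decimal() rejects it.
    Note the remaining ambiguity: "1,000" is read as 1.000 (one item),
    which is one more reason to prefer an integer-only control in the UI.
    """
    s = raw.strip().replace(" ", "")
    if s.count(",") == 1 and s.count(".") == 0:
        s = s.replace(",", ".")
    return s


def parse_quantity(raw: str) -> QuantityResult:
    """Server-side quantity check: never trust that client-side JS ran."""
    try:
        value = Decimal(normalize_decimal_separator(raw))
    except InvalidOperation:
        return QuantityResult(None, "Please enter a whole number of items.")

    # Decimal() happily parses 'inf' and 'nan'; neither is a quantity.
    if not value.is_finite():
        return QuantityResult(None, "Please enter a whole number of items.")
    if value <= 0:
        return QuantityResult(None, "Quantity must be at least 1.")
    if value > MAX_QTY:
        return QuantityResult(MAX_QTY, f"Quantity limited to {MAX_QTY} per order.")

    # Clean integer input (including forms like "1.000"): store it, say nothing.
    if value == value.to_integral_value():
        return QuantityResult(int(value), None)

    # Fractional input: floor rather than round up, and tell the customer.
    floored = int(value.to_integral_value(rounding=ROUND_FLOOR))
    if floored == 0:
        return QuantityResult(None, "We cannot supply part of an item. Please enter a whole number.")
    return QuantityResult(
        floored,
        f"We cannot supply {raw.strip()} items, so the quantity was set to {floored}. Please check it.",
    )


if __name__ == "__main__":
    # Constructed sample inputs covering the cases discussed in the thread.
    for sample in ["4.6", "4,6", "3", "1.000", "0.5", "abc", "inf", "5000", "-2"]:
        print(repr(sample), "->", parse_quantity(sample))
```

The Decimal type is used instead of float so that "4.6" is floored to 4 without binary rounding surprises, and the result carries the notice text so the form handler only has to redisplay the field with the corrected value and the message.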

Well, you definitely should never round up. You should not ever bill for more materials than the customer requested, no matter how inane the request.

Related

Psychopy: Key response lagging, causing problems within script

I have a component of an experiment that asks participants to choose between earning 10 immediate points or a larger point amount in two weeks (points are later converted to dollar amount to provide incentive to the "larger later" choice). The later amount offered varies based on previous choices. The participant is given feedback on the choice he/she just made in the next routine. To set this up, I generated this in the code component in builder:
if key_resp_4.keys == 'left':
    feedback = 'You chose 10 points immediately'
    TotalNow = TotalNow + 10
    add = (amount - 10)/2
    amount = add + amount
elif key_resp_4.keys == 'right':
    feedback = 'You chose more points in two weeks'
    TotalLater = TotalLater + amount
    amount = (amount + 10)/2
elif key_resp_4.keys in ['', [], None]:
    feedback = 'You did not make a choice. No reward given.'
    amount = amount
The "amount" variable generates a numeric value, which is updated based on a left or right response. "TotalNow" and "TotalLater" keep track of the total points earned for each condition and are displayed in the next screen. These variables are working just fine.
My problem lies within the feedback variable. I've run through the script quite a few times to better understand what is happening. For most of the trials (though not all)--regardless of whether or not I make a key press--the feedback screen prints the message designated for a non response: "You did not make a choice..." Here's the strange part, though. On the feedback screen, the "TotalNow"/"TotalLater" variables display point values indicating that I DID make a key response, even though the "feedback" text variable reports that I didn't. Further, the next trial shows the updated "amount" variable correctly.
Therefore, there seems to be some disconnect between the key response and the result shown by the "feedback" variable in the next routine. I suspect that the key response may be lagging. I suspect this because I have found that I am able to make two key responses in one trial (as evidenced by extra points appearing in the point total shown in the next routine). I have set the key response component to force the end of the routine, store only the first key, and discard any previous responses. Even with these settings, though, it is possible to make two responses.
Does anybody have ideas as to why these events are occurring? I'm puzzled by this myself. Any help is much appreciated.
-Ben
This is a rather unsatisfactory answer, but I resolved the issue first by following Jonas's advice and then by removing an extraneous loop that became obsolete through the programming of the experiment. This does not specifically answer the question of why the key response was lagging, but it seems to be working well now.

SAP JCo 3 RFC RSAQ_REMOTE_QUERY_CALL - unexpected results

We’re using JCo 3.0 to connect to RFCs and read data from SAP R/3. We use one RFC RFC_READ_TABLE often and use a second custom RFC to read employee information. My questions revolve around a third RFC RSAQ_REMOTE_QUERY_CALL. I'm calling an ad-hoc query I built in SAP using this RFC but I’m not getting the expected results. The main problem is that it appears that SAP is ignoring one of my selection criteria and using what was saved in SAP when I originally built it. The date criterion stored in my ad-hoc is 6/23/2013. If I pass in 6/28/2013 from JCo, I get the same results as if I had passed 6/23/2013 from JCo.
We have built several ad-hoc queries whose only criteria is a personnel number and call them successfully using RFC RSAQ_REMOTE_QUERY_CALL.
Background on my ad-hoc query: reporting period of today, joining together four aspects of an employee’s information: their latest action (hire, rehire, etc.), organization (e.g. company), pay (e.g. pay scale level) and communication (e.g. email). The query will run every workday.
Here are my questions:
My ad-hoc has three selection criteria. The first two are simple strings. The third is a date. The date will vary each time the query runs. We are referencing the first criteria using SP$00001, the second with SP$00002 and the third with SP$00003. The order of the criteria changes from the ad-hoc to SQ01 (what was SP$00001 in the ad-hoc is now SP$00003). Shouldn’t we reference them in the order defined in the ad-hoc (e.g. SP$00001)?
The two simple string selections are using OPTION “EQ”. The date criterion is using OPTION GT (greater than). Is “GT” correct?
We have some limited accessibility to SAP. Is there a way to see which SP$ parameters are mapped to which criteria?
If my ad-hoc was saved with five criteria but four of them never change when I call the ad-hoc from JCo, do I just need to set the value of the one or do I need to set the other four as well?
Do I have to call this ad-hoc using a variant (function.getImportParameterList().setValue(“VARIANT”, “VARIANT_NAME”))?
Does the Reporting Period have an impact on the date criteria? I have tried changing the Reporting Period to be PNPBEGDA = today and PNPENDDA = today and noticed no change.
Is there a way in SAP to get a “declaration” of your ad-hoc (name, inputs, outputs, criteria)? I have looked at JCoFunction.toXml() and JCoFunctionTemplate. These are good if you want to see something at runtime before it goes to SAP, but I’m looking for something I can use on the JCo end to help me write Java code that matches the ad-hoc.
I have looked at length on the web for answers to my questions and have not found anything that is useful. If there is anything which would help me, please let me know.
Thanks,
LM
Since I don't know much about SQnn, I won't be able to answer all of your questions...
I don't know, sorry.
It should be, at least it's the usual operator for greater than.
Yes - set an external breakpoint right inside the function module and trace its execution while performing the RFC call. Warning: At least basic ABAP knowledge required.
I don't know, sorry.
I don't know either, sorry.
That would depend on the query, I suspect...
JCo won't be able to help you out there - it doesn't know about queries, it only knows function modules. There might be other RSAQ_* function modules to get that information though.
I played with setting up a variant in SQ01 for my query. I added some settings in the variant that solved my problem and answered several of my questions in my post. The main thing I did was add a dynamically calculated date as part of my criteria. Here's how:
1. In SQ01, access menu "Go To" -> "Maintain Variants".
2. Choose your variant and in subobjects, choose "Attributes" and click "Change".
3. In the displayed list, find your date criterion.
4. Choose "D" in Selection Variable, choose a comparison option (mine was GT for greater than), and a "Name of a Variable" (really, this is the type of dynamic date calculation you need).
5. Go back to the Subobjects panel, choose "Values" and click "Change".
6. Enter any other criteria you need in the "Program selections" section.
7. Save the variant.
By doing this, I don't need to pass anything into the query from JCo. Also, SAP will automatically update the date criteria you entered in step #4 above.
So to answer my questions from my original post:
1 and 4. It doesn't matter because I'm no longer passing anything in from JCo.
2. "GT" is Greater Than.
3 and 7. If anyone knows, I'd really like to find out.
5. Use the name as it is in SAP (step #2 above).
6. I still don't know, but it's not holding me up.
I'm posting this in case anyone out there needs this type of information. Thanks to Esti and vwegert for helping me out.

XSS attack - Sanitizing input vs Rejection

Lately, I have become interested in XSS and its prevention methods.
Most of the XSS prevention techniques focus on sanitizing the input for invalid characters and using them. This raises a question:
When it is obvious that the purpose is indeed an XSS attack why are we trying to strip the invalid characters and then going ahead with using the input instead of directly rejecting the input as such and sending the usage to an error page?
I am sure that everyone would have thought of this approach, but somehow the focus is on input validation, filtering and reusing instead of rejection. Why? What am I missing here?
The rule I use is, I use input validation to make sure data is valid according to the domain. If I expect a number and get a string of letters, I reject it. If however I have a text field that can include anything (like a comment on stack overflow), input validation and rejection is virtually impossible. So now I need to sanitize/output encode.
Because mostly when the input is wrong you already show an error page.
For instance:
page.php?id=a33
"select * from table where id = ".((Int)$_GET['id']);
The "num rows" value will be 0 because you are searching for:
"select * from table where id = 0";
Plus, in some cases any string, even if corrupted, can be useful for what the program is going to do, for instance a search string...
And again, doing nothing can be frustrating for the user. Better to sanitize and show a warning if some data were lost.
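The two-part rule given above (reject what fails domain validation, encode what cannot be validated) looks like this when written out. It is an added example and not code from either answer; the id pattern, the comment field and the handle_request shape are assumptions chosen for the illustration. Unlike an integer cast, which turns "a33" into 0 and "33abc" into 33, the validation step rejects both outright, while the free-text comment is left untouched and escaped only at output time.

```python
import html
import re
from typing import Dict, Optional

# Domain rule for the id parameter: a positive integer with no more than 10 digits.
# Anything else is rejected, there is no point in "cleaning" it.
ID_PATTERN = re.compile(r"^[1-9][0-9]{0,9}$")


def validate_id(raw: str) -> Optional[int]:
    """Return the id as an int, or None when the value is not a valid id."""
    if not ID_PATTERN.fullmatch(raw):
        return None
    return int(raw)


def render_comment(comment: str) -> str:
    """Free text can legitimately contain <, >, & and quotes, so it is stored as-is
    and HTML-escaped when it is written into the page body. quote=True also
    escapes ' and " so the same helper is safe inside attribute values."""
    return '<p class="comment">' + html.escape(comment, quote=True) + "</p>"


def handle_request(params: Dict[str, str]) -> Dict[str, object]:
    """Stand-in for page.php: reject an invalid id, encode the comment."""
    item_id = validate_id(params.get("id", ""))
    if item_id is None:
        # The input is not something the domain accepts: error page, not a guess.
        return {"status": 400, "body": "<p>Invalid item id.</p>"}
    comment = params.get("comment", "")
    return {"status": 200, "item_id": item_id, "body": render_comment(comment)}


# Constructed sample requests, not captured traffic.
SAMPLE_REQUESTS = [
    {"id": "33", "comment": "Great <b>value</b> & fast delivery"},
    {"id": "a33", "comment": "whatever"},
    {"id": "33abc", "comment": "whatever"},
    {"id": "7", "comment": "it's \"fine\""},
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(req, "->", handle_request(req))
```

The escaping here is for the HTML body and attribute contexts only; a value written into a JavaScript block or a URL needs the encoding rules of that context instead.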

Generate unique pin numbers (6 digits) using current time and username + password?

I need to use the current time because later on, another program will need to know when I generated the pin and what the username and password are.
Summary:
Username + password + current time = pin [6 digits]
Reverse: from the generated pin, I need to know which particular, and check if it's already past 1 minute.
I am not asking for direct code, but I need to know the best, not to say best, good way/algorithm for it. Thanks (btw, I am a cpp beginner)
EDIT:
I am sorry for not making things clear. Actually, I don't need the OTP; after generating the pin, the other program will need to run like this: validate {username} {password} {pin}
999999 minutes, gives ~694 days, ~1.9 years. So if you used all the entropy available just for recording the current time, you'd cycle the value in less than 2 years.
And things will be much worse if you want to include the username and password, and avoid easy guessing.
With 6 decimal digits, you can store about 19 bits of data. So you'll have to make sure that you have strong anti-brute-force protection on your server end, otherwise it'll be trivial to try all possible combinations.
One-time passwords do not have internal decode-able structure; they are typically used in addition to a normal password to act as a second factor in authentication. They can be based on the time as you are suggesting, but are not reversible - the other end also has the secret key, and can generate the possible list itself.
So, for example, as well as entering a username and (normal) password, the user enters the value from a token, which is generated as AES(secretkey, currentminute), and the server computes AES(secretkey, currentminute) and AES(secretkey, currentminute-1) etc. to compare the value against. It might also record which token matches, so that it records an estimate of the token's clock accuracy, which allows some drift of the token's clock, as long as it's used frequently enough. To work out how to best use the 19 bits you have in a 6-digit pin, you'll need someone who is a real cryptographer - as I would guess that taking a simple truncation might be insecure.
Promoted my earlier comment to an answer, as an afterthought:
I'm pretty sure it is deceiving to call this 'otp'. OTP is purely random and secret.
What you describe is a simple hash.
You could
MD5(username+password_hash+(seconds_past_1970%60))
I'm sure besides using public key encryption instead of the password, this is more or less how RSA keys do it.
Edit Oh yes: it will be pretty trivial to generate 6 digits from the resulting hash :)
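Both answers above describe the same shape: the pin is derived from a secret plus the current minute, and the validating program does not decode it but recomputes the candidates for the current and previous minute and compares. This added example (not code from either answer) does that with HMAC-SHA256 and RFC 4226 style dynamic truncation in place of the MD5 suggested above; the shared SERVER_SECRET, the one-minute STEP_SECONDS, the 8-byte counter encoding and the window of one previous step are assumptions of the example. Since the question's validate {username} {password} {pin} command supplies the username, it is passed in rather than recovered from the pin; the password itself is deliberately kept out of the derivation, as the server should hold only a password hash.

```python
import hashlib
import hmac
import math
import time

STEP_SECONDS = 60   # one-minute validity window, as in the question
DIGITS = 6

# Assumption: a secret known only to the generating and the validating program.
# Constructed demo value; a real deployment would load it from protected storage.
SERVER_SECRET = b"constructed-demo-secret-do-not-reuse"


def time_counter(unix_seconds: float, step: int = STEP_SECONDS) -> int:
    """Number of whole steps since the epoch; both sides must agree on this."""
    return int(unix_seconds // step)


def derive_pin(username: str, counter: int, secret: bytes = SERVER_SECRET) -> str:
    """HMAC-SHA256 over username || counter, truncated to DIGITS decimal digits
    with the dynamic-offset scheme of RFC 4226 (works for any digest of 20+ bytes)."""
    msg = username.encode("utf-8") + b"\x00" + counter.to_bytes(8, "big")
    mac = hmac.new(secret, msg, hashlib.sha256).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)


def verify_pin(username: str, pin: str, now: float, window: int = 1,
               secret: bytes = SERVER_SECRET) -> bool:
    """The pin is never 'reversed': recompute it for the current step and the
    previous `window` steps and compare in constant time. A pin older than
    window * STEP_SECONDS fails, which is the 'already past 1 minute' check."""
    if len(pin) != DIGITS or not pin.isdigit():
        return False
    current = time_counter(now)
    for counter in range(current - window, current + 1):
        if hmac.compare_digest(derive_pin(username, counter, secret), pin):
            return True
    return False


def pin_entropy_bits(digits: int = DIGITS) -> float:
    """A 6-digit pin has only about 19.9 bits, hence the need for rate limiting."""
    return math.log2(10 ** digits)


if __name__ == "__main__":
    now = time.time()
    pin = derive_pin("alice", time_counter(now))
    print("pin for alice:", pin)
    print("valid now:", verify_pin("alice", pin, now))
    print("valid 2 minutes later:", verify_pin("alice", pin, now + 2 * STEP_SECONDS))
    print("bits of entropy:", round(pin_entropy_bits(), 2))
```

Because the whole pin space is under a million values, the validating side must lock out or slow down repeated failures per username; the derivation alone cannot make a 6-digit code resistant to guessing.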

MFC CEdit Ctrl Question

I have a CEdit control that I want to be able to take time input from. Now I want this input to come in the form hh:mm:ss. Currently I am using a separate CEdit control for hour, mins, & secs. I know I could require the user enter in colons to separate hours, mins, secs, but this I believe will get confusing for my users.
I actually want my control to show the colons, and have the different sections of the control to be tab stops, so that it is clear to the user what time exactly they are entering in. I know I have seen this elsewhere, and I just don't know how to do it myself.
Ideally these would come in as 3 separate strings, because I am not using Epoch time, or any other type of system time, but am using my own time count. (ie. how many data samples we are into the file.) Meaning each time, my clock starts at zero, and counts up from there.
Thanks
Dan
Reformatting the text is simple enough, although I would wait until a lost focus message rather than insert colons while the user is typing, it gets confusing especially if they need to edit or delete a character.
You can implement tab stops within the field by getting VK_TAB but I'm not sure I would do this - users are used to tabs jumping to the next control not to positions within a control.
Another way to do this is to have 3 separate controls but detect when the user has entered enough characters for the first, or entered a tab (or colon) and then automatically switch focus to the next one. I think this is neater, it's what the IP_ADDRESS control does.
You'll have to handle each WM_CHAR (or WM_KEYUP, as appropriate) and re-format the text in the edit box as the user types. Handle the message for VK_TAB and set the selection as appropriate.