I have a contest entry page on my company's website. In order to enter the contest, you create a login, which is just an email and a 4-digit pin. Here's the PIN field:
Several of the emails I've received show that the user has created a pin with more than 4 characters.
How is this possible? Are there browsers that don't support maxlength?
I would investigate the USER_AGENT and REFERER headers related to those user activities. Perhaps a malicious user submitted forms programmatically circumventing the browser restrictions, just to check your perimeter defense. If so you should see some patterns there.
Anyway, these educated guesses aside, maxlength should not be treated as a means of securing the input. Anything client-side is not under your control; it exists merely to make the user interface more intuitive and interactive. You should always check everything on the server. In this case, check that the PIN is composed of exactly 4 digits, and otherwise reject the input. The golden rule is to treat all user input as hostile and thoroughly validate it on the server.
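A server-side check of the kind the answer describes, as an added example that is not part of the question or the answer above. It assumes a Python backend that receives the form as a dict of strings (the field names `email` and `pin` are assumed), and the submitted values are constructed to show what the server actually sees when the client-side maxlength is absent or bypassed. It also shows two common pitfalls: `str.isdigit()` and the `\d` class accept non-ASCII digits, and `$` in `re.match` tolerates a trailing newline, so only `re.fullmatch` with an explicit `[0-9]` class gives the "exactly four ASCII digits" rule.

```python
import re

# Exactly four ASCII digits; fullmatch anchors both ends with no newline leniency.
PIN_RE = re.compile(r"[0-9]{4}")

# Minimal shape check for the email field; it is the login name, so it must be present.
EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")


def is_valid_pin(value) -> bool:
    """True only for a str of exactly four ASCII digits."""
    if not isinstance(value, str):
        return False
    return PIN_RE.fullmatch(value) is not None


def naive_pin_checks(value: str) -> dict:
    """Show why the tempting shortcuts are wrong (for comparison only)."""
    return {
        # isdigit() accepts superscripts and other Unicode digits, e.g. "²"
        "isdigit": value.isdigit() and len(value) == 4,
        # \d matches Unicode digits (e.g. Arabic-Indic "٣"), not just 0-9
        "backslash_d": re.fullmatch(r"\d{4}", value) is not None,
        # $ with re.match lets a trailing newline through
        "dollar_anchor": re.match(r"[0-9]{4}$", value) is not None,
    }


def validate_entry(form: dict) -> tuple[bool, str]:
    """Validate a contest entry as received by the server.

    Returns (ok, reason). Assumed field names: 'email' and 'pin'.
    """
    email = form.get("email")
    pin = form.get("pin")
    if not isinstance(email, str) or EMAIL_RE.fullmatch(email) is None:
        return False, "invalid email"
    if not is_valid_pin(pin):
        return False, "pin must be exactly 4 digits"
    return True, "ok"


# Constructed sample submissions: what reaches the server when the
# browser's maxlength is missing or circumvented. Not real data.
SAMPLE_SUBMISSIONS = [
    {"email": "alice@example.com", "pin": "1234"},      # valid
    {"email": "bob@example.com", "pin": "123456"},      # too long
    {"email": "carol@example.com", "pin": "12a4"},      # non-digit
    {"email": "dave@example.com", "pin": "1234\n"},     # trailing newline
    {"email": "erin@example.com", "pin": "١٢٣٤"},       # Arabic-Indic digits
    {"email": "frank@example.com", "pin": "12²4"},      # superscript digit
    {"email": "grace@example.com", "pin": 1234},        # wrong type
    {"email": "not-an-email", "pin": "1234"},           # bad email
]


def run_samples() -> list[bool]:
    """Validate each constructed submission; returns the accept/reject verdicts."""
    return [validate_entry(f)[0] for f in SAMPLE_SUBMISSIONS]


if __name__ == "__main__":
    for form, ok in zip(SAMPLE_SUBMISSIONS, run_samples()):
        print(f"{str(form['pin'])!r:>12} -> {'accept' if ok else 'reject'}")
```

Only the first constructed submission is accepted; every other one is rejected regardless of what the browser did or did not enforce. Logging the rejected cases alongside the request headers is a cheap way to spot the programmatic submissions the answer suggests looking for.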