never rely on JavaScript
After my post on thelist I have received several off-list questions asking
What would you recommend, instead of disabling form's default submit behavior,
so that only the submit button will submit the form?
in one way or another.
Although I am sure Christian has much more to say, I have a few words to say anyway.
So what can you do to disable form auto-submitting when pressing enter on a form field?
Actually, nothing other than the solution I proposed earlier (using onsubmit="return false;" in the form tag).
Here is why I do not recommend it:
Submitting the form when enter is pressed on an input field is the default behavior, and it is useful in terms of accessibility. By adding onsubmit="return false;":
- You override that behavior, which is an accessibility disaster (that's why I do not recommend it).
- You cannot be 100% sure it works: the user may disable JavaScript or simply type javascript:document.forms[0].submit(); in the address bar, both of which will submit the form regardless of which control you put in the form.
JavaScript is there to enhance functionality; it is not there to create functionality, nor can it be used to impose so-called "security controls" on your web application.
Any kind of JavaScript security control can be easily bypassed by
- either disabling JavaScript,
- or using the javascript: pseudo-protocol in the address bar and calling your JS function directly (as in javascript:document.forms[0].submit();),
- or using a developer toolbar and injecting your own JS into the code (Mozilla is excellent at this),
- or writing a low-level application which gets and posts HTTP requests and never messes with JavaScript at all.
I am sure there are dozens of other ways around it, and hundreds of ready-made hacker tools
that let even a novice alter the HTTP request with a few button clicks.
So what is the ideal way of doing it?
I hear you say "Come and do it yourself then, I have deadlines and I am feeling my client's / boss' breath on the nape of my neck".
You're right from a certain point of view: It will help you save a day or two, at a cost of never-ending future nightmares.
If you think this won't affect you at all ("nothing will happen to me, bro") then do not waste your precious time reading the rest of this post -- just enjoy your way to the dark side :)
So coming back to my former question, "what is the ideal way of doing it?":
Actually it's dead obvious and simple:
1. First of all, disable your JavaScript
As I mentioned above, JavaScript should be used to enhance functionality,
not to implement it.
Thus the first and immediate thing you should do is to disable JavaScript, post your form and
validate everything on the server.
If server-side validation fails, redirect the user to the same page with a message explaining what has gone wrong.
(Hell No!!! When I say message, I never, ever mean a JavaScript alert or, worse, a pop-up;
embed your message directly into the page and preferably highlight the erroneous fields with CSS.)
2. After making sure that everything works """without""" JavaScript, enable JavaScript
and implement whatever client-side control you wish to do.
This may seem to duplicate your development time, but it can save you hours in the long run.
Of course, if you like having stomachaches once a week because you cannot figure out how on earth that bloody user entered that god-damn invalid data into the form, then that's your choice.
I don't know about you, but I have better things to do, like eating, sleeping...
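The server-side half of the two steps above, as an added example (not code from the original post): a validator that works on the raw POST body, so it holds whether or not any JavaScript ran, and a renderer that embeds the messages in the page and marks bad fields with a CSS class. The field names, the rules and the /signup action are assumptions for illustration.

```javascript
// Added example: server-side validation that never trusts the client.
// Field names and rules (email, age) are assumptions for illustration.

// Escape untrusted text before echoing it back into the page.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  }[c]));
}

// Validate a raw urlencoded POST body. Returns { values, errors }.
function validateSignup(rawBody) {
  const params = new URLSearchParams(rawBody);
  const values = {
    email: (params.get("email") || "").trim(),
    age: (params.get("age") || "").trim(),
  };
  const errors = {};
  if (!/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(values.email) || values.email.length > 254) {
    errors.email = "Please enter a valid e-mail address.";
  }
  if (!/^\d{1,3}$/.test(values.age) || Number(values.age) < 13 || Number(values.age) > 120) {
    errors.age = "Age must be a whole number between 13 and 120.";
  }
  return { values, errors };
}

// Re-render the same form: messages embedded in the page, CSS class on bad fields.
function renderForm(values, errors) {
  const field = (name, label) => {
    const bad = Object.prototype.hasOwnProperty.call(errors, name);
    return `<p${bad ? ' class="error"' : ""}><label>${label} ` +
      `<input name="${name}" value="${escapeHtml(values[name])}"></label>` +
      (bad ? ` <span class="msg">${escapeHtml(errors[name])}</span>` : "") + "</p>";
  };
  return `<form method="post" action="/signup">${field("email", "E-mail")}` +
    `${field("age", "Age")}<button type="submit">Sign up</button></form>`;
}

// Constructed sample: a body posted by a hand-written HTTP client, so no client-side check ever ran.
const forged = "email=%22%3E%3Cb%3Ebad&age=-5";
const result = validateSignup(forged);
const page = renderForm(result.values, result.errors);
console.log(Object.keys(result.errors).length ? page : "accepted");
```

Any client-side check added in step 2 can repeat these rules for convenience, but the decision to accept the data stays in validateSignup.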
- permalink: 9:30 AM