Does setting the “Size” of an Input Field in an HTML form truly restrict how much data you can type in it?
No. (niether does maxlength)
Not if someone wants to be all clever.
I use “size” (and when sensible “maxlength”) in my HTML as attributes of the inputs which suggest to the user the type of data I’m expecting… and also that way is a bit of a usability plus (otherwise, I would use CSS to “style” the size). Since I have convinced myself that setting size and maxlength are part of the content of that form regardless of whether styles are present, I usually don’t use CSS to set input size.
So using size, together with maxlength (make the size always a bit bigger than your maxlength, for Safari and other fat-fonted browsers) you can give a bit of easy feedback to a user that you are looking for a small amount of data in that input.
But the back-end validation must be the one to enforce the limit.
So HTML’s “size” just sets the physical width of the Input box?
Yes. It might also stop my typing in a browser, but people can change the front-end code in their browsers or in a text editor and still send a large amount of data if your form accepts it.
And am I understanding you correctly, that if I need to be certain that people on enter a 5-digit Zipcode, then I would need to use something like PHP check that?
The back end should always check the data being sent it. Programmers call user input “tainted” no matter the intentions of the user. Always taint-check your data.
whereas the back end, when checking, can flag all of those.