ColdFusion's Server-side Form Validation
ColdFusion's built-in server-side form validation often gets a bad rap, but this
past week it really came in handy. For those who don't know, ColdFusion can do
certain types of server-side validation based on specially named hidden form
fields. To trigger it, you add a hidden field whose name is the name of the field
to validate plus one of the suffixes below; the hidden field's value is the error
message ColdFusion displays when validation fails (for _range, it holds the
boundaries instead). Here are the available validation options:
- _integer Verifies that the user entered a number; a floating-point value is rounded to an integer.
- _float Verifies that the user entered a number; the value is not rounded.
- _range Verifies that a numeric value entered is within the boundaries given in the hidden field's value, for example MIN=1 MAX=100.
- _date Verifies that the user entered a date; converts to ODBC date format.
- _time Verifies that the user correctly entered a time; converts to ODBC time format.
- _eurodate Verifies that the user entered a date in a standard European date format; converts to ODBC date format.
- _required Verifies that the user entered a value.
One thing to note: if you want to require a field and also type-check it, that takes two separate rule fields, one per suffix. These rule fields are normally hidden form fields. So, say you have a field named amount that you want to require and ensure has a float value. Your form may look something like this (the value attributes are the messages shown when a rule fails):
<form action="index.cfm" method="post">
<input type="text" name="amount">
<input type="hidden" name="amount_required" value="You must enter an amount.">
<input type="hidden" name="amount_float" value="Amount must be a number.">
<input type="submit">
</form>
The cool thing about this is that it works for both cfform and plain old
HTML forms. This is where it really saved the day for me this week. We had
several HTML forms with custom client-side JavaScript validation; however,
some users were still able to enter invalid data into certain fields, and this
was wreaking havoc on our system. I suspected that these users had JavaScript
disabled, so I knew we needed to add server-side validation to the application.
The problem was that the forms were pretty complex and we needed to do something
fast. That's where ColdFusion's server-side validation came to the rescue. We
were able to fix the issue easily and quickly just by adding a few hidden form
fields.
This experience highlights the fact that you can't rely on client-side form
validation (JavaScript) alone. Any client-side validation can easily be
circumvented, either intentionally or unintentionally. It is important to note
that while ColdFusion's suffix validation runs on the server, it is triggered
only by hidden fields the client sends back: a request submitted without the
amount_required and amount_float fields (from a modified copy of the form, or a
request crafted by hand) is not validated at all, so it can be circumvented as
well. In my case I was
working on an internal application and I knew our users were not intentionally
working around our JavaScript validation (they had nothing to gain by doing so),
so I felt it was an appropriate solution.
So in short, ColdFusion's server-side validation may not be the most robust or
secure server-side validation solution, but sometimes it may be all you
need. For a form that untrusted users can reach, validate every expected field
in the action page yourself (isValid() and explicit checks) regardless of which
hidden fields arrived in the request.
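The following is an added Python model of the two approaches described above; it is not ColdFusion's code and not part of the original post. suffix_validate() applies a rule only when the matching hidden <field>_<suffix> key is present in the submitted form, which is what makes the scheme bypassable; schema_validate() checks a fixed server-side schema on every request. The form dictionaries are constructed samples, and the MIN=n MAX=n format for the _range value is taken from ColdFusion's documented hidden-field syntax.

```python
"""Hidden-field (suffix) validation versus an explicit server-side schema.

Added illustration in Python: a simplified re-implementation of the suffix
scheme, not ColdFusion's implementation. Form dictionaries are constructed.
"""
import re

# Subset of the suffixes the post lists; date/time rules are omitted for brevity.
SUFFIXES = ("_required", "_integer", "_float", "_range")


def is_number(value):
    """True if the string is a plain decimal number such as 42, -3.5 or .25."""
    return re.fullmatch(r"[+-]?(\d+\.?\d*|\.\d+)", value.strip()) is not None


def parse_range(spec):
    """Parse a _range value like 'MIN=1 MAX=100' into (low, high).
    A missing bound is treated as unbounded."""
    bounds = dict(re.findall(r"(MIN|MAX)=([-+\d.]+)", spec.upper()))
    low = float(bounds["MIN"]) if "MIN" in bounds else float("-inf")
    high = float(bounds["MAX"]) if "MAX" in bounds else float("inf")
    return low, high


def suffix_validate(form):
    """Apply a rule only when its hidden <field>_<suffix> key was submitted.
    The hidden field's value is the error message (or the range spec).
    Returns the list of error messages."""
    errors = []
    for key, hidden_value in form.items():
        for suffix in SUFFIXES:
            if not key.endswith(suffix) or key == suffix:
                continue
            field = key[: -len(suffix)]
            value = form.get(field, "")
            if suffix == "_required":
                if value.strip() == "":
                    errors.append(hidden_value or f"{field} is required")
            elif value.strip() == "":
                continue  # type/range rules skip empty input; _required covers it
            elif suffix in ("_integer", "_float"):
                # Both mean "must be a number" here; ColdFusion rounds a float
                # in an _integer field rather than rejecting it.
                if not is_number(value):
                    errors.append(hidden_value or f"{field} must be a number")
            elif suffix == "_range":
                low, high = parse_range(hidden_value)
                if not is_number(value) or not (low <= float(value) <= high):
                    errors.append(f"{field} must be between {low:g} and {high:g}")
    return errors


# Explicit server-side schema (assumed field set): every expected field is
# checked on every request, whatever the client chose to send.
SCHEMA = {
    "amount": {"required": True, "numeric": True, "min": 0.01, "max": 10000},
}


def schema_validate(form, schema=SCHEMA):
    """Validate against a fixed schema; returns the list of error messages."""
    errors = []
    for field, rule in schema.items():
        value = form.get(field, "").strip()
        if value == "":
            if rule.get("required"):
                errors.append(f"{field} is required")
            continue
        if rule.get("numeric"):
            if not is_number(value):
                errors.append(f"{field} must be a number")
                continue
            low = rule.get("min", float("-inf"))
            high = rule.get("max", float("inf"))
            if not (low <= float(value) <= high):
                errors.append(f"{field} is out of range")
    return errors


# Constructed sample submissions for the form shown in the post.
NORMAL_GOOD = {"amount": "42.50",
               "amount_required": "You must enter an amount.",
               "amount_float": "Amount must be a number."}
NORMAL_BAD = {"amount": "abc",
              "amount_required": "You must enter an amount.",
              "amount_float": "Amount must be a number."}
# What the server sees when the hidden fields were dropped from a local copy.
STRIPPED_BAD = {"amount": "abc"}


def compare(form):
    """Return (suffix-scheme errors, schema errors) for one submission."""
    return suffix_validate(form), schema_validate(form)


if __name__ == "__main__":
    for name, form in (("normal good", NORMAL_GOOD),
                       ("normal bad", NORMAL_BAD),
                       ("stripped bad", STRIPPED_BAD)):
        print(name, compare(form))
```

The "stripped bad" case is the one that matters: the suffix scheme returns no errors because nothing in the request asked it to validate anything, while the schema validator rejects the same input.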

A hacker saves your form locally to his computer and changes values on the form. He loads his local copy in his browser, and the form action is still as it was on your server. So, his local form posts to your server without the hidden fields. It's not as easy as turning off JavaScript, but it is certainly easily breakable.
thx
Example:
<cfset errorMsg = "">
<cfif not (structKeyExists(form,"email") and len(form.email) and isValid("email",form.email))>
<cfset errorMsg = "#errorMsg#Email is missing or badly formatted">
</cfif>
<cfif not len(errorMsg)>
form ok, continue processing
<cfelse>
form bad <cfoutput>#errorMsg#</cfoutput>
</cfif>
should be
<cfset errorMsg = "#errorMsg#Email is missing or badly formatted<br />">
I've been complaining about this since CF5.
It practically renders CF unusable when it comes to integrating with third-party services.