ColdFusion's Server-side Form Validation

ColdFusion's built-in server-side form validation often gets a bad rap, but this past week it really came in handy. For those who don't know, ColdFusion can perform certain kinds of server-side validation depending on how you name your form fields. All you need to do to trigger this validation is add a suffix to the form field's name. Here are the available validation options:


Which version of ColdFusion are you using?
# Posted By sandee[ | 7/21/07 4:14 PM
This was on 6.1. I should point out that 7 has quite a few more server-side validation options:
# Posted By Nathan Mische | 7/21/07 9:32 PM
Be better to use the isValid function so you can show your own error messages above the form. ColdFusion's "go back to the other page and fix it" error handling is atrocious.
# Posted By Michael Long | 7/22/07 11:43 PM
The main problem is that for public sites, a hacker could submit your form without the hidden fields. So, as long as you are prepared on the processing page if those values are still bad, you'll be ok.
# Posted By Justin Treher | 8/15/07 3:08 PM
I know you know this (your example was internal only) but I thought I would present an example in case someone with less experience finds this on Google.

Hacker saves your form locally to his computer and changes values on the form. He loads his local copy in his internet browser and the form action is still as it was on your server. So, his local form posts to your server without the hidden fields. It's not as easy as turning off javascript, but it is certainly easily breakable.
# Posted By Justin Treher | 8/15/07 3:12 PM
@Justin - That is exactly what I meant by "It is important to note that while ColdFusion's server-side validation happens at the server, it also relies on client-side code so it can be circumvented as well."
# Posted By Nathan Mische | 8/15/07 5:51 PM
A question on all those comments: is it best to do both, server-side and client-side validation? I want to use a client-side validation based on java to guide the user through the form, but when the user submits I want the server to check (double-check) the values in case, for example, JavaScript was not enabled on the client side... Is this the good workflow?

# Posted By Nico Janssens | 9/12/07 11:51 AM
Yes, you should do both, but don't use validateAt="onSubmit,onServer". Use onSubmit only for easy JavaScript validation and do some home-grown server-side validation during the form processing.

<cfset errorMsg = "">

<!--- Check that the field exists, is non-empty and is well-formed; none of this depends on a hidden-field suffix the client could leave out --->
<cfif not (structKeyExists(form, "email") and len(form.email) and isValid("email", form.email))>
    <cfset errorMsg = "#errorMsg#Email is missing or badly formatted">
</cfif>

<cfif not len(errorMsg)>
    <!--- form ok, continue processing --->
<cfelse>
    <!--- form bad --->
    <cfoutput>#errorMsg#</cfoutput>
</cfif>
# Posted By Justin | 9/12/07 2:52 PM
<cfset errorMsg = "#errorMsg#Email is missing or badly formatted">
should be
<cfset errorMsg = "#errorMsg#Email is missing or badly formatted<br />">
# Posted By Justin | 9/12/07 2:54 PM
If someone can figure out how to turn off server-side validation, please send me a note; it is driving me crazy. With no way to bypass it, it is impossible to host a Facebook app with CF8, since one of the fields Facebook posts to the app is FB_SIG_TIME, which won't validate in CF since CF thinks it needs to validate every field ending in '_time'... very annoying.
# Posted By Anthony | 9/20/07 11:23 PM
This, as far as my research at the moment goes, cannot be disabled.
I've been complaining about this since CF5.
It practically renders CF unusable when it comes to integrating with third-party services.
# Posted By Harel Malka | 11/15/07 9:55 AM
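An added example, not code from the post or from any of the commenters: a Python model of the suffix-driven mechanism the post describes and of the two failure modes raised in the comments. It is not ColdFusion code and re-implements only three suffixes (_required, _integer, _time). It assumes that the engine treats form field names case-insensitively and that a blank value fails only the required check (both assumptions about ColdFusion's behaviour, not facts stated on the page). The POST bodies are constructed, the fb_sig value is a made-up hash, and the presence of an fb_sig field next to fb_sig_time is an assumption about the Facebook payload. cf_hidden_field_validate shows that deleting the hidden field silences the check, and that fb_sig_time trips a check on fb_sig; server_side_validate is the home-grown check the commenters recommend, driven by a rule table the client cannot edit.

```python
"""
Model of ColdFusion-style hidden-field ("suffix") form validation and of the
two weaknesses discussed in the comments: the hidden fields are supplied by
the client, so an attacker can simply omit them, and a third-party POST whose
field names happen to end in a recognised suffix (fb_sig_time) trips a check
on a field the developer never asked to validate.

Illustrative re-implementation only, NOT ColdFusion code. Assumptions:
- only the suffixes in SUFFIX_TO_CHECK are modelled;
- a blank value passes every check except "required";
- field names are compared case-insensitively.
"""
import re
from datetime import datetime

INT_RE = re.compile(r"[+-]?\d+")
EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[A-Za-z]{2,}")


def is_time(value: str) -> bool:
    """Accept hh:mm, hh:mm:ss or hh:mm AM/PM; reject anything else."""
    for fmt in ("%H:%M", "%H:%M:%S", "%I:%M %p"):
        try:
            datetime.strptime(value.strip(), fmt)
            return True
        except ValueError:
            continue
    return False


# Shared predicates: (passes(value), failure wording). Blank passes everything
# but "required", so a type check must be paired with "required" to reject blanks.
CHECKS = {
    "required": (lambda v: v.strip() != "", "is required"),
    "integer": (lambda v: v.strip() == "" or INT_RE.fullmatch(v.strip()) is not None,
                "must be a whole number"),
    "email": (lambda v: v.strip() == "" or EMAIL_RE.fullmatch(v.strip()) is not None,
              "is not a valid e-mail address"),
    "time": (lambda v: v.strip() == "" or is_time(v), "is not a valid time"),
}

# Hidden-field suffixes modelled here (assumed subset of what the engine recognises).
SUFFIX_TO_CHECK = {"_required": "required", "_integer": "integer", "_time": "time"}


def cf_hidden_field_validate(form: dict) -> list:
    """Model of the engine: scan the *submitted* field names for a magic suffix
    and validate the base field; the suffix field's value is the error text.
    Returns [(base_field, error_text), ...]. Whatever the client did not send
    is never checked, which is the whole problem."""
    fields = {k.lower(): v for k, v in form.items()}
    errors = []
    for name, error_text in fields.items():
        for suffix, check in SUFFIX_TO_CHECK.items():
            if name.endswith(suffix) and len(name) > len(suffix):
                base = name[: -len(suffix)]
                passes, _ = CHECKS[check]
                if not passes(fields.get(base, "")):
                    errors.append((base, error_text))
    return errors


def server_side_validate(form: dict, rules: dict) -> list:
    """What the processing page should do instead: validate against a rule
    table that lives on the server, so nothing the client omits or adds changes
    which checks run. A field missing from the POST is treated as blank."""
    fields = {k.lower(): v for k, v in form.items()}
    errors = []
    for field, checks in rules.items():
        value = fields.get(field.lower(), "")
        for check in checks:
            passes, wording = CHECKS[check]
            if not passes(value):
                errors.append(f"{field} {wording}")
                break  # one message per field is enough
    return errors


# Constructed sample POST bodies (not captured traffic).
HONEST_POST = {"email": "alice@example.com", "age": "abc",
               "age_integer": "Age must be a whole number"}   # browser kept the hidden field
TAMPERED_POST = {"email": "alice@example.com", "age": "abc"}  # local copy of the form, hidden field deleted
FACEBOOK_POST = {"fb_sig": "8c2a3f0e9b1d4c5a6e7f8091a2b3c4d5",  # made-up signature hash
                 "fb_sig_time": "1190000000.12",               # ends in _time: engine "validates" fb_sig
                 "fb_sig_user": "12345"}

SIGNUP_RULES = {"email": ["required", "email"], "age": ["required", "integer"]}


if __name__ == "__main__":
    print("honest  :", cf_hidden_field_validate(HONEST_POST))      # age rejected
    print("tampered:", cf_hidden_field_validate(TAMPERED_POST))    # [] -> "abc" accepted as an age
    print("facebook:", cf_hidden_field_validate(FACEBOOK_POST))    # spurious error on fb_sig
    print("server  :", server_side_validate(TAMPERED_POST, SIGNUP_RULES))  # bypass closed
```

Run it directly to print the four outcomes. The rule-table validator closes the bypass but not the Facebook problem: in a real deployment the engine's own scan runs before any application code, so, as the last two comments say, a field name that happens to end in a recognised suffix still trips it unless the engine lets you switch the feature off.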
BlogCFC was created by Raymond Camden. This blog is running version 5.8.001.