ColdFusion's Server-side Form Validation

ColdFusion's built-in server-side form validation often gets a bad rap, but this past week it really came in handy. For those that don't know, ColdFusion can do certain types of server-side validation depending on how you name your form fields. All you need to do to trigger this validation is add a suffix to your form field name. Here are the available validation options:


  • _integer: Verifies that the user entered a number.
  • _float: Verifies that the user entered a number.
  • _range: Verifies that a numeric value entered is within specified boundaries.
  • _date: Verifies that the user entered a date; converts to ODBC date format.
  • _time: Verifies that the user correctly entered a time; converts to ODBC time format.
  • _eurodate: Verifies that the user entered a date in a standard European date format; converts to ODBC date format.
  • _required: Verifies that the user entered a value.

One thing to note: if you want to require a field and also do some sort of type validation on it, this requires two separate fields, one per suffix. Generally this is done with hidden form fields. So, say you have a field named amount that you want to require and ensure it has a float value. Your form may look something like:

<form action="index.cfm" method="post">
    <input type="text" name="amount">
    <input type="hidden" name="amount_required">
    <input type="hidden" name="amount_float">
    <input type="submit">
</form>


The cool thing about this is that it works for both cfform forms as well as plain old HTML forms. This is where it really saved the day for me this week. We had several HTML forms which had custom client-side JavaScript validation; however, some users were still able to enter invalid data into certain fields, and this was wreaking havoc on our system. I suspected that these users had JavaScript disabled, so I knew we needed to add server-side validation to the application. The problem was the forms were pretty complex and we needed to do something fast. That's where ColdFusion's server-side validation came to the rescue. We were able to easily and quickly fix the issue just by adding a few hidden form fields.

This experience highlights the fact that you can't rely on client-side form validation (JavaScript) alone. Any client-side validation can easily be circumvented, either intentionally or unintentionally. It is important to note that while ColdFusion's server-side validation happens at the server, it also relies on client-side code so it can be circumvented as well. In my case I was working on an internal application and I knew our users were not intentionally working around our JavaScript validation (they had nothing to gain by doing so) so I felt it was an appropriate solution.

So in short, ColdFusion's server-side validation may not be the most robust or secure server-side validation solution, but sometimes it may just be all you need.
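As an added example (not code from the original post), here is how the processing page for the amount form above could check the field itself, so the validation still holds when a request arrives without the amount_required and amount_float hidden fields. The page name index.cfm and the field name amount come from the form above; the 0 to 10000 range and the error output are assumptions.

```cfml
<!--- index.cfm: server-side checks that do not depend on hidden fields --->
<cfset errors = arrayNew(1)>

<!--- required: the field must be present in the post and non-empty --->
<cfif not structKeyExists(form, "amount") or not len(trim(form.amount))>
    <cfset arrayAppend(errors, "Amount is required.")>
<!--- float: same check the _float suffix would do, but done here on every request --->
<cfelseif not isValid("float", form.amount)>
    <cfset arrayAppend(errors, "Amount must be a number.")>
<!--- range: assumed business rule for this example, 0 to 10000 inclusive --->
<cfelseif not isValid("range", form.amount, 0, 10000)>
    <cfset arrayAppend(errors, "Amount must be between 0 and 10000.")>
</cfif>

<cfif arrayLen(errors)>
    <!--- show our own messages instead of ColdFusion's built-in error page --->
    <cfoutput>
    <ul>
    <cfloop from="1" to="#arrayLen(errors)#" index="i">
        <li>#errors[i]#</li>
    </cfloop>
    </ul>
    </cfoutput>
<cfelse>
    <!--- every check passed; only now is the value used --->
    <cfset amount = val(form.amount)>
</cfif>
```

The hidden-field suffixes can stay on the form for users who submit it normally; this page simply repeats the checks so a post that omits them is treated the same way.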

Comments
Which version of ColdFusion are you using?
# Posted By sandee[ | 7/21/07 4:14 PM
This was on 6.1. I should point out that 7 has quite a few more server-side validation options: http://livedocs.adobe.com/coldfusion/7/htmldocs/00...
# Posted By Nathan Mische | 7/21/07 9:32 PM
It'd be better to use the isValid function so you can show your own error messages above the form. ColdFusion's "go back to the other page and fix it" error handling is atrocious.
# Posted By Michael Long | 7/22/07 11:43 PM
The main problem is that for public sites, a hacker could submit your form without the hidden fields. So, as long as you are prepared on the processing page if those values are still bad, you'll be ok.
# Posted By Justin Treher | 8/15/07 3:08 PM
I know you know this (your example was internal only) but I thought I would present an example in case someone with less experience finds this on Google.

Hacker saves your form locally to his computer and changes values on the form. He loads his local copy in his internet browser and the form action is still as it was on your server. So, his local form posts to your server without the hidden fields. It's not as easy as turning off JavaScript, but it is certainly easily breakable.
# Posted By Justin Treher | 8/15/07 3:12 PM
@Justin - That is exactly what I meant by "It is important to note that while ColdFusion's server-side validation happens at the server, it also relies on client-side code so it can be circumvented as well."
# Posted By Nathan Mische | 8/15/07 5:51 PM
A question on all those comments: is it best to do both, server-side and client-side validation? I want to use a client-side validation based on java to guide the user through the form, but when the user submits I want the server to check (double-check) the values in case, for example, JavaScript was not enabled at the client side... Is this the good workflow?

thx
# Posted By Nico Janssens | 9/12/07 11:51 AM
Yes, you should do both, but don't use the validateAt="onSubmit,onServer". Use onSubmit only for easy JavaScript validation and do some home-grown server side during the form processing.

Example:

<cfset errorMsg = "">

<!--- required, non-empty and well-formed, checked in one condition --->
<cfif not (structKeyExists(form,"email") and len(form.email) and isValid("email",form.email))>
    <cfset errorMsg = "#errorMsg#Email is missing or badly formatted">
</cfif>

<cfif not len(errorMsg)>
    <!--- form ok, continue processing --->
<cfelse>
    form bad <cfoutput>#errorMsg#</cfoutput>
</cfif>
# Posted By Justin | 9/12/07 2:52 PM
<cfset errorMsg = "#errorMsg#Email is missing or badly formatted">
should be
<cfset errorMsg = "#errorMsg#Email is missing or badly formatted<br />">
# Posted By Justin | 9/12/07 2:54 PM
If someone can figure out how to turn off server-side validation please send me a note, it is driving me crazy. With no way to bypass it, it is impossible to host a Facebook app with CF8, since one of the fields Facebook posts to the app is FB_SIG_TIME, which won't validate in CF since CF thinks it needs to validate every field ending in '_time'... very annoying
# Posted By Anthony | 9/20/07 11:23 PM
This, as far as my research at the moment goes, cannot be disabled.
I've been complaining about this since CF5.
It practically renders CF unusable when it comes to integrating with 3rd party services.
# Posted By Harel Malka | 11/15/07 9:55 AM