Adobe 38043740 - ColdFusion Standard - Mac Development Manual page 752

Developing applications

DEVELOPING COLDFUSION 9 APPLICATIONS
Requesting and Presenting Information
Security considerations
Although form-specific validation techniques provide good methods for preventing users from submitting invalid or
badly formatted data, they cannot prevent users from submitting maliciously formatted data from HTML forms.
Malicious users can circumvent validation techniques that require validation on the browser using JavaScript or
submission of validation rules in hidden fields. If you must use a technique for preventing malicious data submissions,
consider using the following techniques:
• The onSubmit or OnBlur validation in Flash forms, which use Flash built-in validation.
• The IsValid function and the cfparam and cfargument tags, which let you test variables and arguments in your CFML code.
• The cfqueryparam tag in cfquery tags, which can help protect databases from malicious query input (see "Enhancing security with cfqueryparam" on page 416).
• The script protection option, which helps prevent cross-site scripting attacks. You can set this option on the ColdFusion Administrator Server Settings > Settings page or by using the Application.cfc This.scriptProtect variable or the cfapplication tag scriptprotect attribute. For more information on cross-site scripting attacks and this option, see the cfapplication tag page in the CFML Reference.

Data validation types
The following table lists the types of data you can validate when you use most ColdFusion validation techniques. It does not include mask validation. Some validation types are not available for all techniques; in these cases the table indicates the limitations. The onBlur and onSubmit validation algorithms for Flash forms can vary from the validation algorithms described in the following table, and most commonly have less functionality. The asterisk (*) in the Type field column indicates that the field is required. For more detailed descriptions of the onServer validation algorithms, see the table in "Validating form data using hidden fields" on page 755.

| Type field | Description |
|---|---|
| date | When validating on the server, allows any date/time format that returns true in the IsDate function, including a time value. When validating on the client, same as USdate. |
| USdate * | A U.S. date of the format mm/dd/yy, with 1- or 2-digit days and months, and 1- through 4-digit years. The separators can be slash (/), hyphen (-), or period (.) characters. |
| eurodate * | A date of the format dd/mm/yy, with 1- or 2-digit days and months, and 1- through 4-digit years. The separators can be slash (/), hyphen (-), or period (.) characters. |
| time * | When validating on the server, allows any date/time format that returns True in the IsDate function, including a date value. When validating on the client, allows a time of format hh:mm[:ss] [A/PM]. |
| float * | A number; allows integers. When validating form fields on the server, integer values are converted to real numbers. |
| numeric | A number; allows integers. When validating form fields on the server, integer values are unchanged. |
| integer * | An integer. |
| range * | A numeric range specified by a range attribute or max and min attributes. |
| boolean | A value that can be converted to a Boolean value: Yes, No, True, or False (all case-independent), or a number. |
| telephone * | Standard U.S. telephone formats. Allows an initial 1 long-distance designator and up to 5-digit extensions, optionally starting with x. |
| zipcode * | U.S. 5- or 9-digit ZIP code format #####-####. The separator can be a hyphen (-) or a space. |

Last updated 1/20/2012
747
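The server-side techniques from the Security considerations list (cfparam, IsValid, and cfqueryparam), combined on one action page. This is an added example, not code from the Adobe manual; the page name, the form fields userId, zip, and quantity, the profiles table, and the exampleDSN data source are all assumptions.

```cfml
<!--- Added example: hypothetical action page (updateProfile.cfm).
      Field, table and data source names are assumed for illustration. --->

<!--- Give each expected field a default so a request that omits it
      still reaches the checks below instead of raising an undefined-variable error. --->
<cfparam name="form.userId" default="">
<cfparam name="form.zip" default="">
<cfparam name="form.quantity" default="">

<!--- Re-validate on the server. JavaScript checks and validation rules sent in
      hidden fields are controlled by the client and can be altered or removed. --->
<cfset errors = ArrayNew(1)>
<cfif NOT IsValid("integer", form.userId)>
    <cfset ArrayAppend(errors, "userId must be an integer.")>
</cfif>
<cfif NOT IsValid("zipcode", form.zip)>
    <cfset ArrayAppend(errors, "zip must be a U.S. 5- or 9-digit ZIP code.")>
</cfif>
<cfif NOT IsValid("range", form.quantity, 1, 100)>
    <cfset ArrayAppend(errors, "quantity must be a number from 1 to 100.")>
</cfif>

<!--- Reject the whole request if any field failed; nothing reaches the database. --->
<cfif ArrayLen(errors) GT 0>
    <cfheader statuscode="400" statustext="Bad Request">
    <cfoutput>
        <ul>
        <cfloop array="#errors#" index="msg"><li>#HTMLEditFormat(msg)#</li></cfloop>
        </ul>
    </cfoutput>
    <cfabort>
</cfif>

<!--- Bind every value with cfqueryparam so it is sent as a typed parameter
      and never concatenated into the SQL text. --->
<cfquery name="updateProfile" datasource="exampleDSN">
    UPDATE profiles
    SET zip = <cfqueryparam value="#form.zip#" cfsqltype="cf_sql_varchar" maxlength="10">,
        quantity = <cfqueryparam value="#form.quantity#" cfsqltype="cf_sql_integer">
    WHERE user_id = <cfqueryparam value="#form.userId#" cfsqltype="cf_sql_integer">
</cfquery>
```

The two layers are independent: IsValid produces a readable rejection for the user, while cfqueryparam still enforces the data type at the database boundary if a validation check is later removed or loosened.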
