About ColdFusion validation

Data validation lets you control data that is entered into an application by ensuring that the data conforms to specific type or formatting rules. Validation techniques have the following features:

  • They let you provide feedback to users so that they can immediately correct information they provide. For example, a form can provide immediate feedback when a user enters a name in a telephone number field, or the form could force the user to enter the number in the correct format.
  • They help prevent application errors that can arise when processing invalid data. For example, a validation test can prevent a variable that is used in a calculation from having nonnumeric data.
  • They can help enhance security by preventing malicious users from providing data that takes advantage of system security weaknesses, such as buffer overrun attacks.
    ColdFusion provides several techniques to ensure that data is valid. These include techniques for validating form data and for validating ColdFusion variables. They also include techniques for validating form data before the user submits it to ColdFusion, or on the ColdFusion server.
    When you design data validation you consider the following factors:
  • The validation technique Whether to validate on the client's browser or on the server, and the specific server- or client-side validation technique, such as whether to validate when a field loses focus or when the user submits the form.
  • The validation type The specific method that you use to validate the data, including the rules that you apply to test the data validity, such as testing for a valid telephone number.

Validation techniques

Different validation techniques apply to different ColdFusion tags or coding environments; for example, you can use masking only in HTML and Flash format cfinput tags. Validation techniques also vary in where and when they execute; for example, on the client browser when the user submits form data, or on the server when processing data.
The following table describes the ColdFusion validation techniques:

Validation technique

Applies to

Where and when performed

Description

mask(mask attribute)

HTML and Flash format cfinput tags

On the client as the user enters data

ColdFusion generates JavaScript or ActionScript to directly control the data a user enters by specifying a pattern. For example, 999-999-9999 requires a user to enter ten digits, and automatically fills in the dash (-) separators to create a formatted telephone number.For detailed information on using masks, see Handling invalid data.

onBlur(validateat="onBlur" attribute)

cfinput and cftextarea tags

On the client when the data field loses focus

In HTML and XML format, ColdFusion generates JavaScript that runs on the browser to check whether entered data is valid and provide immediate feedback, if the entry is invalid.In Flash format, uses Flash built-in validation routines.

onSubmit(validateat="onSubmit" attribute)

cfinput and cftextarea tags

On the client when the user clicks Submit

In HTML or XML format, the validation logic is identical to onBlur validation, but the test is not done until the user submits the form.In Flash format, this validation type is identical to onBlur Validation. Flash checks do not differentiate between the two events for validation.

onServer(validateat="onServer" attribute)

cfinput and cftextarea tags

On the server when ColdFusion gets the submitted form

ColdFusion checks submitted data for validity and runs a validation error page if the data is not valid. You can use the cferror tag to specify the validation error page.

hidden field

All Forms, including HTML-only forms

On the server when ColdFusion gets the submitted form

ColdFusion uses the same validation logic as with onServer validation, but you must create additional, hidden, fields and you can use this technique with HTML tags or CFML tags.For detailed information on using hidden fields, see Validating form data using hidden fields.

JavaScript(onValidate ="function" attribute)

cfgrid, cfinput, cfslider, cftextarea, and cftree tags in HTML and XML format forms

On the client, when the user clicks Submit, before field-specific onSubmit validation

ColdFusion includes the specified JavaScript function in the HTML page it sends to the browser, and the browser calls it. For detailed information on using JavaScript for validation, see Validating form input and handling errors with JavaScript.

IsValid function

ColdFusion variables

On the server, when the function executes

ColdFusion tests the variable to determine whether it follows a specified validation rule and the function returns true or false.For more information on using the IsValid function for validation, see Validating data with the IsValid function and the cfparam tag.

cfparam tag

ColdFusion variables

On the server, when the tag executes

ColdFusion checks the specified variable. If the value does not meet the validation criteria, ColdFusion generates an expression exception.For more information on using the cfparam tag for validation, see, Validating data with the IsValid function and the cfparam tag.

cfargument tag

UDF and CFC function arguments

On the server, when a function is called or invoked

ColdFusion checks the argument value when it is passed to the function. If the value does not meet the validation criteria, ColdFusion generates an application exception.For more information on using the cfargument tag, see Writing and Calling User-Defined Functions.

 

Note: For more information on ColdFusion error handling, see Handling Errors.

Selecting a validation technique

The following considerations affect the validation technique that you select:

  • If you are validating form data, the techniques you use can vary depending on whether you are using HTML, Flash, or XML forms; for example, different form types have different validation limitations.
  • Different validation techniques are appropriate for different form controls and data types.
  • Available techniques vary depending on when and where you want the data validated; on the client or the server, when the user enters data or submits a form, or when ColdFusion processes a variable or function argument.
  • Each technique has specific features and considerations, such as the form of user feedback, feature limitations, and so on.
  • Security issues or concerns that apply to your environment or application can affect the technique you select.
    The table in the preceding section described some of the considerations (see Validation techniques above). The following table describes additional considerations for selecting a validation technique. For additional considerations that are specific to form fields, see Validation type considerations.

Validation technique

Features

Considerations

Security issues

mask(mask attribute)

Directly controls user input.

Limited to cfinput tags. Provides limited control over user input patterns.

In HTML and XML format, can be circumvented because JavaScript runs directly in the browser.

onBlur(validateat="onBlur" attribute)

Provides immediate feedback if a user enters invalid data.

Limited to cfinput and cftextarea tags. In HTML or XML format, requires the browser to enable JavaScript.

In HTML and XML format, can be circumvented because JavaScript runs directly in the browser.

onSubmit(validateat="onSubmit" attribute)

All entered data is available to the user; only the invalid data needs reentering.

Limited to cfinput and cftextarea tags. In Flash format, is identical to onBlur. In HTML or XML format, validates after all fields have been entered, and requires the browser to enable JavaScript.

In HTML and XML format, can be circumvented because JavaScript runs directly in the browser.

onServer(validateat="onServer" attribute)

Does not require browser support.

Limited to cfinput and cftextarea tags.

Can be circumvented because validation rules are submitted with the form.

Hidden form field

Does not require browser support. Can be used with HTML or CFML form elements.

Limited to forms.

Can be circumvented because validation rules are submitted with the form.

JavaScript(onValidate = "function" attribute)

Allows all on-client processing supported by the browser. Can be used with HTML or CFML form elements.

Limited to specific ColdFusion form tags. Calls a single JavaScript function. JavaScript levels of support can vary among browsers, and users can disable JavaScript in their browsers.

Can be circumvented because JavaScript runs directly in the browser.

IsValid function

Can be used for any variable, not just form fields. Returns a Yes or No result that you use to determine further processing.

When used with a form field, runs after the data is submitted. Must be used each time a variable needs to be validated. Provides some data type checks not available in forms validation techniques.

None

cfparam tag

Can be used for any variable, not just form fields. The tag can set a default value in addition to validating data.

When used with a form field, the tag runs after the data is submitted. You respond to validation failures using error-handling code.

None

cfargument tag

Used for arguments to functions written using the cffunction tag.

Runs when the function is called on the server. You respond to validation failures using error-handling code.

None

Security considerations

Although form-specific validation techniques provide good methods for preventing users from submitting invalid or badly formatted data, they cannot prevent users from submitting maliciously formatted data from HTML forms. Malicious users can circumvent validation techniques that require validation on the browser using JavaScript or submission of validation rules in hidden fields. If you must use a technique for preventing malicious data submissions, consider using the following techniques:

  • The onSubmit or OnBlur validation in Flash forms, which use Flash built-in validation.
  • The IsValid function and the cfparam, and cfargument tags, which let you test variables and arguments in your CFML code.
  • The cfqueryparam tag in cfquery tags, which can help protect databases from malicious query input (see Enhancing security with cfqueryparam.
  • The script protection option, which helps prevent cross-site scripting attacks. You can set this option on the ColdFusion Administrator Server Settings > Settings page or by using the Application.cfc This.scriptProtect variable or the cfapplication tag scriptprotect attribute. For more information on cross-site scripting attacks and this option, see the cfapplication tag page in the CFML Reference.

Data validation types

The following table lists the types of data you can validate when you use most ColdFusion validation techniques. It does not include mask validation. Some validation types are not available for all techniques; in these cases the table indicates the limitations. The onBlur and onSubmit validation algorithms for Flash forms can vary from the validation algorithms described in the following table, and most commonly have less functionality. The asterisk (star) in the Type field column indicates that the field is required. For more detailed descriptions of the onServer validation algorithms, see the table in Validating form data using hidden fields.

Type field

Description

date

When validating on the server, allows any date/time format that returns true in the IsDate function, including a time value. When validating on the client, same as USdate.

USdate *

A U.S. date of the format mm/dd/yy, with 1- or 2-digit days and months, and 1-through 4-digit years. The separators can be slash (\/), hyphen (-), or period (\.) characters

eurodate *

A date of the format dd/mm/yy, with 1- or 2-digit days and months, and 1- through 4-digit years. The separators can be slash (\/), hyphen (-), or period (\.) characters.

time *

When validating on the server, allows any date/time format that returns True in the IsDate function, including a date value. When validating on the client, allows a time of format hh:mm[:ss] [A/PM].

float *

A number; allows integers. When validating form fields on the server, integer values are converted to real numbers.

numeric

A number; allows integers. When validating form fields on the server, integer values are unchanged.

integer *

An integer.

range *

A numeric range specified by a range attribute or max and min attributes.

boolean

A value that can be converted to a Boolean value: Yes, No, True, or False (all case-independent), or a number.

telephone *

Standard U.S. telephone formats. Allows an initial 1 long-distance designator and up to 5-digit extensions, optionally starting with x.

zipcode *

U.S. 5- or 9-digit ZIP code format #####-####. The separator can be a hyphen (-) or a space.

creditcard *

Strips blanks and dashes; verifies number using mod10 algorithm. The number must have 13-16 digits.

ssn * or social_security_number *

US. Social Security number format, #########. The separator can be a dash (-) or a space.

email *

A valid e-mail address of the form name@server.domain. ColdFusion validates the format only; it does not check that entry is a valid active e-mail address.

URL *

A valid URL pattern; supports http, https, ftp file, mailto, and news URLs.

guid *

A unique identifier that follows the Microsoft/DCE format, xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx, where x is a hexadecimal number.

uuid *

A universally unique identifier (UUID) that follows the ColdFusion format, xxxxxxxx-xxxx-xxxx-xxxxxxxxxxxxxxxx, where x is a hexadecimal number.

regex * or regular_expression *

Matches the value against a regular expression specified in a pattern attribute. Valid in HTML and XML format only; ignored in Flash format.

 

For more details on how ColdFusion handles data when it does onServer and hidden field validation, see Validating form data using hidden fields.

The following validation types can only be used in cfinput tags:

Type

Description

maxlength

Limits the input to a maximum number of characters specified by a maxlength attribute.

noblanks

Does not allow fields that consist only of blanks. ColdFusion uses this validation only if the required attribute is True.

SubmitOnce

Used only with cfform submit and image types; prevents the user from submitting the same form multiple times before until the next page loads, Use this attribute, for example, to prevent a user from submitting an order form a second time before getting the confirmation for the initial order, and thereby making a duplicate order, Valid in HTML and XML format only; ignored in Flash format.

You can use the following validation types in cfparam and cfargument tags and the IsValid function only:

Type

Description

any

Any type of value

array

An array of values

binary

A binary value

query

A query object

string

A string value or single character

struct

A structure

variableName *

A string formatted according to ColdFusion variable naming conventions.

Get help faster and easier

New user?