CFPARAM - New Features in CFMX 7
ColdFusion MX 7 is packed with lots of little new features, that are, well killer! I am starting a series on my blog called Little Things that Kill that will expose some of these killer new features and subtle improvements. And yes, the name is inspired by Bush (the band).
I am going to start the series with the CFPARAM tag. If your like me you use a CFPARAM tag to validate, and initialize all of your form, and url variables. While using something like:
<cfparam name="url.id" default="0" type="numeric">
Can help prevent SQL injection attacks, in most cases your id is stored as an integer in your database, the numeric type allows for decimal numbers, which if passed may cause your database to throw an exception.
ColdFusion MX 7.0 introduces the following new types:
- creditcard - After stripping blanks and dashes, a number that conforms to the mod10 algorithm. Number must have 13-16 digits.
- email - Valid address characters are a-zA-Z0-9_- and the period and separator. There must be a single at sign (@) and the text after the @ character must include a period.
- eurodate - A date in the form d/m/y, d-m-y, or d.m.y. The m and d format can be 1 or 2 digits; y can be 2 or 4 digits. Converts the input to ODBC date format. Allows entry of a time part, but removes it from the ODBC value.
- float - same as numeric
- integer - An integer of the range -2,147,483,648 -- 2,147,483,647
- range - a
numericvalue between the values specified in the
- regex - value must match the regular expression passed into the
- regular_expression - same as
- ssn - A nine-digit Social Security number. Can be of the form xxx-xx-xxxx or xxx xx xxxx.
- social_security_number - same as
- time - A time. Can be in 12-hour or 24-hour clock format, and can include seconds in the form hh:mm:ss or a case-independent am or pm indicator. Converts the input to ODBC time format. Allows entry of a date part, but removes it from the ODBC value.
- url - A valid URL. Must start with http:\\, https:\\, ftp:\\, file:\\, mailto:, or news:. Can include, as appropriate, username and password designators and query strings. The main part of the address can only have the characters A-Za-z0-9 and -.
- usdate - A date in the form m/d/y, m-d-y , or m.d.y, The m and d format can be 1 or 2 digits; y can be 2 or 4 digits. Does not convert the string to an ODBC value and does not allow a time part.
- zipcode - A 5-digit or 9-digit U.S. ZIP code. In 9-digit codes, the final four digits must be preceded by a hyphen (-) or space.
Some of the type descriptions above are from Macromedia Live Docs
So with these new type attributes we can simply use the following to validate that our id is an integer:
<cfparam name="url.id" default="0" type="integer">
If we want to validate an email address format we can use:
<cfparam name="url.email" type="email">
Side Note: For more complete email verification you might want to check out Email Verifier from cfdev.
But for me the coolest type is the
regex type. So if I want to validate that a string is all lowercase letters (a-z), and contains at least one letter:
<cfparam name="url.string" type="regex" pattern="[a-z]+">
Another cool type is the
range type, with it you can pass in a min and max value
<cfparam name="url.age" type="range" min="21" max="100">
There is one limitation of the range feature, and that is it operates on numerical values. Lets suppose you don't want people passing in that they are 24.5 years old, which in most cases you probably would not, you can do something like this:
<cfparam name="url.age" type="integer"> <cfparam name="url.age" type="range" min="21" max="100">
I first check and see that the age is an integer, then if it is I check the range. While this works, it would have been nice if
max worked with the
integer type as well. I didn't notice this during the beta, perhaps someone else did, and there is a valid reason for this limitation?
- CFFUNCTION and CFARGUMENT don't support new types in ColdFusion 7 - April 13, 2005
- 6 Tags for ColdFusion beginners - April 5, 2005
- Hash - March 15, 2005
- Strong Encryption Technote shows undocumented features - February 22, 2005
- CFTIMER - Little things in ColdFusion 7 - February 11, 2005
- Why is my cron.daily script not running?
- Announcing FuseGuard Version 3
- CFSummit 2017
- Java Unlimited Strength Crypto Policy for Java 9 or 1.8.0_151
- Java 9 Security Enhancements
- Upcoming CFML Conferences in April 2017
- CFSummit 2016 Slides
- Securing Legacy CFML - dev.Objective() 2016 Slides