CFPARAM for Simple String Validation
With the addition of a dozen new type values for the cfparam tag in ColdFusion 7, it has become a handy tool for validation.
I have a little trick for those of you who are using earlier versions of ColdFusion that don't support the new types for validation. One of the type attribute values that has been supported for quite some time is the variablename type.
This is handy for validating that a simple one-word string has been passed. According to the docs, a variablename starts with a letter, underscore (_), or Unicode currency symbol, and contains only letters, numbers, underscores, periods, and Unicode currency symbols. Because a value that passes this check can contain none of the quotes, angle brackets, spaces or semicolons that cross site scripting and SQL injection payloads rely on, this type gives you protection from both classes of attack.
The code may look something like this:
<cfparam name="url.action" type="variablename" default="edit">
If you have ColdFusion 7 you can one up this and limit the values passed in with a simple regular expression:
<cfparam name="url.action" default="edit" type="regex" pattern="(new|edit|delete)">
The regex example only allows the strings new, edit, or delete to be passed in. That's a solid way to validate our input strings.
Wouldn't it be nice however if you could do something like this:
<cfparam name="url.action" type="finite" list="new,edit,delete">
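ColdFusion does not have a finite type, but the two checks the post describes (the variablename character rule, followed by a closed list of allowed values) are easy to express in any language. The following Python is an added example written for this post, not code from the original or from ColdFusion itself; it implements the variablename rule as the documentation quoted above describes it (treating "letter" as any Unicode letter and "currency symbol" as Unicode category Sc is an assumption about the real implementation) and then applies the same new/edit/delete allowlist as the regex example, mirroring cfparam's behaviour of supplying a default when the parameter is absent and raising when it is present but invalid.

```python
import unicodedata

# The finite list from the post: the only values url.action may take.
ALLOWED_ACTIONS = ("new", "edit", "delete")


def _is_currency(ch: str) -> bool:
    # Unicode general category "Sc" covers currency symbols ($, EUR, GBP, ...).
    # Assumption: this is what the ColdFusion docs mean by "Unicode currency symbol".
    return unicodedata.category(ch) == "Sc"


def is_variablename(value) -> bool:
    """Approximation of cfparam type="variablename" (assumption, built from the docs):
    first character is a letter, underscore or currency symbol; every following
    character is a letter, digit, underscore, period or currency symbol."""
    if not isinstance(value, str) or not value:
        return False
    first, rest = value[0], value[1:]
    if not (first.isalpha() or first == "_" or _is_currency(first)):
        return False
    return all(c.isalnum() or c in "_." or _is_currency(c) for c in rest)


def is_allowed_action(value: str, allowed=ALLOWED_ACTIONS) -> bool:
    """Closed-list check, the equivalent of type="regex" pattern="(new|edit|delete)"
    or the wished-for type="finite" list="new,edit,delete"."""
    return value in allowed


def validate_action(value, default="edit"):
    """Mirror cfparam semantics for url.action:
    missing -> the default; present but invalid -> an exception; otherwise the value."""
    if value is None:
        return default
    if not is_variablename(value):
        raise ValueError("url.action is not a valid variablename")
    if not is_allowed_action(value):
        raise ValueError("url.action must be one of " + ", ".join(ALLOWED_ACTIONS))
    return value


if __name__ == "__main__":
    # Constructed sample inputs: the first three should pass the character rule,
    # the rest should be rejected before they reach any query or page output.
    for sample in ("edit", "_tmp", "$total.amount", "1abc", "a b", "<script>", "' OR 1=1"):
        print(repr(sample), "variablename:", is_variablename(sample))
    print("missing url.action ->", validate_action(None))
```

Note that the character rule alone would still accept a value such as `drop`, which is why the allowlist is applied after it: the variablename check keeps dangerous characters out, and the finite list keeps the value within what the page actually handles.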
Tags: security, validation, cfparam, strings, xss, sql injection, regex
Comments
On 05/29/2007 at 3:56:20 PM EDT Michael Long wrote:
I find types to be of little use for validation, since the first error found throws an exception that gives you helpful information like the following:
Invalid parameter type.
The value cannot be converted to a numeric because it is not a simple value. Simple values are booleans, numbers, strings, and date-time values.
"The value"? Great. Now all I know is that one of my numeric form fields threw an error, but not which one... guess I can tell the user to double-check ALL of his entries.
On 06/21/2007 at 8:37:20 AM EDT Gareth wrote:
I find this type of validation more useful to prevent SQL injection attacks than to validate a user's input.
Validate the input client side with Javascript (if enabled), then validate they're not trying to do anything nasty with the data on the back end. Most of this type of error seems to be from someone trying to do something malicious to the data, rather than someone entering their e-mail address incorrectly.
The alternate is to cftry/cfcatch each item, but of course that's going to create much more time and overhead.