ColdFusion MX 7 is packed with lots of little new features, that are, well killer! I am starting a series on my blog called Little Things that Kill that will expose some of these killer new features and subtle improvements. And yes, the name is inspired by Bush (the band).
I am going to start the series with the CFPARAM tag. If your like me you use a CFPARAM tag to validate, and initialize all of your form, and url variables. While using something like:
<cfparam name="url.id" default="0" type="numeric">
Can help prevent SQL injection attacks, in most cases your id is stored as an integer in your database, the numeric type allows for decimal numbers, which if passed may cause your database to throw an exception.
ColdFusion MX 7.0 introduces the following new types:
- creditcard - After stripping blanks and dashes, a number that conforms to the mod10 algorithm. Number must have 13-16 digits.
- email - Valid address characters are a-zA-Z0-9_- and the period and separator. There must be a single at sign (@) and the text after the @ character must include a period.
- eurodate - A date in the form d/m/y, d-m-y, or d.m.y. The m and d format can be 1 or 2 digits; y can be 2 or 4 digits. Converts the input to ODBC date format. Allows entry of a time part, but removes it from the ODBC value.
- float - same as numeric
- integer - An integer of the range -2,147,483,648 -- 2,147,483,647
- range - a
numericvalue between the values specified in theminandmaxattribute. - regex - value must match the regular expression passed into the
patternattribute. - regular_expression - same as
regex - ssn - A nine-digit Social Security number. Can be of the form xxx-xx-xxxx or xxx xx xxxx.
- social_security_number - same as
ssn - time - A time. Can be in 12-hour or 24-hour clock format, and can include seconds in the form hh:mm:ss or a case-independent am or pm indicator. Converts the input to ODBC time format. Allows entry of a date part, but removes it from the ODBC value.
- url - A valid URL. Must start with http:\\, https:\\, ftp:\\, file:\\, mailto:, or news:. Can include, as appropriate, username and password designators and query strings. The main part of the address can only have the characters A-Za-z0-9 and -.
- usdate - A date in the form m/d/y, m-d-y , or m.d.y, The m and d format can be 1 or 2 digits; y can be 2 or 4 digits. Does not convert the string to an ODBC value and does not allow a time part.
- zipcode - A 5-digit or 9-digit U.S. ZIP code. In 9-digit codes, the final four digits must be preceded by a hyphen (-) or space.
Some of the type descriptions above are from Macromedia Live Docs
So with these new type attributes we can simply use the following to validate that our id is an integer:
<cfparam name="url.id" default="0" type="integer">
If we want to validate an email address format we can use:
<cfparam name="url.email" type="email">
Side Note: For more complete email verification you might want to check out Email Verifier from cfdev.
But for me the coolest type is the regex type. So if I want to validate that a string is all lowercase letters (a-z), and contains at least one letter:
<cfparam name="url.string" type="regex" pattern="[a-z]+">
Another cool type is the range type, with it you can pass in a min and max value
<cfparam name="url.age" type="range" min="21" max="100">
There is one limitation of the range feature, and that is it operates on numerical values. Lets suppose you don't want people passing in that they are 24.5 years old, which in most cases you probably would not, you can do something like this:
<cfparam name="url.age" type="integer"> <cfparam name="url.age" type="range" min="21" max="100">
I first check and see that the age is an integer, then if it is I check the range. While this works, it would have been nice if min and max worked with the integer type as well. I didn't notice this during the beta, perhaps someone else did, and there is a valid reason for this limitation?
Comments
Nice writeup, I wasn't aware of the new params. BTW: Your first RegExp example only requires one letter.
Thanks Anj, I just updated it to say one letter, thats what I had meant to write, but wrote two somehow?
Pete, Don't forget the new XML type as well.
Thanks Rob, the xml type was not listed in the History section in the docs, I Added a comment so they can fix it. I pulled my list of new types from the history section.
This is great but how do you trap input validation errors and create a friendly output message for the user that tells them specifically what problems were encountered?
Robert, One option (actually, the option that I am considering doing) would be to write a custom tag called <cf_param>. <cf_param> would have all of the same attributes as <cfparam>. Inside the cf_param tag, you would have a variation on the following theme: A try/catch block that would try the cfparam, catch any exceptions, and then display an elegant error message (if any are caught).
Neil, that sounds like a viable solution. I always wondered how other people did their validation. I still don't know that I like the idea of having validation errors basically generating runtime exceptions that have to be caught and handled. I have created an InputValidator component with methods such as (void) CheckRequiredField(), (void) CheckFieldFormat(), (void) CheckFieldType(), (void) CompareFields(), (void) CheckFieldRegEx(). I set a check on all the fields and then I run (bool) Validate() to see if all the fields are validated. After Validate() is run I can use (string) GetErrorMessage() and (struct) GetErrorFields() and can format my output based on this. I have found it to come in handy and save me coding time. I have a custom tagset for form inputs (cfform has been a dog mostly - don't know about CFMX7 though) that will accept the struct from GetErrorFields and will mark the input label's as red for those fields. It actually results in very little code and allows me to give the user a helpful message and helpful cues (by marking the offending inputs' labels). I'm actually suprised that ColdFusion does not offer more built-in functionality to handle all this as it seems to be a pretty standard task.
Guys, you might want to checkout the new IsValid function in CFMX 7 as well, see my post: http://www.petefreitag.com/item/224.cfm
Take a look at this system -- not for CFMX, but wondering if it would be worth porting it. Been studying CFMX for a new project, and been looking for something like AutoValidate. It provides secure server-side validation but allows rules for that validation to created in the form itself. saving massive amount of time. Have a look at the docs for a full explanation. http://www.autovalidate.com/