CFPARAM for Simple String Validation
With the addition of a dozen new type values for the cfparam tag in ColdFusion 7, it has become a handy tool for validation.
I have a little trick for those of you who are using earlier versions of ColdFusion that don't support the new types for validation. One of the type attribute values that has been supported for quite some time is variablename.
This is handy for validating that a simple one-word string has been passed. According to the docs, a variablename starts with a letter, underscore (_), or Unicode currency symbol, and contains only letters, numbers, underscores, periods, and Unicode currency symbols. This means that this type is safe from cross-site scripting attacks and SQL injection attacks.
The code may look something like this:
<cfparam name="url.action" type="variablename" default="edit">
If you have ColdFusion 7 you can one up this and limit the values passed in with a simple regular expression:
<cfparam name="url.action" default="edit" type="regex" pattern="(new|edit|delete)">
The regex example only allows the strings new, edit, or delete to be passed in. That's a solid way to validate our input strings.
Wouldn't it be nice, however, if you could do something like this:
<cfparam name="url.action" type="finite" list="new,edit,delete">
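The allow-list behaviour wished for above can be approximated on any ColdFusion version with a small user-defined function. This is an added example, not code from the original post or a built-in ColdFusion feature; `paramFinite`, its argument names, and the `InvalidParameter` exception type are hypothetical.

```cfml
<!--- Added example: hypothetical UDF that mimics the wished-for type="finite" --->
<cffunction name="paramFinite" returntype="void" output="false"
    hint="Allow-list check: scope[key] must equal one element of allowedList.">
    <cfargument name="scope" type="struct" required="true">
    <cfargument name="key" type="string" required="true">
    <cfargument name="allowedList" type="string" required="true">
    <cfargument name="defaultValue" type="string" required="false">

    <!--- Like cfparam: use the default when the parameter is missing,
          and fail when it is missing and no default was supplied --->
    <cfif NOT StructKeyExists(arguments.scope, arguments.key)>
        <cfif NOT StructKeyExists(arguments, "defaultValue")>
            <cfthrow type="InvalidParameter"
                message="Required parameter #arguments.key# is missing.">
        </cfif>
        <cfset arguments.scope[arguments.key] = arguments.defaultValue>
    </cfif>

    <!--- ListFindNoCase compares whole list elements, so an empty string,
          a partial match ("edi") or a value containing a comma ("new,edit")
          is rejected. The rejected value is not echoed in the message. --->
    <cfif NOT IsSimpleValue(arguments.scope[arguments.key])
          OR ListFindNoCase(arguments.allowedList, arguments.scope[arguments.key]) EQ 0>
        <cfthrow type="InvalidParameter"
            message="Parameter #arguments.key# has a value that is not allowed.">
    </cfif>
</cffunction>

<!--- Usage: url.action must be new, edit or delete; defaults to edit --->
<cfset paramFinite(url, "action", "new,edit,delete", "edit")>
```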