The following considerations affect the validation technique that you select. The table in the preceding section describes some of them (see Validation techniques); the table below describes additional considerations for selecting a validation technique, including the security issue that applies to each. For considerations that are specific to form fields, see Validation type considerations.
| Validation technique | Features | Considerations | Security issues |
|---|---|---|---|
| mask (mask attribute) | Directly controls user input. | Limited to cfinput tags. Provides limited control over user input patterns. | In HTML and XML format, can be circumvented because JavaScript runs directly in the browser. |
| onBlur (validateat="onBlur" attribute) | Provides immediate feedback if a user enters invalid data. | Limited to cfinput and cftextarea tags. In HTML or XML format, requires the browser to enable JavaScript. | In HTML and XML format, can be circumvented because JavaScript runs directly in the browser. |
| onSubmit (validateat="onSubmit" attribute) | All entered data is available to the user; only the invalid data needs reentering. | Limited to cfinput and cftextarea tags. In Flash format, is identical to onBlur. In HTML or XML format, validates after all fields have been entered, and requires the browser to enable JavaScript. | In HTML and XML format, can be circumvented because JavaScript runs directly in the browser. |
| onServer (validateat="onServer" attribute) | Does not require browser support. | Limited to cfinput and cftextarea tags. | Can be circumvented because the validation rules are submitted with the form as hidden fields, which the client can alter or remove. |
| Hidden form field | Does not require browser support. Can be used with HTML or CFML form elements. | Limited to forms. | Can be circumvented because the validation rules are submitted with the form, so the client can alter or remove them. |
| JavaScript (onValidate attribute) | Allows all on-client processing supported by the browser. Can be used with HTML or CFML form elements. | Limited to specific ColdFusion form tags. Calls a single JavaScript function. JavaScript support varies among browsers, and users can disable JavaScript in their browsers. | Can be circumvented because JavaScript runs directly in the browser. |
| IsValid function | Can be used for any variable, not just form fields. Returns a Boolean (true or false) result that you use to determine further processing. | When used with a form field, runs on the server after the data is submitted. Must be called each time a variable needs to be validated. Provides some data type checks not available in the form validation techniques. | None: the check runs on the server against the submitted value itself, so the client cannot bypass it. |
| cfparam tag | Can be used for any variable, not just form fields. The tag can set a default value in addition to validating data. | When used with a form field, the tag runs on the server after the data is submitted. You respond to validation failures using error-handling code (for example, cftry and cfcatch). | None: the check runs on the server against the submitted value itself, so the client cannot bypass it. |
| cfargument tag | Used for arguments to functions written using the cffunction tag. | Runs on the server when the function is called. You respond to validation failures using error-handling code. | None: the check runs on the server when the function is called, so the client cannot bypass it. |
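The following example is added here to show the difference the Security issues column describes; it is not code from the ColdFusion documentation or from any Adobe sample. It assumes three constructed files (form.cfm, action.cfm, Orders.cfc) and the hypothetical field names quantity and email. The form uses the bypassable techniques (validateat="onServer", which emits its rules as hidden fields, and validateat="onBlur", which runs in the browser). The action page ignores those rules and re-validates the submitted values with cfparam and IsValid, and the component re-validates again with cfargument, so a client that strips the hidden fields, disables JavaScript, or posts directly with a tool still cannot get bad data past the server.

```cfml
<!--- form.cfm (constructed example). Both validateat settings below can be bypassed:
      onServer ships its rules to the client as hidden fields, which can be edited or
      dropped before the POST; onBlur runs as JavaScript in the browser, which the user
      controls. Neither is a security control; they exist only to give users feedback. --->
<cfform name="orderForm" action="action.cfm" method="post" format="html">
    <cfinput type="text" name="quantity" validate="integer" validateat="onServer"
             required="yes" message="Quantity must be an integer.">
    <cfinput type="text" name="email" validate="email" validateat="onBlur"
             required="yes" message="Enter a valid e-mail address.">
    <input type="submit" value="Order">
</cfform>

<!--- action.cfm (constructed example). Every check here reads only the submitted
      values, never a rule the client sent, so removing hidden fields or disabling
      JavaScript changes nothing. --->
<cfset errors = []>

<!--- cfparam with a type attribute: a missing or wrongly typed value raises an
      exception, which is handled here instead of reaching a query or a file write. --->
<cftry>
    <cfparam name="form.quantity" type="integer">
    <cfparam name="form.email" type="email">
    <cfcatch type="any">
        <cfset ArrayAppend(errors, "Submitted data is missing or has the wrong type.")>
    </cfcatch>
</cftry>

<!--- IsValid for a constraint cfparam did not express (the 1..100 range is an
      assumption for this example). Only evaluated once the type checks passed. --->
<cfif ArrayIsEmpty(errors)>
    <cfif NOT IsValid("range", form.quantity, 1, 100)>
        <cfset ArrayAppend(errors, "Quantity must be between 1 and 100.")>
    </cfif>
</cfif>

<!--- Report failures and stop. Messages are encoded before output so that the
      error page itself is not a reflection point for submitted data. --->
<cfif NOT ArrayIsEmpty(errors)>
    <cfoutput>
        <ul>
        <cfloop array="#errors#" index="msg"><li>#HTMLEditFormat(msg)#</li></cfloop>
        </ul>
    </cfoutput>
    <cfabort>
</cfif>

<!--- Validated input is handed to a component whose cfargument tags validate again,
      which protects the function from callers other than this page. --->
<cfset orders = CreateObject("component", "Orders")>
<cfset orders.placeOrder(quantity=form.quantity, email=form.email)>

<!--- Orders.cfc (constructed example). cfargument type checks run on the server at
      call time; a caller passing quantity="abc" gets an exception before the body runs. --->
<cfcomponent>
    <cffunction name="placeOrder" access="public" returntype="void">
        <cfargument name="quantity" type="numeric" required="true">
        <cfargument name="email" type="string" required="true">
        <cfif NOT IsValid("email", arguments.email)>
            <cfthrow type="Orders.InvalidEmail" message="Invalid e-mail address.">
        </cfif>
        <!--- Persist the order here; omitted in this example. --->
    </cffunction>
</cfcomponent>
```

The useful check when reviewing a form handler is to submit the request without the hidden rule fields and with JavaScript disabled (or from a scripting tool) and confirm that the action page still rejects bad values; if it does not, the only validation in place was one of the client-controlled techniques in the table. HTMLEditFormat is used above because it exists in all ColdFusion versions that have cfform; on ColdFusion 10 or later, EncodeForHTML is the preferred replacement.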
Although the form-specific validation techniques are good at preventing users from submitting invalid or badly formatted data by accident, they cannot prevent a user from deliberately submitting maliciously formatted data from an HTML form. Every technique that runs in the browser (JavaScript) or that sends its validation rules along with the form in hidden fields can be circumvented, because the client controls both the script that runs and the fields that are submitted. If you must prevent malicious data submissions, consider using the following techniques: