Known Participant
July 12, 2011
Question

IsValid and field length


Hello,

I have to make some form validation, and wanted to know if isvalid is enough to prevent buffer overflow errors, or should I check length of form field server side.

Thanks!


2 replies

Participating Frequently
July 12, 2011

You can also use the IsNumeric() function to make sure that your form data that is numbers is a correct number.

This actually can go a long way to preventing the dreaded SQL Injection attack on your web application. You can also use the IsValid() function to validate that a number is an integer, and also use IsValid with the range option to restrict your numeric types to a specified range, which helps prevent a buffer overflow attack on your web application.

Use the IsDefined() function as well to verify that the form element actually exists after the Submit. IsDefined works a little differently than IsNumeric, here are the valid ways to use these functions, note that with IsDefined the variable name must be enclosed in Quotes.

IsNumeric(FORM.Name) - correct

IsDefined("FORM.Name") - correct

IsNumeric("FORM.Name") - not correct

IsDefined(FORM.Name) - not correct

As a general rule, web forms should be validated on the client side first with JavaScript, and also on the server side with your scripting language when the form is submitted, with server side languages like ColdFusion, ASP.NET, or PHP. Having both client and server validation goes a long way to protect your website from malicious activities.

Michael G. Workman

michael.g.workman@gmail.com

SilvestroAuthor
Known Participant
July 13, 2011

Thanks guys!

So to have a supposedly valid form field, I should validate:

1. isdefined
2. length is acceptable
3. isvalid

If one of them raises an error, I can redirect to the submit page highlighting the errors (which could conflict with the JavaScript validation)...

And this for each form field...

Is there any way to make it lighter? Such as a single function?

Thanks...

Inspiring
July 13, 2011

If you are really ambitious, you can check out this approach: http://www.validatethis.org/

Inspiring
July 12, 2011

The isValid function does run on the server but does not check the length of anything.

To ensure submitted values are not too big, your first step is to restrict it on the form field itself. HTML input fields have a maxlength attribute you can use. Then, if you want to double check on the server, you can use the ColdFusion len function.
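To show the three checks from this thread (isDefined, len, isValid) collapsed into the "single function" Silvestro asked for, here is an added example written for this page, not code from any of the posters; the function name validateForm, the rules struct layout and the sample submission are my own constructions.

```cfml
<cfscript>
// Added example: one reusable validator driven by a rules struct.
// Each rule carries the checks discussed in the thread: existence
// (isDefined/structKeyExists), length (len, because maxlength on the
// HTML input is only a client-side hint) and format/range (isValid).
function validateForm(required struct formScope, required struct rules) {
    var errors = {};
    for (var field in arguments.rules) {
        var rule = arguments.rules[field];
        // 1. Existence: same effect as isDefined("form.#field#")
        if (!structKeyExists(arguments.formScope, field)) {
            errors[field] = "missing";
            continue;
        }
        var value = trim(arguments.formScope[field]);
        // 2. Length: isValid never checks this, so len() must
        if (len(value) > rule.maxLength) {
            errors[field] = "too long (max #rule.maxLength# characters)";
            continue;
        }
        if (rule.required && len(value) == 0) {
            errors[field] = "required";
            continue;
        }
        // 3. Format or numeric range, only once length is sane
        if (len(value) > 0) {
            var ok = (rule.type == "range")
                ? isValid("range", value, rule.min, rule.max)
                : isValid(rule.type, value);
            if (!ok) {
                errors[field] = "not a valid #rule.type#";
            }
        }
    }
    return errors;  // empty struct means every field passed
}

// Constructed rules and a constructed submission, standing in for FORM
rules = {
    "name":  { type: "string", maxLength: 50,  required: true },
    "email": { type: "email",  maxLength: 254, required: true },
    "age":   { type: "range",  maxLength: 3,   required: false, min: 0, max: 120 }
};
sample = { name: "Silvestro", email: "not-an-email", age: "130" };
errors = validateForm(sample, rules);
if (!structIsEmpty(errors)) {
    writeDump(errors);  // redirect to the form with these messages instead
}
</cfscript>
```

In a real handler pass the FORM scope as the first argument; because the length check runs before isValid, an oversized value is rejected without ever reaching the format test.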