Users entering trailing slash on date search - hitting urlScan.

John Hodge kindly provided the solution!  I needed to validate that the user was sending me an actual date before proceeding to load the url:

<CFOUTPUT>
<input type="hidden" name="hosp" value="#hosp#">
<cfif IsDefined("special_day")>
<cfif IsDate(FORM.special_day)>
  <META HTTP-EQUIV=REFRESH CONTENT="0;URL=..\thisweek.cfm?SPECIAL_DAY=#SPECIAL_DAY#&hosp=#hosp#&#Dateformat(SPECIAL_DAY, "mm/dd/yyyy")#">
  One moment please....
<cfelse>
Please provide a valid date, ie mm/dd/yyyy.
</cfif>
</cfif>
</CFOUTPUT>

Thanks, John!

After having reviewed some examples of try/catch blocks I'm not having much success.  I agree, this type of thing should have been caught on the form by my validation - I tried typing some other things there and everything else is rejected intially by the validation on the cfinput tag. Including just one slash - / = rejected.  But /date/ is not rejected and is sent to the server where it hits the URLScan.  I'm not very familiar with try/catch blocks.  Here's what I tried to do and it doesn't recognize a good form date from a bad one.  The page just stops.

<cftry>

<cfcatch type="Any">
  <cfif IsDefined("special_day")>
   Please provide valid date format.
  <cfelse>
 
<CFOUTPUT>
<input type="hidden" name="hosp" value="#hosp#">
<META HTTP-EQUIV=REFRESH CONTENT="0;URL=..\thisweek.cfm?SPECIAL_DAY=#SPECIAL_DAY#&hosp=#hosp#&#Dateformat(SPECIAL_DAY, "mm/dd/yyyy")#">
</CFOUTPUT>
  <!--- <cfelse>
Please provide a valid date mm/dd/yyyy
</cfif>  --->
One moment please....
</cfif>
</cfcatch>
</cftry>

Client-side validation ought to detect and reject that trailing-slash.  Ditto server-side validation.  Either of these mechanisms should allow you to handle an ill-formed date of any sort.

Beyond this...  put any typecasting code on the server side into a <cftry> block.  If the value is ill-formed, an exception will be thrown which you can now <cfcatch>.  (As you prepare your error-message, use HTMLEditFormat() on the incorrect string-value if you decide to use it in your message, so that you don't create any opportunities for a cross-side scripting attack.)

I typically do any final server-side date validation in a CFC-routine which is designed to be used in a <cftry> block.  If this routine detects an error, it uses the <cfthrow> tag to generate an exception that, it knows, the form-routine will catch.  The CFC routine is constructed in such a way that, "'garbage in,' but ... if anything actually comes out, you know that it's not garbage."  Any "garbage in" will not return at all:  it will throw an exception.  In fact, I use this <cftry> mechanism, sometimes nested occurrences of it, to handle all of my "this is the last clear chance to stop garbage" validation.

Unfortunately the customer is insisting that users have the option of entering (incorrect) values.  Seriously, the customer thinks that the users should have the option of typing in the date or selecting it from the date picker.  I would think that by adding a cfif is defined to the page it's supposed to hit would help...but I'm working on that now and the problem is that the page appears to be passed by...as if that trailing slash is the last thing it sees...pays little attention to the next page - where there's a simple meta tag doing a refresh with the form date...

I tried adding this to the next page:

<cfset errMsg="">
<cfif Not IsDefined("special_day")>
<cfset errMsg="Improper date format.">
<CFABORT>
<cfelse><!--- proceed... --->

meta tag here

</cfif>

and it's hitting the urlScan...

Using a date picker.  Also using validation in the input.  Here's my code:

<cfform NAME="SPECIAL" method="POST" action="navigation\nav_week_chg2.cfm?#Dateformat(SPECIAL_DAY, "mm/dd/yyyy")#" onsubmit="doUpdate=0">
    <cfoutput>
        <input type="hidden" name="OldTargetDate" value="#TargetDate#" validate="date" message="Please provide a valid date format mm/dd/yyyy.">
  <input type="hidden" name="hosp" value="#hosp#">
    </cfoutput>
   Use calendar icon to select date.<br /><!--- DoCheckLength(this); --->
   <cfinput type="text" maxlength="10" size="10" name="SPECIAL_DAY" required="yes" validate="date" message="Please provide a valid date format mm/dd/yyyy.">
   <a href="javascript:show_calendar('SPECIAL.SPECIAL_DAY');">
   <img src="graphics/show-calendar.gif" width="24" height="22" border="0"></a>

Users are writing /09/ and hitting submit.  Validator isn't catching this I believe because of the last slash.  If I type /09 the validator works, if I add the last slash, it doesn't work.

Dan is right/will work. but you should be doing more from a UI standpoint, make it impossible for a user to input an incorrect date or a date in a different format [year-month-day / year/day/month etc.... ]

use a date picker, drop downs etc.

<cfinput validate="date">  will prevent that string from being submitted.

On the server, isDate("09/09/09/") will return false.