
Users entering trailing slash on date search - hitting urlScan.

New Here, Aug 12, 2009

I have a date search field in my cfform that is a cfinput field with validation and a javascript calendar so users can either type the date or use the calendar to insert the date properly.  However, many still type in the date and when they type /09/ .  This hits the url scan when I enter /09/ in dev, if I type /09 I hit the validator message.  How can I strip out that trailing slash IF the user hasn't typed in the rest of the date.  It's not likely they'll type 09/09/09/ - but if they did it's an invalid date so needs to be handled.  Thanks for suggestions.

LEGEND, Aug 12, 2009

<cfinput validate="date">  will prevent that string from being submitted.

On the server, isDate("09/09/09/") will return false.

Guest, Aug 12, 2009

Dan is right/will work. But you should be doing more from a UI standpoint: make it impossible for a user to input an incorrect date or a date in a different format [year-month-day / year/day/month etc.].

Use a date picker, drop-downs, etc.

New Here, Aug 12, 2009

Using a date picker.  Also using validation in the input.  Here's my code:

<cfform NAME="SPECIAL" method="POST" action="navigation\nav_week_chg2.cfm?#Dateformat(SPECIAL_DAY, "mm/dd/yyyy")#" onsubmit="doUpdate=0">
    <cfoutput>
        <input type="hidden" name="OldTargetDate" value="#TargetDate#" validate="date" message="Please provide a valid date format mm/dd/yyyy.">
        <input type="hidden" name="hosp" value="#hosp#">
    </cfoutput>
    Use calendar icon to select date.<br /><!--- DoCheckLength(this); --->
    <cfinput type="text" maxlength="10" size="10" name="SPECIAL_DAY" required="yes" validate="date" message="Please provide a valid date format mm/dd/yyyy.">
    <a href="javascript:show_calendar('SPECIAL.SPECIAL_DAY');">
    <img src="graphics/show-calendar.gif" width="24" height="22" border="0"></a>

Users are writing /09/ and hitting submit.  Validator isn't catching this I believe because of the last slash.  If I type /09 the validator works, if I add the last slash, it doesn't work.

Guest, Aug 12, 2009

OK - no prob. So if using a date picker, then don't give them a form field to write in... use a hidden field + JavaScript copy for the date.

New Here, Aug 12, 2009

Unfortunately the customer is insisting that users have the option of entering (incorrect) values.  Seriously, the customer thinks that the users should have the option of typing in the date or selecting it from the date picker.  I would think that by adding a cfif is defined to the page it's supposed to hit would help...but I'm working on that now and the problem is that the page appears to be passed by...as if that trailing slash is the last thing it sees...pays little attention to the next page - where there's a simple meta tag doing a refresh with the form date...

I tried adding this to the next page:

<cfset errMsg="">
<cfif Not IsDefined("special_day")>
<cfset errMsg="Improper date format.">
<CFABORT>
<cfelse><!--- proceed... --->

meta tag here

</cfif>

and it's hitting the urlScan...

Guest, Aug 12, 2009

You'll probably have to pull out the docs for this one, but:

If the users can't be trusted to input a date in the correct format, then try to create a date object from their input [createODBCdate(form.date)] and throw it in a cftry block; if it fails, send them back with an error message.

You could try stripping off the trailing "/", but what happens when someone comes along and enters 2009-08-11$ or transposes the month and day?

You could use drop-downs for month, day, year... if the client is OK.

Engaged, Aug 12, 2009

Client-side validation ought to detect and reject that trailing-slash.  Ditto server-side validation.  Either of these mechanisms should allow you to handle an ill-formed date of any sort.

Beyond this... put any typecasting code on the server side into a <cftry> block. If the value is ill-formed, an exception will be thrown which you can now <cfcatch>. (As you prepare your error message, use HTMLEditFormat() on the incorrect string value if you decide to use it in your message, so that you don't create any opportunities for a cross-site scripting attack.)

I typically do any final server-side date validation in a CFC-routine which is designed to be used in a <cftry> block.  If this routine detects an error, it uses the <cfthrow> tag to generate an exception that, it knows, the form-routine will catch.  The CFC routine is constructed in such a way that, "'garbage in,' but ... if anything actually comes out, you know that it's not garbage."  Any "garbage in" will not return at all:  it will throw an exception.  In fact, I use this <cftry> mechanism, sometimes nested occurrences of it, to handle all of my "this is the last clear chance to stop garbage" validation.

New Here, Aug 12, 2009

After having reviewed some examples of try/catch blocks I'm not having much success. I agree, this type of thing should have been caught on the form by my validation - I tried typing some other things there and everything else is rejected initially by the validation on the cfinput tag. Including just one slash - / = rejected. But /date/ is not rejected and is sent to the server where it hits the URLScan. I'm not very familiar with try/catch blocks. Here's what I tried to do and it doesn't recognize a good form date from a bad one. The page just stops.

<cftry>

<cfcatch type="Any">
  <cfif IsDefined("special_day")>
   Please provide valid date format.
  <cfelse>
 
<CFOUTPUT>
<input type="hidden" name="hosp" value="#hosp#">
<META HTTP-EQUIV=REFRESH CONTENT="0;URL=..\thisweek.cfm?SPECIAL_DAY=#SPECIAL_DAY#&hosp=#hosp#&#Dateformat(SPECIAL_DAY, "mm/dd/yyyy")#">
</CFOUTPUT>
  <!--- <cfelse>
Please provide a valid date mm/dd/yyyy
</cfif>  --->
One moment please....
</cfif>
</cfcatch>
</cftry>

New Here, Aug 12, 2009

John Hodge kindly provided the solution!  I needed to validate that the user was sending me an actual date before proceeding to load the url:

<CFOUTPUT>
<input type="hidden" name="hosp" value="#hosp#">
<cfif IsDefined("special_day")>
    <cfif IsDate(FORM.special_day)>
        <META HTTP-EQUIV=REFRESH CONTENT="0;URL=..\thisweek.cfm?SPECIAL_DAY=#SPECIAL_DAY#&hosp=#hosp#&#Dateformat(SPECIAL_DAY, "mm/dd/yyyy")#">
        One moment please....
    <cfelse>
        Please provide a valid date, ie mm/dd/yyyy.
    </cfif>
</cfif>
</CFOUTPUT>

Thanks, John!

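A stricter form of the server-side check in the final post, combined with the <cftry>/<cfthrow> validation routine and the HTMLEditFormat() advice given earlier in the thread. This is an added example, not code posted by anyone in the thread: parseUsDate and targetDay are hypothetical names and the relative redirect path is an assumption, while special_day, hosp and thisweek.cfm come from the posts. IsDate() accepts many formats besides mm/dd/yyyy, so the shape of the input is checked before a date is built from it.

```cfml
<!--- Added example. parseUsDate is a hypothetical helper: it returns a date
      object or throws InvalidDate, so nothing malformed gets past it. --->
<cffunction name="parseUsDate" returntype="date" output="false">
    <cfargument name="raw" type="string" required="true">
    <cfset var s = Trim(arguments.raw)>
    <cfset var parts = "">
    <!--- Shape check: rejects "/09/", "09/09/09/" and "2009-08-11$" --->
    <cfif NOT REFind("^[0-9]{1,2}/[0-9]{1,2}/[0-9]{4}$", s)>
        <cfthrow type="InvalidDate" message="Date must be mm/dd/yyyy.">
    </cfif>
    <cfset parts = ListToArray(s, "/")>
    <cftry>
        <!--- CreateDate throws for impossible dates such as 02/30/2009 --->
        <cfreturn CreateDate(parts[3], parts[1], parts[2])>
        <cfcatch type="any">
            <cfthrow type="InvalidDate" message="Date must be mm/dd/yyyy.">
        </cfcatch>
    </cftry>
</cffunction>

<cfparam name="form.special_day" default="">
<cfparam name="form.hosp" default="">
<cftry>
    <cfset targetDay = parseUsDate(form.special_day)>
    <!--- Redirect with the normalised date, never the raw input;
          URL-encode every value placed in the query string --->
    <cflocation addtoken="no"
        url="../thisweek.cfm?SPECIAL_DAY=#URLEncodedFormat(DateFormat(targetDay, 'mm/dd/yyyy'))#&hosp=#URLEncodedFormat(form.hosp)#">
    <cfcatch type="InvalidDate">
        <!--- Encode the rejected input before echoing it back --->
        <cfoutput>
            <p>"#HTMLEditFormat(form.special_day)#" is not a valid date. Please use mm/dd/yyyy.</p>
        </cfoutput>
    </cfcatch>
</cftry>
```

Because the catch is typed to InvalidDate, only validation failures produce the error message; any other exception still surfaces normally.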