is there a way to bypass the form Validation

New Here, Apr 09, 2009

I'm getting really upset with the ColdFusion built-in form validation for any HTML form field ending in _date, _required, _time and so on...

My application lets the users create some properties for an object and later on modify the values of all these properties.

I've got a piece of code dynamically building some form fields named just like the properties (by a simple cfloop on a DB query getting the property list).

And a registering page to record the new value in the DB.

But it crashes with the classic "Form entries are incomplete or invalid."

I can't control what the users set as property name (one of them was Checklist_required).

Is there any way to prevent this error by disabling this auto validation?

(I'd like to avoid having to rename any dynamically created field and rename any form variables before registering them in the DB: it's just NO WAY for me to rename the properties created by the users)

Guest, Apr 09, 2009

Looks like there is no way currently to switch this off. I found this blog entry that discusses this old feature of CF coming back to haunt us.

I would suggest filtering user input and replacing the _ with a - or some other symbol to avoid triggering it?

Participant, Apr 09, 2009

Hi,

The form validation is a feature of the <cfinput> tags.

You could use regular HTML <input> tags to avoid the form validation feature for these fields.

cheers,

  fober

New Here, Apr 14, 2009

No.

Regular HTML input tags are subject to the same checking. (It would have been too easy otherwise).

I can't even remove the Form variable in the Application.cfm because I do need the value entered by the user...

Does anyone have an idea whether Macromedia plans to allow this feature to be disabled in any way?

New Here, Apr 14, 2009

Hi David d'Alsace, I guess you emailed the wrong person. This forum is not posted by me. Are you good at CFML? (ColdFusion programming)

Participant, Apr 14, 2009

Hi,

The fields are only verified if you are using cfform.

Can you replace that with an HTML form tag?

cheers,

  fober

P.S. You could also append something to the name attribute:

<input type='text' name='#somevariable#_cust'>

Guest, May 08, 2009

Fober1, that's not how it works. It's pretty much the ultimate example of the disjoint between how HTML forms work and how the naive CFML cfform / cfinput design wished they worked.

When a request is being processed by the ColdFusion server, it just looks at the list of FORM (POST) variable names (whether it came from cfform or not; URL/GET params are exempt), and for those with certain suffixes (_date, _required, etc.), it assumes their existence is intended to request validation of another field without that suffix. It doesn't actually know or care whether the form submission, or the HTML rendered in the user's browser, actually came from "cfform" or "cfinput". The composition of the request that comes in (when a user clicks on "submit", or a hacker uses any tool imaginable) is out of the server's hands. The cfform code is not used during form submission processing, because the receiving template (the form action="this_one.cfm") doesn't even have to be the same template that has the cfform in it. There could be multiple conflicting cfforms directing users to request the same template on a single site, with or without the validation, even without considering what a whole other person might decide to send to your server.

The fact that it can work as intended for a typical user is irrelevant, because the purpose of validation is to deal with the atypical situation. A malicious or merely mischievous user that wanted to circumvent the validation would simply modify a copy of the page to leave out the "validation request" fields. For the developer to truly validate the input, additional code must be written, making the feature not only inadequate, but a complete waste of time. There absolutely should be a way to disable it at worst; ideally, it would be taken out of ColdFusion completely. It's not only useless, it's a security risk, wooing programmers to write code that doesn't do what they think it does.

The error message it gives isn't so great, either, and it's a pity that it can't show more than one validation message at a time, either.  If more than one input is invalid, you could end up going through one round after another of submit + back button.

edit: I forgot to add the other important reason that this feature should never have existed: It is a nuisance to everyone else who doesn't want to use it at all, too! Those suffixes simply couldn't have been a worse choice, colliding with probably thousands of people's variable names. Why not "*_cfval_date" "*_cfval_time" etc?
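
Added example, not part of any poster's message and not ColdFusion's own code: a simplified Python model of the request handling described in the post above. It shows validation that the request itself asks for misfiring on a user-chosen name such as Checklist_required and disappearing when the suffix field is left out, next to rules held on the server. The function names, the date/time formats and the sample requests are assumptions constructed for illustration.

```python
from datetime import datetime

def _parses(value, fmt):
    try:
        datetime.strptime(value, fmt)
        return True
    except ValueError:
        return False

# Suffixes named in the thread; the accepted formats are assumptions of this model.
CHECKS = {
    "_required": lambda v: v != "",
    "_date": lambda v: v == "" or _parses(v, "%Y-%m-%d"),
    "_time": lambda v: v == "" or _parses(v, "%H:%M"),
}

def split_directive(name):
    """Return (target, suffix) if a field name reads as a validation request."""
    for suffix in CHECKS:
        if name.endswith(suffix) and len(name) > len(suffix):
            return name[: -len(suffix)], suffix
    return None

def client_requested_validation(post):
    """Model of the legacy behaviour: the rules come from the POST field names."""
    errors = []
    for name in post:
        hit = split_directive(name)
        if hit and not CHECKS[hit[1]](post.get(hit[0], "")):
            errors.append(f"{hit[0]} failed {hit[1]}")
    return errors

def server_owned_validation(post, rules):
    """Rules live on the server, so the request cannot remove them."""
    return [f"{field} failed {suffix}"
            for field, suffix in rules
            if not CHECKS[suffix](post.get(field, ""))]

# Constructed sample requests (not taken from the thread).
INTENDED = {"start": "tomorrow", "start_date": "Enter a valid date"}
STRIPPED = {"start": "tomorrow"}            # the suffix field was left out
COLLISION = {"Checklist_required": "yes"}   # user-chosen property name
RULES = [("start", "_required"), ("start", "_date")]

if __name__ == "__main__":
    for label, post in [("intended", INTENDED), ("stripped", STRIPPED),
                        ("collision", COLLISION)]:
        print(label, client_requested_validation(post),
              server_owned_validation(post, RULES))
```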

Valorous Hero, May 08, 2009

I'm going to have to defend CF a bit here. It can be a useful feature, especially considering how old it is. This functionality is from the early days of CF, I think it dates back to CF 4 or 3 or maybe earlier. Back then the Internet was young and some of this was still being worked out. I don't believe it is a security risk as all a person can do by mangling their forms or submitting false forms is to spit back error messages at themselves.

The concept that it is client side validation and should never be trusted is a true statement of ALL client side validation. Client side validation is for the client to make user experiences nicer. It is never to protect the server. One MUST ALWAYS do server side validation whether client side was done or not.

I can agree that "_date" was not the best thought out trigger. It could have been something a little less common so as not to be so easily stumbled upon unintentionally. But unfortunately it was chosen and now we have to live with it. I'm not sure removing it from ColdFusion is going to happen anytime soon as long as some use exists of the functionality and some choose to use it.

Guest, May 08, 2009

I appreciate your speaking up so even-tempered-ly. I didn't mean to breathe too much fire on ColdFusion - I use it and I like it, I just don't like this one feature. (I could come up with a few others if I put my mind to it, but who here couldn't? It's a big project.)

I do have to add that it's not really client validation either, though. The validation is performed on the server, but only at the request of the client. It's like you have to turn both keys NOT to launch the nuke. It's a truly bizarre hybrid and uniquely unfit for use. It's a design that can lead people to make the most obvious (yet incorrect) inference, that this is some kind of server side validation, and that it is "safe" to trust it. I was just reviewing the docs and they don't make it too obvious, either.

Valorous Hero, May 08, 2009

Some of your criticisms are quite valid.  It is a strange hybrid.  "_date" is a horrible choice for a trigger, even I still get caught by it and can spend quite a bit of time trying to track down strange behavior before I remember this gotcha.  It is not clearly documented on what it is and what it does and that it is not safe to rely on.

But many of those are factors of it just being so damn old and from an early version of CF. I presume many of these criticisms are reasons that better versions of form validation now exist that improve on many of these problems. But to maintain compatibility with those who use this functionality... it can't really just disappear. It has some advantages in that it does not rely on JavaScript so it can work in environments where this is not allowed. More common in days past, but still crops up now and then.

I just wish there was some way to output, log or somehow indicate to a developer what is happening so that when it does jump in from an unintentional field name it more clearly jumps out "OH YEAH, THAT SILLY _dataType VALIDATION FEATURE".

Guest, May 12, 2009

"it can't really just disappear."

The win-win situation would be to add code allowing the faux-validation to be switched off entirely, from a checkbox in the ColdFusion Administrator, or at least to allow the text suffixes to be changed.

That being said, I think it really could just disappear, because it would only slightly alter the way in which a program is already broken. It's a feature that readily fails to perform its only stated purpose.

Valorous Hero, Jul 13, 2009

Apparently ColdFusion 9 will have a setting to disable this behavior

http://www.coldfusionjedi.com/index.cfm/2009/7/12/My-first-ColdFusion-9-scoop--disable-server-side-validation

Guest, Jul 13, 2009

If this were a bug fix going back into 7 or 8, I'd be clapping for joy, but as a forward looking fix in 9, it's just silly not to stop all this nonsense entirely. I like neat fixes, nipping problems in the bud, but now there's basically a new required line of code for all future application.cfc's. Now instead of "I forgot the list of highly desirable yet reserved suffixes list that would not be a consideration in any other programming language," it's become 'I forgot to put a special "Don't be stupid" rule in the application.cfc'. That will be fun to explain to junior developers as it has always been, but now it's a slightly longer story.

Well, I still owe Adobe a carefully guarded and qualified "Thank you" . . . It's marginally better than it was. So thanks, Adobe.

This feature is an easy target, and yes, I am kicking it when it's down. It's just a bunch of computer code, it doesn't have feelings, so I am OK with that.
