Selecting a validation technique

The following considerations affect the validation technique that you select:

If you are validating form data, the techniques you use can vary depending on whether you are using HTML, Flash, or XML forms; for example, different form types have different validation limitations.
Different validation techniques are appropriate for different form controls and data types.
Available techniques vary depending on when and where you want the data validated; on the client or the server, when the user enters data or submits a form, or when ColdFusion processes a variable or function argument.
Each technique has specific features and considerations, such as the form of user feedback, feature limitations, and so on.
Security issues or concerns that apply to your environment or application can affect the technique you select.

The preceding table in the Validation techniques section described some of the considerations. The following table describes additional considerations for selecting a validation technique. For additional considerations that are specific to form fields, see Validation type considerations.

Validation technique	Features	Considerations	Security issues
mask (`mask` attribute)	Directly controls user input.	Limited to `cfinput` tags. Provides limited control over user input patterns.	In HTML and XML format, can be circumvented because JavaScript runs directly in the browser.
onBlur (`validateat=` `"onBlur"` attribute)	Provides immediate feedback if a user enters invalid data.	Limited to `cfinput` and `cftextarea` tags. In HTML or XML format, requires the browser to enable JavaScript.	In HTML and XML format, can be circumvented because JavaScript runs directly in the browser.
onSubmit (`validateat=` `"onSubmit"` attribute)	All entered data is available to the user; only the invalid data needs reentering.	Limited to `cfinput` and `cftextarea` tags. In Flash format, is identical to onBlur. In HTML or XML format, validates after all fields have been entered, and requires the browser to enable JavaScript.	In HTML and XML format, can be circumvented because JavaScript runs directly in the browser.
onServer (`validateat=` `"onServer"` attribute)	Does not require browser support.	Limited to `cfinput` and `cftextarea` tags.	Can be circumvented because validation rules are submitted with the form.
Hidden form field	Does not require browser support. Can be used with HTML or CFML form elements.	Limited to forms.	Can be circumvented because validation rules are submitted with the form.
JavaScript (`onValidate = "`function`"` attribute)	Allows all on-client processing supported by the browser. Can be used with HTML or CFML form elements.	Limited to specific ColdFusion form tags. Calls a single JavaScript function. JavaScript levels of support can vary among browsers, and users can disable JavaScript in their browsers.	Can be circumvented because JavaScript runs directly in the browser.
`IsValid` function	Can be used for any variable, not just form fields. Returns a Yes or No result that you use to determine further processing.	When used with a form field, runs after the data is submitted. Must be used each time a variable needs to be validated. Provides some data type checks not available in forms validation techniques.	None
`cfparam` tag	Can be used for any variable, not just form fields. The tag can set a default value in addition to validating data.	When used with a form field, the tag runs after the data is submitted. You respond to validation failures using error-handling code.	None
`cfargument` tag	Used for arguments to functions written using the `cffunction` tag.	Runs when the function is called on the server. You respond to validation failures using error-handling code.	None

Security considerations

Although form-specific validation techniques provide good methods for preventing users from submitting invalid or badly formatted data, they cannot prevent users from submitting maliciously formatted data from HTML forms. Malicious users can circumvent validation techniques that require validation on the browser using JavaScript or submission of validation rules in hidden fields. If you must use a technique for preventing malicious data submissions, consider using the following techniques:

The onSubmit or OnBlur validation in Flash forms, which use Flash built-in validation.
The IsValid function and the cfparam, and cfargument tags, which let you test variables and arguments in your CFML code.
The cfqueryparam tag in cfquery tags, described in Enhancing security with cfqueryparam, which can help protect databases from malicious query input.
The script protection option, which helps prevent cross-site scripting attacks. You can set this option on the ColdFusion MX Administrator Server Settings > Settings page or by using the Application.cfc This.scriptProtect variable or the cfapplication tag scriptprotect attribute. For more information on cross-site scripting attacks and this option, see the cfapplication tag page in the CFML Reference.

View comments in LiveDocs