> Thanks for the replies. Just so I understand:

My philosophy is that it simply should not be possible for anyone (user, bot, whatever) to generate a ColdFusion error (which by extension means database errors, since they are expressed through the CF error handler). This means very strong server-side validation and gracefully handing error conditions back to the user. In some cases, instead of returning an error we just assume reasonable defaults and force the submitted value to be either a valid selection or the default we select.
For example, for an e-mail address field we would param the form field, trim it, ensure a value is present, test that value against the isValid() function with the "email" type to ensure a proper format, then check the length against the database varchar field length. If it's too long we can return an error to the user and ask for a different address (and optionally notify someone that perhaps we should increase the field size).

For something like a checkbox with a form value of 1, we might do:

<cfset form.field = min(abs(val(trim(form.field))), 1) />

This forces the value to be either 0 or 1 no matter what was submitted by the user/bot/whatever. We follow that up with a CFQUERYPARAM on the database call with a type of bit, and it will always pass through gracefully (assuming there were no other error conditions).

Yes, that's a lot of work to do, but it's not that hard to develop a validation routine to abstract it all away and automate the process (someone mentioned ValidateThis, which does a great job of this).

Once the server side is locked down you can focus on the client-side validation. This gives you two benefits:

1) The core of your site will function without JavaScript. This is great for that small fraction of paranoid or annoyed users who simply turn it off.

2) More importantly, it will help protect the site against malware attacks, bots, security scanners, and the like, all of which simply ignore your client-side validation and send whatever they want to the server.

When your client decides to add e-commerce down the road and you're getting scanned by McAfee or SecurityMetrics on a regular basis, you will appreciate all that validation, as it will handle all the crap that the scanners throw at the forms without breaking a sweat.
Cleaning up database tables after 6,000 junk entries got inserted because you relied on client-side validation (and even so-called database validation, as long as the strings weren't too long and were the right data types) is really not fun and entirely preventable.

-Justin

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:337379
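The routine Justin describes above, written out end to end as an added example (this is not code from the original post). The field names, the 255-character column limit, the "myDSN" datasource and the subscribers table are assumptions for illustration only.

```cfml
<!--- Added example, not the poster's code. Field names, the varchar(255) limit,
      the datasource and the table are assumed for illustration. --->
<cfset errors = [] />

<!--- 1. Param and trim so the variable always exists and stray whitespace is gone. --->
<cfparam name="form.email" default="" />
<cfset form.email = trim(form.email) />

<!--- 2. Required, well-formed, and short enough for the varchar(255) column.
      Each failure becomes a message for the user, never a ColdFusion error. --->
<cfif not len(form.email)>
    <cfset arrayAppend(errors, "An e-mail address is required.") />
<cfelseif not isValid("email", form.email)>
    <cfset arrayAppend(errors, "That does not look like a valid e-mail address.") />
<cfelseif len(form.email) gt 255>
    <cfset arrayAppend(errors, "Please use an address of 255 characters or fewer.") />
    <!--- This is also the place to notify someone that the column may need to grow. --->
</cfif>

<!--- 3. Checkbox: coerce whatever arrived (missing, "on", "abc", "-7") to exactly 0 or 1.
      val() turns non-numeric junk into 0, abs() removes a sign, min() caps at 1. --->
<cfparam name="form.newsletter" default="0" />
<cfset form.newsletter = min(abs(val(trim(form.newsletter))), 1) />

<!--- 4. Only clean input reaches the database, and only through typed parameters,
      so a bad value is rejected by cfqueryparam instead of reaching SQL. --->
<cfif arrayLen(errors)>
    <cfoutput>
        <ul>
        <cfloop array="#errors#" index="msg">
            <li>#htmlEditFormat(msg)#</li>
        </cfloop>
        </ul>
    </cfoutput>
<cfelse>
    <cfquery datasource="myDSN">
        INSERT INTO subscribers (email, newsletter)
        VALUES (
            <cfqueryparam value="#form.email#" cfsqltype="cf_sql_varchar" maxlength="255" />,
            <cfqueryparam value="#form.newsletter#" cfsqltype="cf_sql_bit" />
        )
    </cfquery>
</cfif>
```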

