You are correct Charlie, it only puts the hidden field there to tell
the server how to validate it. A completely useless waste of time,
since those hidden fields are removed by anyone who wants to bypass
your validation. In order to do this correctly it would implement the
Apache Commons methodology of mapping a form name and formfield to a
specific validation on the server when the data is received. This is
done through reflection and cannot be influenced by the client.
-dhs
Dean H. Saxe, CISSP, CEH
[email protected]
"Dissent is the purest form of patriotism."
--Thomas Jefferson
On Mar 10, 2009, at 11:53 AM, Charlie Arehart wrote:
Mischa, I'm curious what you're getting at here. Perhaps I missed part
of what was being traded, but I was actually surprised by the assertion
Dean made (that you repeated). CFInput does NOT *always* use a hidden
field to force server-side validation. It only does that if you ask it
to, using the ValidateAt="onserver", as you show. If you don't specify
that, it doesn't add any hidden fields.
Or are you guys making a different point, about what it is that CF does
create as that hidden field when you ask it to (using that attribute)?
I'm just trying to understand that, and also your subject line, which
seems to be asserting yet something different (that it's only client
side).
Help us out. It may just be me that's confused. :-)
/charlie
-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Mischa Uppelschoten ext 10
Sent: Monday, March 09, 2009 3:05 PM
To: Web Site
Subject: ValidateAt parameter is effectively only client side (was: "re[2]: [ACFUG Discuss] Password CFinput regular expression - throws alert/error after correction also")
: IIRC cfinput will always use a hidden form field on the client to
: force server side validation.
Dean is right:
<cfif isdefined("form")>
<cfdump var="#form#" show="MyNumber">
</cfif>
<cfform name="cfformtest">
<cfinput type="Text" validate="integer" validateat="OnServer"
name="MyNumber">
<cfinput type="Submit" value="submit" name="Submit">
</cfform>
<form name="RegularForm" method="post">
<input type="Text" name="MyNumber">
<input type="Submit" value="submit" name="Submit">
</form>
You can submit whatever you want using the second form.
I'm a bit disappointed because Adobe seems to have thought of and made
an effort to prevent a similar situation with their Ajax implementation:
_cf_clientid is appended to the url for each http request.
/m
-------------------------------------------------------------
To unsubscribe from this list, manage your profile @
http://www.acfug.org?fa=login.edituserform
For more info, see http://www.acfug.org/mailinglists
Archive @ http://www.mail-archive.com/discussion%40acfug.org/
List hosted by http://www.fusionlink.com
-------------------------------------------------------------
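Added example (not part of the thread and not Adobe's code): one way to do what Dean describes, with the rules for each form name and field held on the server and selected by the handler, so removing a hidden field or posting from the plain HTML form changes nothing. The names formRules and validateSubmission are hypothetical, and the code assumes ColdFusion 10 or later (or Lucee) for encodeForHTML.

```cfml
<cfscript>
// Added example. Rules are held on the server, keyed by form name and then
// field name (names taken from the thread's test form). Nothing in the
// request selects or alters them.
formRules = {
    "cfformtest" = {
        "MyNumber" = { "type" = "integer", "required" = true }
    }
};

// Hypothetical helper: returns an array of error strings, empty when valid.
function validateSubmission(required string formName, required struct submitted) {
    var errors = [];
    // Unknown form name: reject instead of accepting unvalidated input.
    if (NOT structKeyExists(variables.formRules, arguments.formName)) {
        return ["No validation rules registered for form " & arguments.formName];
    }
    var rules = variables.formRules[arguments.formName];
    for (var fieldName in rules) {
        var rule = rules[fieldName];
        var value = structKeyExists(arguments.submitted, fieldName)
            ? trim(arguments.submitted[fieldName]) : "";
        if (NOT len(value)) {
            if (rule.required) {
                arrayAppend(errors, fieldName & " is required");
            }
            continue;
        }
        if (NOT isValid(rule.type, value)) {
            arrayAppend(errors, fieldName & " must be of type " & rule.type);
        }
    }
    return errors;
}
</cfscript>

<cfif cgi.request_method EQ "POST">
    <!--- The handler names the form; the browser does not. --->
    <cfset errors = validateSubmission("cfformtest", form)>
    <cfif arrayLen(errors)>
        <cfheader statuscode="400" statustext="Bad Request">
        <cfoutput><cfloop array="#errors#" index="e">#encodeForHTML(e)#<br></cfloop></cfoutput>
        <cfabort>
    </cfif>
    <cfoutput>Accepted MyNumber = #encodeForHTML(form.MyNumber)#</cfoutput>
</cfif>
```

Placed at the top of the page that receives the post, this applies the same check to both forms in Mischa's test, because the rule lookup never reads anything the browser sent except the value being checked.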