## CFINPUT Integer Validation Flaw

As per this TechNote, CFINPUT's integer validation allows the dollar symbol (\$) to bypass the generated client-side validation. I don't know how long this has been the case, but the solution (as noted in the TechNote) is to use a regular expression instead.

## 5 responses to “CFINPUT Integer Validation Flaw”

1. Peter Tilbrook

Can you add that to the "fix" list for "Bentaur" aka CF9?

Just a note: the suggested regex on the TechNote is wrong / suboptimal: it will reject negative integers, plus WILL accept leading zeros (I’m not sure if the latter is a problem: seems wrong to me though). Something like this should do the trick:
`^((-?[1-9][0-9]*)|0)?$`
(I gave that about 30sec thought, so might not be foolproof…)
Also, if checking for integers on a computer system, it’s perhaps best to do bounds checking too. The maximum value for an integer in CF is… what? 2^32 -1 (or something like that?)
As the previous commenter suggested, now’s a good time to get this included in the mix for CF9. I’ll make sure it gets put on the radar, at least.

3. Susan

I have been trying out using the regular expressions to validate an integer entry and find that the regex posted here as well as the one in the tech notes still allows the dollar symbol to bypass.

4. Peter Fralin

I too have found that the regular expression method fails, the only client side kludge I have been able to get to work is this…
```html
<script>
// Clears the field with id "test" whenever the value contains anything
// other than digits or a dot (the input being checked must carry id="test").
function doCheck(obj){
  if(obj.match(/[^\d.]/)){
    document.getElementById('test').value='';
  }
}
// Formats a number with exactly two decimal places.
function ToDollarsAndCents(n) {
  var s = "" + Math.round(n * 100) / 100;
  var i = s.indexOf('.');
  if (i < 0) return s + ".00";
  var t = s.substring(0,i+1) + s.substring(i+1,i+3);
  if (i + 2 == s.length) t += "0";
  return t;
}
</script>
<cfinput type="Text" name="amount" range="1,10000" message="You must indicate the amount you wish to submit for this payment" validate="regex" pattern="^((-?[1-9][0-9]*)|0)?\$" validateAt="onSubmit" required="Yes" size="5" maxlength="7">
```

5. Peter Fralin

My bad, the cfinput tag shown above should be…
```html
<cfinput type="Text" name="amount" range="1,10000" message="You must indicate the amount you wish to submit for this payment" required="Yes" size="5" maxlength="7" onkeyup="doCheck(this.value)">
```
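The check the thread converges on, as an added example (not code from the post, the TechNote or any commenter): an anchored integer regex that rejects the `$` bypass, accepts negatives without leading zeros, and adds the bounds check suggested above. The range 1,10000 mirrors the cfinput in the thread; `checkField` is an assumed hook for a form field and is not from the page.

```javascript
// Added example (not from the post, the TechNote or the commenters): a
// client-side integer check that closes the "$" bypass described above and
// adds the bounds check suggested in the comments.

// Anchored integer pattern: optional sign, no leading zeros (except a lone 0).
const INTEGER_RE = /^-?(0|[1-9][0-9]*)$/;

// Range used by the cfinput in the thread (range="1,10000").
const DEFAULT_MIN = 1;
const DEFAULT_MAX = 10000;

// Returns {ok: true, value} for a well-formed in-range integer, otherwise
// {ok: false, reason}.
function validateInteger(raw, min = DEFAULT_MIN, max = DEFAULT_MAX) {
  if (typeof raw !== "string") return { ok: false, reason: "not a string" };
  const s = raw.trim();
  if (s === "") return { ok: false, reason: "empty" };
  // A literal "$" anywhere (the bypass in the TechNote) fails this test,
  // as do "1e3", "12.0", "0012" and "+5".
  if (!INTEGER_RE.test(s)) return { ok: false, reason: "not an integer" };
  const value = Number(s);
  // Digit strings beyond 2^53 would be rounded by Number(); reject them.
  if (!Number.isSafeInteger(value)) return { ok: false, reason: "too large" };
  if (value < min || value > max) return { ok: false, reason: "out of range" };
  return { ok: true, value };
}

// Assumed hook for a field's onchange/onsubmit handler: clears the field and
// reports why, instead of silently dropping the input as doCheck above does.
function checkField(input, min = DEFAULT_MIN, max = DEFAULT_MAX) {
  const result = validateInteger(input.value, min, max);
  if (!result.ok) {
    input.value = "";
    input.setCustomValidity("Enter a whole number between " + min + " and " + max);
  } else {
    input.setCustomValidity("");
  }
  return result.ok;
}

// Constructed inputs: the "$" bypass and the regex edge cases from the comments.
const SAMPLES = ["42", "$42", "-3", "007", "0", "10001", "", "1e3", " 7 "];
for (const s of SAMPLES) console.log(JSON.stringify(s), validateInteger(s));
```

Because the flaw is in the client-side check that CFINPUT generates, the server must repeat the same integer and range validation; a client-side check only improves the user experience.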