
CFINPUT Integer Validation Flaw


As per this TechNote, CFINPUT integer validation allows the dollar symbol ($) to bypass the generated client-side validation. I don’t know how long this has been the case, but the solution (as noted in the TechNote) is to use a regular expression instead.

5 responses to “CFINPUT Integer Validation Flaw”

  1. Peter Tilbrook

    Can you add that to the "fix" list for "Bentaur" aka CF9?

  2. Adam Cameron

    Just a note: the suggested regex on the TechNote is wrong / suboptimal: it will reject negative integers, plus WILL accept leading zeros (I’m not sure if the latter is a problem: seems wrong to me though). Something like this should do the trick:
    ^((-?[1-9][0-9]*)|0)?$
    (I gave that about 30sec thought, so might not be foolproof…)
    Also, if checking for integers on a computer system, it’s perhaps best to do bounds checking too. The maximum value for an integer in CF is… what? 2^32 -1 (or something like that?)
    As the previous commenter suggested, now’s a good time to get this included in the mix for CF9. I’ll make sure it gets put on the radar, at least.

    Adam

  3. Susan

    I have been trying out using the regular expressions to validate an integer entry and find that the regex posted here, as well as the one in the tech notes, still allows the dollar symbol to bypass.

  4. Peter Fralin

    I too have found that the regular expression method fails; the only client-side kludge I have been able to get to work is this…
    <script>
    // Reject the value if it contains anything other than digits or a dot.
    // (\d is the digit class; the backslash was lost in the original posting.)
    function doCheck(obj){
        if(obj.match(/[^\d.]/)){
            alert('numbers only');
            // Clears the input; assumes the field's id is 'test'.
            document.getElementById('test').value='';
        }
    }
    // Formats a number as dollars and cents with exactly two decimals.
    function ToDollarsAndCents(n) {
        var s = "" + Math.round(n * 100) / 100;
        var i = s.indexOf('.');
        if (i < 0) return s + ".00";
        var t = s.substring(0,i+1) + s.substring(i+1,i+3);
        if (i + 2 == s.length) t += "0";
        return t;
    }
    </script>
    <cfinput type="Text" name="amount" range="1,10000" message="You must indicate the amount you wish to submit for this payment" validate="regex" pattern="^((-?[1-9][0-9]*)|0)?$" validateAt="onSubmit" required="Yes" size="5" maxlength="7">

  5. Peter Fralin

    My bad, the cfinput tag shown above should be…
    <cfinput type="Text" name="amount" range="1,10000" message="You must indicate the amount you wish to submit for this payment" required="Yes" size="5" maxlength="7" onkeyup="doCheck(this.value)">
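As an added example (not code from the post or any of the commenters), here is a client-side check that combines Adam Cameron's regex with the bounds checking he suggests, wired to the field the way comment 5 does, so that "$12", leading zeros and out-of-range values are all rejected; because browser-side JavaScript can be skipped entirely, the same check has to be repeated on the server. The limits, field values and the `checkInteger`/`doCheck` names below are assumptions made for this example.

```javascript
// Added example, not from the original post. Adam Cameron's pattern:
// optional minus, no leading zeros, "0" alone allowed, empty string allowed.
const INTEGER_RE = /^((-?[1-9][0-9]*)|0)?$/;

// Validate one field value as an integer within [min, max].
// Returns {ok, reason} so callers can report why a value was refused.
function checkInteger(value, min, max) {
  const s = String(value).trim();
  // Regex first: this is what stops "$12", "12abc", "1.5" and "007".
  if (!INTEGER_RE.test(s)) {
    return { ok: false, reason: 'not an integer: ' + JSON.stringify(s) };
  }
  // The regex deliberately permits the empty string; required= handles that.
  if (s === '') {
    return { ok: true, reason: 'empty (allowed by the pattern)' };
  }
  const n = Number(s);
  // Bounds checking, as Adam suggests: reject values the platform cannot
  // hold as an exact integer, then apply the application's own range.
  if (!Number.isSafeInteger(n)) {
    return { ok: false, reason: 'beyond exact integer range' };
  }
  if (n < min || n > max) {
    return { ok: false, reason: 'out of range ' + min + '..' + max };
  }
  return { ok: true, reason: 'ok' };
}

// Handler for onkeyup="doCheck(this, 1, 10000)": the element itself is
// passed in (rather than a fixed id), so a bad value can be cleared in place.
function doCheck(el, min, max) {
  const r = checkInteger(el.value, min, max);
  if (!r.ok) {
    el.value = '';   // constructed behaviour: wipe the field, mirror of comment 4
  }
  return r.ok;
}
```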

Leave a Reply