
I have a question about validating form and URL variables in ColdFusion. For example, I have a URL that looks like https://dev.abc.com/test.cfm?page_id=4&id=54658; however, when I update the URL to look something like https://dev.abc.com/test.cfm?page_id=4&id=546589687534, the page errors out and I get an "Invalid data 23254523456 for CFSQLTYPE CF_SQL_INTEGER" on the cfc call. How do I check the URL variables in such situations, when the user meddles with the URL vars, and make sure the page does not error out? Similarly with the form fields. I am using ReReplace like below to clean up the form fields before processing.

<cfset srchvar = ReReplace(srchvar,"\b(\w)","\u\1","ALL") />
<cfset srchvar = REReplace(srchvar,"[^0-9A-Za-z ]","","all") />

Are there any other checks that need to be applied?

Cœur
user747291
  • Checks that have to be applied depend on what you are looking to accomplish. Also, you can never guarantee that a page won't throw an error. You might want to look at global error handling. Also, replacing user input as opposed to reporting bad data to the user is not necessarily a good idea. – Dan Bracuk Sep 26 '16 at 15:20
  • For an overall better understanding of programming with security in mind, read this excellent document by Pete Freitag - [ColdFusion Developer Security Guide](http://www.adobe.com/content/dam/Adobe/en/products/coldfusion/pdfs/cf11/cfml-developer-security-guide.pdf) – Miguel-F Sep 26 '16 at 15:23

2 Answers


How do I check the url variables in such situations, when the user meddles with the URL vars and make sure the page does not error out?

<cfif !isValid('integer',URL.id)>
    <!--- Gracefully handle the error here --->
</cfif>

http://help.adobe.com/en_US/ColdFusion/9.0/CFMLRef/WSc3ff6d0ea77859461172e0811cbec22c24-7fb9.html

Are there any other checks that need to be applied?

I typically try to validate all data before I throw it in a database or use it. I use isValid to check datatypes, check or trim strings that may be too long, validate the existence of data when I don't accept NULLs. That way, my database doesn't have to throw the error upon insert, but rather I can catch it before that step.

Leeish
  • Be careful validating dates. ColdFusion is pretty generous on this topic. – Dan Bracuk Sep 26 '16 at 17:42
  • .. and not just with dates: [Why isValid(“integer”,“1,5”) = YES?](http://stackoverflow.com/questions/11535979/why-isvalidinteger-1-5-yes). – Leigh Sep 28 '16 at 04:28
  • @Leigh very true. I've been burnt by some validation logic in the past. But as long as you handle errors gracefully it does ok. – Leeish Sep 29 '16 at 19:57

I'd guess your integer is too big for the type of database / driver you're using. If you're using JDBC:

The JDBC type INTEGER represents a 32-bit signed integer value ranging between -2147483648 and 2147483647.

Steve
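Putting both answers together, here is an added example (not code from the question or either answer) of checking a URL or form value before it reaches a CF_SQL_INTEGER cfqueryparam: a strict digits-only pattern instead of isValid("integer"), which the comments note accepts "1,5", plus a range check against the 32-bit JDBC INTEGER limits. The function name requireInt, the datasource myDS and the table name are assumed placeholders.

```cfml
<cfscript>
// Added example, not from the original question or answers.
// requireInt(): strict integer check for untrusted URL/FORM input.
// isValid("integer", "1,5") returns YES, so a plain pattern is used instead,
// then the value is range-checked against the 32-bit signed JDBC INTEGER.
function requireInt(required string value,
                    numeric minValue = -2147483648,
                    numeric maxValue = 2147483647) {
    var trimmed = Trim(arguments.value);
    // optional minus sign followed by digits only; rejects "1,5", "1.0", "12abc"
    if (!ReFind("^-?[0-9]+$", trimmed)) {
        return { "ok": false, "reason": "not an integer" };
    }
    // Val() handles long digit strings; anything beyond the column's range is rejected
    var n = Val(trimmed);
    if (n < arguments.minValue || n > arguments.maxValue) {
        return { "ok": false, "reason": "out of range" };
    }
    return { "ok": true, "value": n };
}

// Same check works for FORM.id; shown here for the URL variable from the question.
param name="URL.id" default="";
check = requireInt(URL.id);
if (!check.ok) {
    // handle gracefully here instead of letting the cfc/query call throw
    writeOutput("Invalid id: " & EncodeForHTML(check.reason));
    abort;
}
</cfscript>

<!--- only the validated value goes into the query (myDS and pages are placeholders) --->
<cfquery name="q" datasource="myDS">
    SELECT id, page_id
    FROM pages
    WHERE id = <cfqueryparam value="#check.value#" cfsqltype="CF_SQL_INTEGER">
</cfquery>
```

With this in place, id=546589687534 from the question is rejected as "out of range" before the query runs, and "1,5" is rejected as "not an integer".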