3

Something weird or something obvious. I've inherited a ColdFusion application, which I need to work with as it is for the meantime, including the widespread use of <CFFORM> etc.

We have a select list as follows:

<cfselect
     class="selGroup"
     query="get_merchant_categories"
     name="category_id"             
     display="category_name"                    
     value="unique_id"                      
     onclick="document.getElementById('Merchant_Groups_Form').submit();"
     size="15"> 
</cfselect>

This produces the following in the DOM:

<select name="category_id" id="category_id" class="selGroup" onclick="document.getElementById('Merchant_Groups_Form').submit();" size="15">
    <option value="1">Equestrian Sports</option>
    <option value="2">Other</option>
</select>

and the following page output:

enter image description here

Upon clicking the first item in the select list (Equestrian Sports), the request is seen as follows (NOTE: CSRFTOKEN is a hidden form field):

enter image description here

And the dump at the top of the receiving page is:

enter image description here

So, all is good there.

HOWEVER, when I click the second item in the list ("Other"), the request is OK and looks like this:

enter image description here

But, the dump on the receiving page looks like this:

enter image description here

Been trying to figure this out for over an hour and have no idea what is going on. Maybe someone's come across this before.

user460114
  • What do you see if you cfdump the form? Not related to your question, what happens when you use keyboard navigation on your form page? – Dan Bracuk Aug 21 '20 at 12:56
  • Is it possible you are accidentally overwriting the value on the action page under certain conditions, or there is a scope conflict? To rule that out, create a simplified action page that ONLY dumps the FORM and URL scopes, and recheck the dump results. – SOS Aug 21 '20 at 20:32
  • Yes, those are form dumps you see in the question. And the dumps are right at the top of the receiving page so there's no way that any conditional logic could change their values. You have to click on a select list item to initiate the form submission. I've used JS alerts to make sure the value has set before submission and the request data backs that up. I've updated the OP to show the actual rendering of the select list. – user460114 Aug 21 '20 at 21:44
  • 1
  • 1
    I've simplified everything right down to bare bones and I'm still getting the same result. I've even changed the select list to – user460114 Aug 21 '20 at 22:21
  • 1
    I might have vague recollections of this happening to me many moons ago. In your code, if the hidden form field precedes your select, try switching them around. – Dan Bracuk Aug 22 '20 at 14:47
  • 2
    Also, is there an Application.cfm/cfc involved? What is curious is that usually, this kind of thing *always* happens. I.e. The field is always empty, not just for specific field values. – SOS Aug 23 '20 at 18:13
  • Argh, you're right SOS. I've found the culprit. The application recently started using the "Cross Script Defender" cfc after we got a bad security report. Application.cfc calls that component on every request, whereby request variables pass through a series of security checks. Unfortunately, the cfc auto-assigned a "boolean" data type when it first encountered "category_id" and wrote that to the db. So, all future checks wanted a boolean. That's why it passed when category_id=1, but not when category_id=2. Write your suggestion in a formal answer and I'll mark it correct. And thanks Dan too. – user460114 Aug 24 '20 at 05:59
  • 1
    @user460114 - If you think it'll be helpful to someone else, feel free to write up your findings as an answer. Knowing the application.cfm/cfc was the culprit (from the behavior) is an important point, but... how you went about identifying the issue is the most useful part IMO – SOS Aug 25 '20 at 14:34
  • @SOS, People can read the comments, where I've explained it. Without your prompt, I wouldn't have found it, so you get the reward. Basically, the lesson is: If all else fails, check application.cfm/cfc – user460114 Aug 28 '20 at 09:05
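
The root cause described in the comments above (a request filter that fixed the type of category_id from the first value it saw) can be modeled as follows. This is an added example, not the Cross Script Defender component's code or the application's; the class and function names, the set of boolean literals, and the silent blanking of mismatched values are assumptions made for illustration.

```python
import re

BOOLEAN_LITERALS = {"0", "1", "true", "false", "yes", "no"}  # assumed set
INTEGER = re.compile(r"-?\d+")

def infer_type(value):
    """Guess a type from a single sample, as a learning filter would."""
    if value.lower() in BOOLEAN_LITERALS:
        return "boolean"
    return "integer" if INTEGER.fullmatch(value) else "string"

def matches(value, type_name):
    if type_name == "boolean":
        return value.lower() in BOOLEAN_LITERALS
    if type_name == "integer":
        return INTEGER.fullmatch(value) is not None
    return True  # "string": no type constraint in this model

class LearningFilter:
    """Stores the type inferred from the first value seen for each field."""
    def __init__(self):
        self.learned = {}  # stands in for the database table of learned types

    def clean(self, form):
        cleaned = {}
        for name, value in form.items():
            expected = self.learned.setdefault(name, infer_type(value))
            # Assumption: a mismatching value is blanked silently.
            cleaned[name] = value if matches(value, expected) else ""
        return cleaned

def clean_with_schema(form, schema):
    """Validate against declared types; report rejections instead of blanking."""
    rejected = [n for n, v in form.items() if not matches(v, schema.get(n, "string"))]
    cleaned = {n: v for n, v in form.items() if n not in rejected}
    return cleaned, rejected

def audit_learned(learned):
    """Flag identifier-like fields that were learned as boolean."""
    return sorted(n for n, t in learned.items() if n.endswith("_id") and t == "boolean")

if __name__ == "__main__":
    f = LearningFilter()
    print(f.clean({"category_id": "1"}))  # first request fixes the type
    print(f.clean({"category_id": "2"}))  # the second option is blanked
    print(audit_learned(f.learned))       # the stored type that needs correcting
    print(clean_with_schema({"category_id": "2"}, {"category_id": "integer"}))
```

Running an audit like `audit_learned` over the filter's stored types is a quick way to find other fields that were mislearned from an unrepresentative first value.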

0 Answers