Tags: coldfusion, coldfusion-9, coldfusion-10

Is there any need for more server-side Form validation than when declaring arguments?


In my CFCs that handle form submissions, I am doing validation at the start of the function by declaring what arguments are required and what type they should be. As such:

<cfargument name="forename" type="string" required="true"/>

What I am also currently doing is checking the value when inserting into the database. As such:

INSERT INTO Person (Forename)
VALUES
(
    <cfif structKeyExists(ARGUMENTS, 'Forename') AND Len(Trim(ARGUMENTS.Forename)) GT 0>
        <cfqueryparam value="#ARGUMENTS.Forename#" cfsqltype="cf_sql_nvarchar">
    <cfelse>
        NULL
    </cfif>
);

Is there any need to check that the argument value exists and its length when it's already been declared that it's a required value?


Solution

  • You also need to

    1. run the data through an AntiSamy filter, which will strip out any invalid HTML entities and protect against Cross-site Scripting attacks
    2. verify that the form request is coming from your server using a Cross-Site Request Forgery token

    and that's just off the top of my head.
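As an added illustration (not code from the asker or the answerer), the CFC below shows why `required="true"` alone is not a content check: it only rejects a missing argument, so an empty or whitespace-only string still passes `type="string"`. It also adds the CSRF step from the answer using ColdFusion 10's built-in `CSRFGenerateToken()`/`CSRFVerifyToken()`; the datasource name `APPLICATION.dsn`, the 50-character column width and the file names are assumptions, and the AntiSamy step is not shown.

```cfml
<!--- form.cfm (constructed): the CSRF token is issued with the form --->
<cfoutput>
<form method="post" action="save.cfm">
  <input type="hidden" name="csrfToken"
         value="#encodeForHTMLAttribute(CSRFGenerateToken())#">
  <input type="text" name="forename">
  <input type="submit" value="Save">
</form>
</cfoutput>

<!--- Person.cfc (constructed): save() is called with the submitted FORM scope --->
<cfcomponent>
  <cffunction name="save" access="public" returntype="struct" output="false">
    <!--- required="true" rejects a MISSING key only; "" and "   " still pass type="string" --->
    <cfargument name="forename"  type="string" required="true"/>
    <cfargument name="csrfToken" type="string" required="true"/>
    <cfset var result = {ok = false, errors = []}>
    <cfset var forename = Trim(ARGUMENTS.forename)>

    <!--- 1. Reject requests that did not originate from a form this server issued --->
    <cfif NOT CSRFVerifyToken(ARGUMENTS.csrfToken)>
      <cfset arrayAppend(result.errors, "Invalid or missing CSRF token")>
      <cfreturn result>
    </cfif>

    <!--- 2. Content checks cfargument cannot express: non-blank and within column width --->
    <cfif Len(forename) EQ 0 OR Len(forename) GT 50>
      <cfset arrayAppend(result.errors, "Forename must be 1 to 50 characters")>
      <cfreturn result>
    </cfif>

    <!--- 3. Parameterised insert; the NULL branch from the question is no longer reachable --->
    <cfquery datasource="#APPLICATION.dsn#">
      INSERT INTO Person (Forename)
      VALUES (<cfqueryparam value="#forename#" cfsqltype="cf_sql_nvarchar" maxlength="50">)
    </cfquery>

    <cfset result.ok = true>
    <cfreturn result>
  </cffunction>
</cfcomponent>
```

When the stored value is later displayed, wrap it in `encodeForHTML()` (also a ColdFusion 10 built-in) so that any markup that survived input filtering is rendered inert.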