ColdFusion 9.0 Resources

Selecting a validation technique

The following considerations affect the validation technique that you select:

If you are validating form data, the techniques you use can vary depending on whether you are using HTML, Flash, or XML forms; for example, different form types have different validation limitations.
Different validation techniques are appropriate for different form controls and data types.
Available techniques vary depending on when and where you want the data validated; on the client or the server, when the user enters data or submits a form, or when ColdFusion processes a variable or function argument.
Each technique has specific features and considerations, such as the form of user feedback, feature limitations, and so on.
Security issues or concerns that apply to your environment or application can affect the technique you select.

The table in the preceding section described some of the considerations (see Validation techniques). The following table describes additional considerations for selecting a validation technique. For additional considerations that are specific to form fields, see Validation type considerations.

Validation technique	Features	Considerations	Security issues
mask (`mask` attribute)	Directly controls user input.	Limited to `cfinput` tags. Provides limited control over user input patterns.	In HTML and XML format, can be circumvented because JavaScript runs directly in the browser.
onBlur (`validateat="onBlur"` attribute)	Provides immediate feedback if a user enters invalid data.	Limited to `cfinput` and `cftextarea` tags. In HTML or XML format, requires the browser to enable JavaScript.	In HTML and XML format, can be circumvented because JavaScript runs directly in the browser.
onSubmit (`validateat="onSubmit"` attribute)	All entered data is available to the user; only the invalid data needs reentering.	Limited to `cfinput` and `cftextarea` tags. In Flash format, is identical to onBlur. In HTML or XML format, validates after all fields have been entered, and requires the browser to enable JavaScript.	In HTML and XML format, can be circumvented because JavaScript runs directly in the browser.
onServer (`validateat="onServer"` attribute)	Does not require browser support.	Limited to `cfinput` and `cftextarea` tags.	Can be circumvented because validation rules are submitted with the form.
Hidden form field	Does not require browser support. Can be used with HTML or CFML form elements.	Limited to forms.	Can be circumvented because validation rules are submitted with the form.
JavaScript (`onValidate = "function"` attribute)	Allows all on-client processing supported by the browser. Can be used with HTML or CFML form elements.	Limited to specific ColdFusion form tags. Calls a single JavaScript function. JavaScript levels of support can vary among browsers, and users can disable JavaScript in their browsers.	Can be circumvented because JavaScript runs directly in the browser.
`IsValid` function	Can be used for any variable, not just form fields. Returns a Yes or No result that you use to determine further processing.	When used with a form field, runs after the data is submitted. Must be used each time a variable needs to be validated. Provides some data type checks not available in forms validation techniques.	None
`cfparam` tag	Can be used for any variable, not just form fields. The tag can set a default value in addition to validating data.	When used with a form field, the tag runs after the data is submitted. You respond to validation failures using error-handling code.	None
`cfargument` tag	Used for arguments to functions written using the `cffunction` tag.	Runs when the function is called on the server. You respond to validation failures using error-handling code.	None