Security considerations

Although form-specific validation techniques provide good methods for preventing users from submitting invalid or badly formatted data, they cannot prevent users from submitting maliciously formatted data from HTML forms. Malicious users can bypass techniques that rely on browser-side validation in JavaScript or that submit validation rules in hidden fields. If you need to prevent malicious data submissions, consider using the following techniques:

  • The onSubmit or onBlur validation in Flash forms, which uses Flash built-in validation.

  • The IsValid function and the cfparam and cfargument tags, which let you test variables and arguments in your CFML code.

  • The cfqueryparam tag in cfquery tags, which can help protect databases from malicious query input (see Enhancing security with cfqueryparam).

  • The script protection option, which helps prevent cross-site scripting attacks. You can set this option on the ColdFusion Administrator Server Settings > Settings page or by using the Application.cfc This.scriptProtect variable or the cfapplication tag scriptprotect attribute. For more information on cross-site scripting attacks and this option, see the cfapplication tag page in the CFML Reference.
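The following is an added example, not part of the original documentation, showing cfparam, IsValid, cfargument and cfqueryparam working together in one page so that a submission which skips the browser-side checks is still validated on the server. It assumes a form that posts userID and email, a users table, and a datasource named exampleDSN (all placeholders).

```cfml
<!--- Added example, not from the original documentation. Assumes a form that
      posts "userID" and "email" and a datasource named "exampleDSN" (placeholder). --->

<!--- 1. cfparam: guarantees the variable exists and, with type=, that it has the
        expected type; a missing or non-integer userID raises an error before any
        other code on the page runs. --->
<cfparam name="form.userID" type="integer">
<cfparam name="form.email" type="string" default="">

<!--- 2. IsValid: test a value and handle the failure yourself instead of erroring --->
<cfset errors = []>
<cfif NOT IsValid("email", form.email)>
    <cfset ArrayAppend(errors, "Enter a valid e-mail address.")>
</cfif>
<cfif NOT IsValid("range", form.userID, 1, 2147483647)>
    <cfset ArrayAppend(errors, "User ID must be a positive integer.")>
</cfif>

<!--- 3. cfargument: typed, required arguments; a call with the wrong type is rejected --->
<cffunction name="updateEmail" access="private" returntype="void">
    <cfargument name="userID" type="numeric" required="true">
    <cfargument name="email" type="string" required="true">
    <!--- 4. cfqueryparam: values are bound as typed parameters, never spliced into SQL --->
    <cfquery datasource="exampleDSN">
        UPDATE users
           SET email = <cfqueryparam value="#arguments.email#" cfsqltype="cf_sql_varchar" maxlength="254">
         WHERE user_id = <cfqueryparam value="#arguments.userID#" cfsqltype="cf_sql_integer">
    </cfquery>
</cffunction>

<cfif ArrayLen(errors) EQ 0>
    <cfset updateEmail(form.userID, form.email)>
<cfelse>
    <!--- re-display the form with the server-side error messages --->
    <cfoutput><cfloop array="#errors#" index="msg"><p>#msg#</p></cfloop></cfoutput>
</cfif>
```

Because every check runs on the server, removing or editing the JavaScript, Flash, or hidden-field validation in the browser does not change what this page accepts.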