0

I'm using BlueDragon's cfform validation:

```
<cfinput validateat="onServer" validate="regex" pattern="^[a-zA-Z0-9 ]+$"  name="COMPANYDBA" />
```

But this pattern isn't producing the right result. Something is up with the dollar sign: ^[a-zA-Z0-9 ]+$

Expected result: no special characters

Actual result: no special characters except it's allowing the $ sign

Why in the world would this allow a dollar sign in the string?

Peter Boughton
Induster
  • By the way, I have tried explicitly excluding the $ sign but not sure if it's 100% correct. I shouldn't have to do this, but it was worth a shot: ^[a-zA-Z0-9 ^\$]+$ – Induster Aug 21 '12 at 18:35
  • Yeah, that expression does not do what you think it does: http://regex101.com/r/iV5vP1 – Firas Dib Aug 21 '12 at 18:38
  • I find it highly unlikely that CF would use a different regex engine for cfinput as elsewhere, and `^[a-zA-Z0-9 ]+$` will _not_ match if a `$` is in the input. What precise version of CF are you using? – Peter Boughton Aug 21 '12 at 22:13
  • Have just tested with CF10 and (after fixing the sample code) the expression works fine - and complains if $ is included. – Peter Boughton Aug 21 '12 at 22:17
  • According to the New Atlanta site, BlueDragon 7.1 was designed to be compatible with Cold Fusion MX 7.0.2. It goes on to say "BlueDragon 7.1 is generally not compatible with new features introduced in ColdFusion 8.0 (CF8), with exceptions noted later in this document." – Induster Aug 22 '12 at 23:49
  • Ok, that changes things completely! BlueDragon != ColdFusion. Also, if you're specifically using BlueDragon.NET (as opposed to the Java edition), then the regex implementation will certainly be different (because Apache ORO is a Java library, so at best has been ported to .NET, but I wouldn't be surprised if it wasn't the same.) – Peter Boughton Aug 23 '12 at 00:02
  • Despite that, I still wouldn't expect _any_ regex engine to allow a dollar sign given the simple pattern of `^[a-zA-Z0-9 ]+$`, so the issue is likely something else - my suspicion would be that the pattern attribute is being ignored completely. Are there any BD7 docs that explicitly state whether it is supported? – Peter Boughton Aug 23 '12 at 00:03

2 Answers

0

Try using \A and \Z instead of ^ and $ respectively.

Firas Dib
  • Thanks for the suggestion. Here is my test result: Data entered in the COMPANYDBA field must match the regular expression \A[a-zA-Z0-9 ]\z (you entered 'Company X'). – Induster Aug 21 '12 at 19:04
  • You left out the `+` after the character set. – Jim Davis Aug 21 '12 at 19:27
  • Still no go with: Data entered in the COMPANYDBA field must match the regular expression \A[a-zA-Z0-9 ]+\z (you entered 'asdfasdf'). – Induster Aug 21 '12 at 21:35
  • The `\A` and `\z` constructs aren't supported by the regex engine CF uses (Apache ORO). This isn't the issue though, `^` and `$` are supported and work fine. – Peter Boughton Aug 21 '12 at 22:22
0

An old question, but it's listed as unanswered, so here's an (overly-long) answer to stop that being the case (as soon as someone upvotes it, anyhow).

It's unlikely the source for cfform has changed significantly between BD7 and OpenBD -- because pretty much nobody recommends using cfform these days -- so here's the OBD code which generates the HTML:

http://websvn.openbd.org/websvn/filedetails.php?repname=OpenBD&path=%2Ftrunk%2Fsrc%2Fcom%2Fnaryx%2Ftagfusion%2Fcfm%2Fcfform%2FcfAbstractFormTag.java

What this code tells us is that, with the attributes provided, a hidden form field named with the suffix _CFFORMREGEX is output with the pattern to test.
(Which of course is not real server-side validation, despite what `validateat="onserver"` suggests, and thus is yet another reason not to use cfform).

After submission, that form field is picked up and used via the cfFormData.java file:

http://websvn.openbd.org/websvn/filedetails.php?repname=OpenBD&path=%2Ftrunk%2Fsrc%2Fcom%2Fnaryx%2Ftagfusion%2Fcfm%2Fengine%2FcfFormData.java

Which if you follow it through eventually runs the pattern through com.nary.util.string.regexMatches which uses Apache ORO to check it matches:

http://websvn.openbd.org/websvn/filedetails.php?repname=OpenBD&path=%2Ftrunk%2Fsrc%2Fcom%2Fnary%2Futil%2Fstring.java

The use of SINGLELINE_MASK means the ^ and $ will perform their usual start/end of content match (not start/end of lines) and that . includes newlines.

With all that, we can categorically state that, if the pattern provided is ^[a-zA-Z0-9 ]+$ then $ will not be accepted, so there must be more to the original issue than has been revealed.

Of course, rather than worrying about all that, the most appropriate solution is: stop using cfform.

There are plenty of superior options for doing proper form validation, see Charlie Arehart's list: cf411.com/form

Peter Boughton
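To illustrate the answer's point that a pattern carried in a hidden `_CFFORMREGEX` field is not real server-side validation, here is an added example (a simplified Python model, not OpenBD or BlueDragon code and not part of the original answer) that compares checking against the submitted pattern with checking against a rule held in server code. The function names, the `COMPANYDBA_CFFORMREGEX` field name, the sample submissions and the "no hidden field means no check" behaviour are assumptions of the model.

```python
import re

REGEX_SUFFIX = "_CFFORMREGEX"  # hidden-field suffix named in the answer above

# Hardened rule table: lives in server code, never read from the request.
# fullmatch() is used instead of ^...$ because Python's $ also matches just
# before a trailing newline.
SERVER_RULES = {"COMPANYDBA": re.compile(r"[a-zA-Z0-9 ]+")}


def validate_with_submitted_pattern(form):
    """Simplified model of the cfform flow: the pattern comes back in the form."""
    failed = []
    for name, value in form.items():
        if name.endswith(REGEX_SUFFIX):
            continue
        pattern = form.get(name + REGEX_SUFFIX)
        # Assumption of this model: no hidden field means no check is run.
        if pattern is not None and re.search(pattern, value) is None:
            failed.append(name)
    return failed


def validate_with_server_rules(form):
    """Every required field is checked against the server's own pattern."""
    return [name for name, rule in SERVER_RULES.items()
            if rule.fullmatch(form.get(name, "")) is None]


# Constructed sample submissions (not captured traffic).
AS_RENDERED = {"COMPANYDBA": "Acme $ Co",
               "COMPANYDBA_CFFORMREGEX": "^[a-zA-Z0-9 ]+$"}
HIDDEN_FIELD_ABSENT = {"COMPANYDBA": "Acme $ Co"}
HIDDEN_FIELD_CHANGED = {"COMPANYDBA": "Acme $ Co",
                        "COMPANYDBA_CFFORMREGEX": ".*"}

if __name__ == "__main__":
    for label, form in [("as rendered", AS_RENDERED),
                        ("hidden field absent", HIDDEN_FIELD_ABSENT),
                        ("hidden field changed", HIDDEN_FIELD_CHANGED)]:
        print(label,
              "| submitted pattern rejects:", validate_with_submitted_pattern(form),
              "| server rules reject:", validate_with_server_rules(form))
```

Only the server-held rule gives the same verdict for all three submissions, which is the property the field needs regardless of what the rendered form contained.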