
I have one question about my server-side validation. I'm passing the arguments in my cffunction. Some of these arguments are form values populated by the user and some of them are hidden values that I have populated from the database. Hidden values will hold the current values for specific fields on the form. So my question is: if I pass the new value and my hidden value into my cffunction and then compare those two, is that enough for my server-side validation? I'm wondering if there is any scenario where a user can work around that validation. Or maybe the better option is to create a cfquery that will pull that record directly from the DB on the server side instead of creating a hidden field on the client side and then passing the value as an argument? Here is an example of my question above:

<cfoutput>
   <!--- Current vehicle, read from the database and rendered into the page.
         Placed outside the <select>: browsers drop an <input> nested inside one. --->
   <input type="hidden" name="curVehicle" id="curVehicle" value="#encodeForHTMLAttribute(oldVce.VehcileNum)#">
   <select name="vehicles" id="vehicles">
      <option value="">Pick the vehicle</option>
      <cfloop query="myVehicles">
         <option value="#encodeForHTMLAttribute(myVehicles.vehicleNum)#">#encodeForHTML(myVehicles.vehicleName)#</option>
      </cfloop>
   </select>
</cfoutput>

Server side:

<!--- output="false" so stray whitespace does not corrupt the JSON response --->
<cffunction name="InsertUpdateVehicles" access="remote" returnformat="JSON" output="false">
   <!--- current value from the drop-down menu --->
   <cfargument name="newVehicle" type="string" required="yes">
   <!--- value from the hidden field curVehicle --->
   <cfargument name="oldVehicle" type="string" required="yes">

   <!--- var-scoped so the struct is local to this call --->
   <cfset var myResults = structNew()>

   <cfif trim(arguments.newVehicle) NEQ trim(arguments.oldVehicle)>
       <!--- Run Insert/Update --->
   </cfif>

   <cfreturn myResults>
</cffunction>

If anyone can help, or provide an example if there is some way to work around this validation, please let me know. Thanks in advance.

    _Anything_ presented on the client side can be manipulated. Even hidden inputs or read-only inputs can be modified using a browser's developer tools. Never trust anything coming in from a web client. – Carl Von Stetten May 04 '17 at 13:55
  • Yes, client info is always suspect. However, you left out an important detail: what exactly is your validation trying to prevent, i.e. What is the result if the value *is* changed? That is what should dictate the correct approach. – Leigh May 04 '17 at 23:00

1 Answer


If you want server-side validation, #oldVce.VehcileNum# should be grabbed in your function and checked there. Or you can use a hash function to encrypt your hidden field.

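To make the scenario from the question and the two options in the answer concrete, here is an added example that is not code from the original post or from ColdFusion itself: Python stands in for the cffunction, the in-memory `DB` dictionary stands in for the vehicles table, and `HIDDEN_FIELD_KEY` is a hypothetical server-side secret. The first function reproduces the original check, which trusts the hidden `oldVehicle` coming from the client; the second re-reads the current value on the server, keyed by the record being edited; the last two show the signed-hidden-field alternative with an HMAC (a keyed hash, which is what a "hashed" hidden field needs to be useful, since a plain hash can be recomputed by the client).

```python
"""Server-side 'has the value changed' check: trusting a hidden field vs.
re-reading the record, plus a signed hidden field. Added illustration only."""
import hashlib
import hmac
from typing import Optional

# Hypothetical secret held only on the server; never rendered into the page.
HIDDEN_FIELD_KEY = b"example-only-rotate-me"


def insert_update_trusting_hidden(new_vehicle: str, old_vehicle: str) -> bool:
    """Mirrors the original cffunction: BOTH values arrive in the request.
    Returns True when the insert/update branch would run. Because the client
    sends old_vehicle too, it decides the outcome of the comparison."""
    return new_vehicle.strip() != old_vehicle.strip()


def insert_update_server_lookup(db: dict, record_id: str, new_vehicle: str) -> bool:
    """Hardened version: the current value is read from the database (here a
    constructed dict), so the client only controls the new value and which
    record it targets. Returns True when the update was applied."""
    current = db.get(record_id)
    if current is None:
        raise ValueError("unknown record")
    changed = new_vehicle.strip() != current.strip()
    if changed:
        db[record_id] = new_vehicle.strip()  # the "Run Insert/Update" step
    return changed


def _mac(record_id: str, value: str) -> str:
    # Bind the value to its record so a signed field cannot be moved between forms.
    msg = record_id.encode() + b"\x00" + value.encode()
    return hmac.new(HIDDEN_FIELD_KEY, msg, hashlib.sha256).hexdigest()


def sign_hidden(record_id: str, value: str) -> str:
    """What the server renders into the hidden field: '<value>.<hex mac>'."""
    return f"{value}.{_mac(record_id, value)}"


def verify_hidden(record_id: str, field: str) -> Optional[str]:
    """Returns the embedded value if the MAC checks out, otherwise None.
    Uses a constant-time comparison to avoid leaking the MAC byte by byte."""
    value, sep, mac = field.rpartition(".")
    if not sep:
        return None
    return value if hmac.compare_digest(mac, _mac(record_id, value)) else None


if __name__ == "__main__":
    db = {"rec-1": "V100"}  # constructed sample: rec-1 currently holds vehicle V100
    # Honest client: hidden field matches the database, nothing changed.
    print(insert_update_trusting_hidden("V100", "V100"))          # False
    # Tampered hidden field: the update now runs even though nothing changed.
    print(insert_update_trusting_hidden("V100", "V999"))          # True
    # Server lookup ignores whatever the client claims the old value was.
    print(insert_update_server_lookup(db, "rec-1", "V100"))       # False
    print(insert_update_server_lookup(db, "rec-1", "V200"))       # True
    # Signed hidden field: a tampered value fails verification.
    field = sign_hidden("rec-1", "V100")
    print(verify_hidden("rec-1", field))                          # V100
    print(verify_hidden("rec-1", "V999." + field.split(".")[1]))  # None
```

Two caveats on the signed-field option: it proves the value came from your server unmodified, but not that it is still current (the client can replay an older signed field from a previous page load), and it only works if the key never reaches the client. Re-reading the record on the server avoids both problems, which is why it is the simpler choice when the comparison guards anything that matters.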