Validating form data using hidden fields

ColdFusion lets you specify form field validation on the server by using hidden form fields whose names consist of the name of the field to validate and the validation type. Hidden field validation uses the same underlying techniques and algorithms as onServer validation of ColdFusion form fields.

Hidden field validation has the following features:

  • You can use it with standard HTML tags. For example, you can validate data in an HTML input tag. This feature was useful in releases previous to ColdFusion MX 7, because the cfinput tag did not support all HTML type attributes.

  • It is backward-compatible with validation previous to ColdFusion MX 7, when hidden field validation was the only way to do validation on the server.

  • Because you use a separate tag for each validation type, if you specify multiple validation rules for a field, you can specify a different error message for each rule.

  • You can use hidden field validation with any form field type that submits a data value, not input, cfinput, textarea, or cftextarea.

Specifying hidden form field validation

To specify hidden field validation, you do the following:

  • Create one HTML input element or CFML cfinput tag of type="hidden" for each validation rule.

  • Specify the name of the field to validate as the first part of the hidden field name.

  • Specify the type of validation, starting with an underscore character (_), as the second part of the hidden field name.

  • You can specify multiple rules for each form data field. For example, to specify range and required validation for a field named myValue, create hidden myValue_cfformrange and myValue_cfformrequired fields.

  • For most types of validation, specify the error message as the field value attribute.

  • For range, maximum length, or regular expression validation, specify the rule, such as the maximum length, in the value attribute. For these validation types, you cannot specify a custom error message.

The following example uses hidden fields to require data in a date field and ensure that the field contains a date. It consists only of HTML tags.

<input type="text" name="StartDate" size="16" maxlength="16"><br> 
<input type="hidden" name="StartDate_required"  
        value="You must enter a start date."> 
<input type="hidden" name="StartDate_date"  
    value="Please enter a valid date as the start date.">

Use the following suffixes at the end of hidden form field names to specify the validation type. The type identifier always starts with an underscore. Several validation rules have two names you can use. The names that do not start with “_cf” were used in earlier releases and are retained for backward compatibility. For consistency and clarity, Adobe recommends using the names that start with “_cf” in new forms.

Field name suffix

Verifies

_integer, _cfforminteger

An integer of the range -2,147,483,648 — 2,147,483,647. Treats the initial characters “$ ¤ ¥ £ +” as valid input, but removes them from the number.

_cfformnumeric

Any numeric value. Treats the initial characters “$ ¤ ¥ £ +”as valid input, but does NOT remove them from the number.

_float, _cfformfloat

Any value (including an integer) that can be represented as a floating point number with up to 12 significant digits. Treats the initial characters “$ ¤ ¥ £ +” as valid input, but removes them from the number.

Converts input data to a real number; for example a dump of an integer value on the action page includes a decimal point followed by a 0.

_range, _cfformrange

A numeric value within boundaries specified by the value attribute. Specify the range in the value attribute using the format “min=minvalue max=maxvalue.” You cannot specify a custom error message for this validation.

_date, _cfformdate

A date in any format that ColdFusion can understand; converts the input to ODBC date format. Allows entry of a time part, but removes it from the ODBC value.

_cfformusdate

A date in the form m/d/y, m-d-y , or m.d.y, The m and d format can be 1 or 2 digits; y can be 2 or 4 digits. Does not convert the string to an ODBC value and does not allow a time part.

_eurodate, _cfformeurodate

A date in the form d/m/y, d-m-y, or d.m.y. The m and d format can be 1 or 2 digits; y can be 2 or 4 digits. Converts the input to ODBC date format. Allows entry of a time part, but removes it from the ODBC value.

_time, _cfformtime

A time. Can be in 12-hour or 24-hour clock format, and can include seconds in the form hh:mm:ss or a case-independent am or pm indicator.

Converts the input to ODBC time format. Allows entry of a date part, but removes it from the ODBC value.

_cfformcreditcard

After stripping blanks and dashes, a number that conforms to the mod10 algorithm. Number must have 13-16 digits.

_cfformSSN, _cfformsocial_security_number

A nine-digit Social Security number. Can be of the form xxx-xx-xxxx or xxx xx xxxx.

_cfformtelephone

Standard U.S. telephone formats. Does not support international telephone numbers.

Allows area codes with or without parentheses, and hyphens (-), spaces, periods, or no separators between standard number groups. Can be preceded by a 1 long-distance designator, and can end with an up-to-5 digit extension, optionally starting with x. The area code and exchange must begin with a digit in the range 1 - 9.

_cfformzipcode

A 5-digit or 9-digit U.S. ZIP code. In 9-digit codes, precede the final four digits by a hyphen (-) or space.

_cfformemail

A valid e-mail address. Valid address characters are a-zA-Z0-9_- and the period and separator. There must be a single at sign (@) and the text after the @ character must include a period, as in my_address@MyCo.com or b-b.jones27@hisco.co.uk.

_cfformURL

A valid URL. Must start with http:\\, https:\, ftp:\, file:\, mailto:, or news:. Can include, as appropriate, user name and password designators and query strings. The main part of the address can only have the characters A-Za-z0-9 and -.

_cfformboolean

A value that can be treated as a Boolean: Yes, No, True, False, 0, 1.

_cfformUUID

A universally unique identifier (UUID) that follows the ColdFusion format, xxxxxxxx-xxxx-xxxx-xxxxxxxxxxxxxxxx, where x is a hexadecimal number.

_cfformGUID

A unique identifier that follows the Microsoft/DCE format, xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx, where x is a hexadecimal number.

_cfformnoblanks

The field must not include blanks. ColdFusion uses this validation only if you also specify a _required hidden field.

_cfformmaxlength

The number of characters must not exceed the number specified by the tag value attribute.

_cfformregex, _cfformregular_expression

The data must match a JavaScript regular expression specified by the tag value attribute.

_required, _cfformrequired

Data must be entered or selected in the form field.

Hidden form field considerations

Consider the following rules and recommendations when determining whether and how to use hidden form field validation:

  • Use hidden field validation if you want to validate data from standard HTML input tags. The cfinput and cftextarea tags include a validateAt attribute that provides a simpler method for specifying server-side validation.

  • Consider using hidden field validation with the cfinput and cftextarea tags if you specify multiple validation rules for a single field and want to provide a separate error message for each validation.

  • Do not use the suffixes listed in the table as field names.

  • Adding a validation rule to a field does not make it a required field. Add a separate _required hidden field to ensure user entry.

Hidden form field example

The following procedure creates a simple form for entering a start date and a salary. It uses hidden fields to ensure that you enter data and that the data is in the right format.

This example uses a self-submitting form; the same ColdFusion page is both the form page and its action page. The page uses an IsDefined function to check that form data has been submitted. This way, the pages does not show any results until you submit the input. The form uses HTML tags only; you can substitute these tags with the CFML equivalents.

<html> 
<head> 
    <title>Simple Data Form</title> 
</head> 
<body> 
<h2>Simple Data Form</h2> 
 
<!--- Form part. ---> 
<form action="datatest.cfm" method="Post"> 
    <input type="hidden"  
        name="StartDate_cfformrequired"  
        value="You must enter a start date."> 
    <input type="hidden"  
        name="StartDate_cfformdate"  
        value="Enter a valid date as the start date."> 
    <input type="hidden"  
        name="Salary_cfformrequired"  
        value="You must enter a salary."> 
    <input type="hidden"  
        name="Salary_cfformfloat"  
        value="The salary must be a number."> 
    Start Date:  
    <input type="text"  
        name="StartDate" size="16"  
        maxlength="16"><br> 
    Salary:  
    <input type="text"  
        name="Salary"  
        size="10"  
        maxlength="10"><br> 
    <input type="reset"  
        name="ResetForm"  
        value="Clear Form"> 
    <input type="submit"  
        name="SubmitForm"  
        value="Insert Data"> 
</form> 
<br> 
 
<!--- Action part. ---> 
<cfif isdefined("Form.StartDate")> 
    <cfoutput> 
        Start Date is: #DateFormat(Form.StartDate)#<br> 
        Salary is: #DollarFormat(Form.Salary)# 
    </cfoutput> 
</cfif> 
</html>

When the user submits this form, ColdFusion scans the form fields to find any validation rules. It then uses the rules to analyze the user’s input. If any of the input rules are violated, ColdFusion displays an error page with the error message that you specified in the hidden field’s value attribute. The user must go back to the form, correct the problem, and resubmit the form. ColdFusion does not accept form submission until the user enters the entire form correctly.

Because numeric values often contain commas and currency symbols, ColdFusion automatically deletes these characters from fields with _cfforminteger and _cfformfloat rules before it validates the form field and passes the data to the form's action page. ColdFusion does not delete these characters from fields with _cfformnumeric rules.

Reviewing the code

The following table describes the code and its function:

Code

Description

<form action="datatest.cfm" method="Post">

Gathers the information from this form sends it to the dataform.cfm page (this page) using the Post method.

<input type="hidden" name="StartDate_cfformrequired" value="You must enter a start date."> 
<input type="hidden" name="StartDate_cfformdate" value="Enter a valid date as the start date.">

Requires input into the StartDate input field. If there is no input, displays the error information “You must enter a start date.” Requires the input to be in a valid date format. If the input is not valid, displays the error information “Enter a valid date as the start date.”

<input type="hidden" name="Salary_cfformrequired" value="You must enter a salary."> 
<input type="hidden" name="Salary_cfformfloat" value="The salary must be a number.">

Requires input into the Salary input field. If there is no input, displays the error information “You must enter a salary.” Requires the input to be in a valid number. If it is not valid, displays the error information “The salary must be a number.”

Start Date:  
<input type="text" name="StartDate" size="16" maxlength="16"><br>

Creates a text box called StartDate in which users can enter their starting date. Makes it 16-characters wide.

Salary:  
<input type="text" name="Salary" size="10" maxlength="10"><br>

Creates a text box called Salary in which users can enter their salary. Makes it ten-characters wide.

<cfif isdefined("Form.StartDate")> 
     <cfoutput> 
    Start Date is: #DateFormat(Form.StartDate)#<br> 
    Salary is: #DollarFormat(Form.Salary)# 
    </cfoutput> 
</cfif>

Displays the values of the StartDate and Salary form fields only if they are defined. They are not defined until you submit the form, so they do not appear on the initial form. Uses the DateFormat function to display the start date in the default date format. Uses the DollarFormat function to display the salary with a dollar sign and commas.