Solved

ColdFusion form: using INPUT instead of CFINPUT

Posted on 2014-04-17
Last Modified: 2014-04-18
ColdFusion 9
MS SQL Server 2012

Hi friends.

I am trying to get a form to work using INPUT rather than CFINPUT. Why? I want to avoid using the scripts in CFIDE; also, I am using a pure CSS3 method of client-side form validation that recognizes the INPUT tag but, for some reason, gets buggy when I use CFINPUT.

When I use CFINPUT, then my variables display in the form field. See attached image.

Is there any way I can use INPUT, rather than CFINPUT? I attach code for file EditNews.cfm. Thank you for your help as always.

Eric

<!-----
Name:        editNews.cfm
Author:      Eric Bourland / gdemaria / _agx_
Description: this interface allows a user to create and edit database records that contain news items
Created:     March 2011
Edited: April 2014
ColdFusion Version 9
MS SQL Server 2005
----->


 <!--- Set default value for newsID in scope URL --->
<cfparam name="url.newsID" default="">

<!--- Define newsID in scope FORM, then set form.newsID equal to the newsID passed in the URL: for use later in the application --->
<cfparam name="form.newsID" default="#url.newsID#">

<cfparam name="form.newsTitle" default="">
<cfparam name="form.newsContent" default="">
<cfparam name="form.newsAuthor" default="">
<cfparam name="newsDateCreated" default="">
<cfparam name="form.NewsDate" default="">
<cfparam name="form.newsExcerpt" default="">

<!--- in user-editable fields, set up protection against XSS  --->
    <cfloop collection="#FORM#" item="field">
      <cfset FORM[ field ] = ReReplaceNoCase (FORM[ field ], "<script.*?>.*?</script>", "", "all")>
    </cfloop>

<cfquery datasource="#application.datasource#" name="editNews">
SELECT newsID, newsTitle, NewsDate, newsAuthor, newsContent, newsExcerpt, newsDateCreated
FROM #REQUEST.NewsTable#
WHERE newsID = <cfqueryparam value="#val(url.newsID)#" cfsqltype="cf_sql_integer">
</cfquery>

		   
<!---- begin CFTRY; catch errors ---->
<cftry>  
 
<!---- populate cftry with error message ---->
<cfset variables.error = ""> 
 
<!--- begin form.doSave --->

<cfif IsDefined("form.doSave")>

<!--- when an newsID Exists, the action is UPDATE --->
   
<cfif val(form.newsID)>
                
            <cfquery name="UpdateRecord" datasource="#application.datasource#">
				  UPDATE #REQUEST.NewsTable#
				  SET
           newsTitle = <cfqueryparam cfsqltype="cf_sql_varchar"  value="#Trim(Left(form.newsTitle,255))#">, 
           NewsDate = <cfqueryparam cfsqltype="cf_sql_date"  value="#createODBCdate(Trim(form.NewsDate))#">,
           newsAuthor = <cfqueryparam cfsqltype="cf_sql_varchar"  value="#Trim(Left(form.newsAuthor,128))#">,
           newsContent = <cfqueryparam cfsqltype="cf_sql_varchar"  value="#Trim(form.newsContent)#">,
           newsExcerpt = <cfqueryparam cfsqltype="cf_sql_varchar"  value="#Trim(form.newsExcerpt)#">
           		  WHERE newsID = <cfqueryparam cfsqltype="cf_sql_integer" value="#val(form.newsID)#">
			</cfquery>


<!--- CFELSE: if newsID does not exist, then create new record --->
				<cfelse> 
                
                
<!--- query to insert new user record into #REQUEST.NewsTable# --->
			<cfquery name="InsertRecord" datasource="#application.datasource#" result="newPage">
				 INSERT INTO #REQUEST.NewsTable#
     					(
                        newsTitle,
			            NewsDate,
                        newsAuthor,
                        newsContent,
                        newsExcerpt,
                        newsDateCreated
                        )
			     VALUES(
                    <cfqueryparam cfsqltype="cf_sql_varchar"  value="#Trim(Left(form.newsTitle,255))#">,
                    <cfqueryparam cfsqltype="cf_sql_date"  value="#createODBCdate(Trim(form.NewsDate))#">,
                    <cfqueryparam cfsqltype="cf_sql_varchar"  value="#Trim(Left(form.newsAuthor,128))#">,
                    <cfqueryparam cfsqltype="cf_sql_varchar"  value="#Trim(form.newsContent)#">,
                    <cfqueryparam cfsqltype="cf_sql_varchar"  value="#Trim(form.newsExcerpt)#">,
                    <cfqueryparam cfsqltype="cf_sql_timestamp" value="#now()#">
                         )         
					</cfquery>
                    
                    
<!--- use the result attribute value (newPage) to set form field value --->
      <cfset form.newsID = newPage.IDENTITYCOL>
              
<!--- END queries to update or insert database records ---> 

<!--- END cfif val(form.newsID) -- if a topic needed to be updated or added, then it was done --->
					    </cfif>  


<!--- done? relocate --->

<cfif val(url.NewsID)>
<cflocation url="/admin/editNews.cfm?NewsID=#url.NewsID#" addtoken="yes">

<cfelse>                     
<cflocation url="/admin/manageNews.cfm" addtoken="no">
				     
</cfif>
             
<!--- END: Save action --->

<!--- END form.doSave --->
                    </cfif>
       
<!--- END queries to update or insert database records ---> 
        

<!--- this CFCATCH will trap errors --->
            <cfcatch type="Any">
                 <cfset variables.error = cfcatch.message>
            </cfcatch>

<!--- END CFTRY --->  
			</cftry>
       
       
<!--- fetch the data from the database only when there are no errors; let the form variables pass back from the data table into the form to display ---->
 
<cfif len(variables.error) eq 0>
    
<!--- get data from table #REQUEST.NewsTable# and convert the data into form variables --->
			  <cfquery name="getPageDetails" datasource="#application.datasource#">
			    SELECT newsID, newsTitle, NewsDate, newsAuthor, newsContent, newsExcerpt, newsDateCreated
                FROM #REQUEST.NewsTable#
                WHERE newsID = <cfqueryparam cfsqltype="cf_sql_integer" value="#val(form.newsID)#">
 			  </cfquery>

  			<cfloop index="aCol" list="#getPageDetails.columnList#">
			       <cfset "form.#aCol#" = getPageDetails[aCol][getPageDetails.currentRow]>
			  </cfloop>
    
</cfif>



<!----- if record already exists then update record; otherwise, add new record ----->
				<cfif val(url.newsID)>
					  <cfset FormTitle="Update News">
					  <cfset ButtonText="Update">
				<cfelse>
						<cfset FormTitle="Create News Record">
						<cfset ButtonText="Create News Record">

				</cfif>

       
       
       <!--- BEGIN HTML / CSS PAGE HEADER --->
<cfinclude template="/admin/admin_header.cfm">

<cfinclude template="/admin/adminNav.cfm">




<!--- if there an error, display error in readable form --->

<cfif len(variables.error)> 
	  <cfoutput>
	    <div class="errorbox">#variables.error#</div>
	    </cfoutput>
   


             <div class="center">
               <input type=button value="Go Back" onClick="history.go(-1)">
             </div>
             
             <cfabort>
</cfif>

<cfparam name="url.cftoken" default="">

<cfif len(url.cftoken)> 

<div class="center"><button class="medium green"><span class="icon white medium" data-icon="C"></span> Update Succeeded. Good work.</button></div>

</cfif>

	<!--- Add or Update News Form begins here --->
	<cfform method="post" enctype="multipart/form-data" name="ebwebworkForm" class="ebwebworkForm">
                
 
 <!--- Embed newsID (PK) to assign a value to it --->
 <cfoutput>
<input type="hidden" name="newsID" value="#form.newsID#" />
 </cfoutput>

    <ul>
        <li>
<cfoutput>
<legend><h2>#FormTitle#</h2></legend>
</cfoutput>

     <img src="https://lh6.googleusercontent.com/-rXrwzErpu7Q/U06TdnsBKfI/AAAAAAAAAoA/5QepC-sHWpc/s800/red_asterisk.png" alt="Required Field" width="16" height="16"> Required
      </li>

<li>
  <label for="newsTitle"><h3>News Title:</h3></label>
  	 <input name="newsTitle" placeholder="Enter News Title" value="#form.newsTitle#" tabindex="1" pattern="^[A-Za-z0-9_]{1,15}$" size="70" type="text" autofocus="true" required="yes" />
        <span class="form_hint">Enter News Title</span>         
</li>
        
        
 <li>
    
<label for="NewsDate"><h3>News Date:</h3></label>
<!--- pattern matches the mm/dd/yyyy format named in the placeholder and hint --->
<input name="NewsDate" placeholder="Enter Date in mm/dd/yyyy format" value="#DateFormat(NewsDate, "mm/dd/yyyy")#" tabindex="2" pattern="(0[1-9]|1[012])/(0[1-9]|[12][0-9]|3[01])/[0-9]{4}" size="70" required="yes" />
<span class="form_hint">Enter Date in mm/dd/yyyy format</span>
        
</li>
        
        

<li>

<label for="newsAuthor"><h3>Author:</h3></label>
<input name="newsAuthor" placeholder="Enter Author Name" value="#form.newsAuthor#" tabindex="3" size="70" required="yes" />
<span class="form_hint">Enter Author Name</span>
        
</li>



            <p class="center">Use the TinyMCE Editing Interface to edit content:</p>


 <cfinclude template="/admin/TinyMCE.cfm">

<li>
<label for="newsContent"><h3>News Description:</h3></label>

    <span class="smallred">Enter and format content here.</span>
     
      <textarea name="newsContent"
      		wrap="virtual"  
      		tabindex="4"
      		width="600"
	  		height="300"
      		style="width:600px;height:300px;"
      		required="yes">

           <cfoutput>#form.newsContent#</cfoutput>
   
	  </textarea>
</li>

     
     <li>
     <label for="newsExcerpt"><h3>News Excerpt:</h3></label>
     <span class="smallred width600px">Display an excerpt to encourage readers. Just text, no images. There is no need to format this excerpt text. Your web site style sheet automatically applies formatting per the established style of your web site template.</span>
      <textarea name="newsExcerpt"
            wrap="virtual"  
            tabindex="5"
            width="600"
			height="100"
            style="width:600px;height:100px;"
            required="yes">

           <cfoutput>#form.newsExcerpt#</cfoutput>
   
	  </textarea>
</li>
    
    
    <li>
<div class="submitButton">
   <cfoutput>  
   <button name="doSave" type="submit" class="green">#ButtonText#</button>
   </cfoutput>
</div>  
</li>
    
    
    </ul>



</cfform>




<!--- Page footer --->
<cfinclude template="/admin/admin_footer.cfm">


cfinput.gif
Question by:Eric Bourland
4 Comments
 

Accepted Solution

by:
gdemaria earned 500 total points
Eric,

You need to have <cfoutput> around the input tags :)

You don't need them with CFINPUT because it's a CF tag, but when it's not a CF tag, you need cfoutput.
0
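
The accepted fix applied to the fields of editNews.cfm, as an added example that is not code from the thread. Once the inputs sit inside CFOUTPUT, each form value is written into the page as-is, and the `<script>`-stripping loop at the top of the file does not cover a value containing a double quote or other markup, so each value is encoded where it is output; `variables.newsDateValue` is a name assumed here.

```cfml
<!--- Added example, not from the original post. HTMLEditFormat() exists in
      ColdFusion 9 and escapes < > & and the double quote, so every attribute
      value below stays inside double quotes. --->

<!--- DateFormat() throws on a non-date string, so format only a real date.
      variables.newsDateValue is a name assumed for this example. --->
<cfif IsDate(form.NewsDate)>
  <cfset variables.newsDateValue = DateFormat(form.NewsDate, "mm/dd/yyyy")>
<cfelse>
  <cfset variables.newsDateValue = form.NewsDate>
</cfif>

<cfoutput>
<!--- val() forces the primary key to a number before it is written out --->
<input type="hidden" name="newsID" value="#val(form.newsID)#" />
<ul>
  <li>
    <label for="newsTitle"><h3>News Title:</h3></label>
    <input type="text" name="newsTitle" id="newsTitle" tabindex="1" size="70"
           placeholder="Enter News Title" required
           value="#HTMLEditFormat(form.newsTitle)#" />
  </li>
  <li>
    <label for="NewsDate"><h3>News Date:</h3></label>
    <input type="text" name="NewsDate" id="NewsDate" tabindex="2" size="70"
           placeholder="Enter Date in mm/dd/yyyy format" required
           value="#HTMLEditFormat(variables.newsDateValue)#" />
  </li>
  <li>
    <label for="newsAuthor"><h3>Author:</h3></label>
    <input type="text" name="newsAuthor" id="newsAuthor" tabindex="3" size="70"
           placeholder="Enter Author Name" required
           value="#HTMLEditFormat(form.newsAuthor)#" />
  </li>
  <li>
    <label for="newsContent"><h3>News Description:</h3></label>
    <!--- Encode even rich-text content: the browser decodes it inside the
          textarea, and stored markup cannot close the tag early --->
    <textarea name="newsContent" id="newsContent" tabindex="4"
              style="width:600px;height:300px;" required>#HTMLEditFormat(form.newsContent)#</textarea>
  </li>
</ul>
</cfoutput>
```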
 

Expert Comment

by:Pasha Kravtsov
I don't know CFML at all, but on an unrelated note I do want to recommend that you have the latest patch/security update for CF 9. It's really really easy for a malicious user to gain admin credentials and destroy everything you're working for.
0
 

Expert Comment

by:myselfrandhawa
@Eric, I understand all you need is the validation portion. Give jQuery validation a try; you will never look back.

If you are pretty much worried about the form validation, I suggest you purchase a custom tag by EwSoftware:

http://www.electricsheep.co.nz/products/terraform/

Probably it is not maintained any more, I suppose, but the author can help you if you purchase the tag.

Well, as @gd suggested, cfinput is needed if you are using input with validation.

Although the cfinput will call the CFIDE directory to make the validation work.

Also, if you use cfinput and click on submit, it will show all the messages in a single alert box for all the fields for which you have provided validation.

So your best bet is to either purchase the above-listed custom tag or get one from the following list:

http://www.riaforge.org/index.cfm?event=page.search#form%20validation

http://www.riaforge.org/index.cfm?event=page.search#validation
0
 

Author Closing Comment

by:Eric Bourland
=)

gdemaria -- yep, that was it.

Pasha -- yep, that is true. I am very conscientious about patching my CF 9 server, and I get a lot of support from my ISP, viviotech.net. I know that one day I will need to move up to CF 10, or the new CF 11 whenever it comes out and CF 9 is no longer supported. I keep track of patches and security concerns.

randhawa -- I hear what you are saying. I have spent a great deal of time over the past several days testing different client-side form validation methods. Most everything fails or is imperfect. The current solution I am using works ... mostly. It is not perfect and I am having some very weird trouble with some of the formatting of the form field hints -- "Enter date in mm/dd/yyy format", etc.

I will take a closer look at the two ideas you have suggested. I have invested so much time in this, that I am stubbornly determined to make it work.

Later I will think about server-side validation. Though, since I want to eschew CFIDE completely, I am not sure how this is going to work. This is something I will think about.

Thank you all for your ideas. I hope your day is going well. Onward....

Eric
0
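
Server-side validation does not need CFIDE: functions such as Len(), REFind() and DaysInMonth() are built into the ColdFusion engine and load no script from the CFIDE directory. The checks below are an added example, not code from the thread; they use the field names and length limits from editNews.cfm, and `variables.errors`, the other `variables.*` helpers and the exception type `editNews.validation` are names assumed here.

```cfml
<!--- Added example, not from the original thread. Goes inside
      <cfif IsDefined("form.doSave")>, ahead of the UPDATE / INSERT queries.
      variables.errors and the type "editNews.validation" are assumed names. --->
<cfset variables.errors = ArrayNew(1)>
<cfset variables.dateText = Trim(form.NewsDate)>

<!--- Required fields, with the same length limits the queries apply via Left() --->
<cfif NOT Len(Trim(form.newsTitle)) OR Len(Trim(form.newsTitle)) GT 255>
  <cfset ArrayAppend(variables.errors, "News Title is required (255 characters maximum).")>
</cfif>
<cfif NOT Len(Trim(form.newsAuthor)) OR Len(Trim(form.newsAuthor)) GT 128>
  <cfset ArrayAppend(variables.errors, "Author is required (128 characters maximum).")>
</cfif>
<cfif NOT Len(Trim(form.newsContent))>
  <cfset ArrayAppend(variables.errors, "News Description is required.")>
</cfif>
<cfif NOT Len(Trim(form.newsExcerpt))>
  <cfset ArrayAppend(variables.errors, "News Excerpt is required.")>
</cfif>

<!--- Date: check the mm/dd/yyyy shape first, then that the day exists in that month --->
<cfif NOT REFind("^(0[1-9]|1[012])/(0[1-9]|[12][0-9]|3[01])/(19|20)[0-9]{2}$", variables.dateText)>
  <cfset ArrayAppend(variables.errors, "News Date must be in mm/dd/yyyy format (years 1900 to 2099).")>
<cfelse>
  <cfset variables.mm = Val(ListGetAt(variables.dateText, 1, "/"))>
  <cfset variables.dd = Val(ListGetAt(variables.dateText, 2, "/"))>
  <cfset variables.yyyy = Val(ListGetAt(variables.dateText, 3, "/"))>
  <cfif variables.dd GT DaysInMonth(CreateDate(variables.yyyy, variables.mm, 1))>
    <cfset ArrayAppend(variables.errors, "News Date is not a real calendar date.")>
  </cfif>
</cfif>

<!--- The page's existing CFCATCH copies this message into variables.error,
      which the errorbox DIV then displays; the messages are fixed strings --->
<cfif ArrayLen(variables.errors)>
  <cfthrow type="editNews.validation" message="#ArrayToList(variables.errors, ' ')#">
</cfif>
```

Because the throw happens inside the page's CFTRY, neither query runs when a check fails.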
