You can put a function in the null attribute of the cfqueryparam tag to check for those characters. The function returns the numeric position of one of these characters if it exists. A value of 0 (not found) is treated as boolean false by ColdFusion and will result in the variable passed being used. Any other value, which will always be a positive integer, will be treated as boolean true and the value of the inserted field will be null rather than the value of the variable passed.

null="#refind(...)#"

On Thu, Mar 12, 2015 at 9:15 PM, Andy Mann <[email protected]> wrote:
>
> I use regex on cfinput tags because some of the allowed characters on some
> fields are ' . , % # etc.
>
> The problem is that on the posted-to page, when I use cfqueryparam there is
> no option for regex, and I do want to control which characters are allowed.
> Never * < > ( ) etc.
>
> My sites have (I hope) very tight security and reside within an iframe, and
> the pages with any queries check to see if the correct page is posting to
> them and also some other security checks, but I worry about some techijerk
> rewriting the page in their browser and submitting.
>
> Client server is cf9, and that they should upgrade is a whole different
> matter.
>
> Always paranoid, as it should be.

Archive: http://www.houseoffusion.com/groups/regex/message.cfm/messageid:1259
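
An added example (not code from either poster) of the null-attribute check described in the reply, written with CF9-era tags; the table, column, datasource and form field names are hypothetical. It also rejects a required field outright, because binding NULL only suits columns that accept it.

```cfml
<!--- Added example. contacts, company, notes, exampleDSN and the form
      field names are hypothetical. --->

<!--- Characters the original post says must never be stored: * < > ( )
      Inside a character class they are all literals. --->
<cfset variables.denyPattern = "[*<>()]">

<!--- True when the value contains a denied character.
      reFind() returns the 1-based position of the first match, or 0 for none. --->
<cffunction name="hasDeniedChars" returntype="boolean" output="false">
    <cfargument name="value" type="string" required="true">
    <cfreturn reFind(variables.denyPattern, arguments.value) GT 0>
</cffunction>

<cfparam name="form.company" default="">
<cfparam name="form.notes" default="">

<!--- Required field: refuse the request instead of silently storing NULL. --->
<cfif hasDeniedChars(form.company)>
    <cfheader statuscode="400" statustext="Bad Request">
    <cfabort>
</cfif>

<cfquery name="insertContact" datasource="exampleDSN">
    INSERT INTO contacts (company, notes)
    VALUES (
        <cfqueryparam value="#form.company#" cfsqltype="cf_sql_varchar" maxlength="100">,
        <!--- Optional field: when null is true, cfqueryparam ignores value
              and binds NULL, which is the behaviour the reply describes. --->
        <cfqueryparam value="#form.notes#" cfsqltype="cf_sql_varchar" maxlength="500"
                      null="#hasDeniedChars(form.notes)#">
    )
</cfquery>
```

The check runs on the server for every request, so it applies even when the cfinput validation in the browser has been bypassed.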
