My first ColdFusion 9 scoop - disable server side validation


Ok, this isn't a huge deal - it's no ORM or script based CFCs - however, this is something that has bugged me for a long time and I'm darn happy to see it fixed. As you know, or hopefully know, ColdFusion has long included a simple way to do server side form validation. This was achieved using form fields with certain names. While this feature was.... ok... it wasn't very graceful and no one I knew actually used the feature in production.

However - many people would get tripped up by it. If you accidentally named your form fields wrong, ColdFusion would validate them whether you wanted it to or not. You would see a post on CF-Talk about it, folks would mention the feature, the dev would rename his form fields, and life would go on.

Then came Facebook. It's a small social networking site. Maybe you heard of it? One of the ways Facebook's API can integrate with applications is via HTTP POST... and guess what? Facebook uses one of those 'bad' form field names. I mentioned this in my article on Facebook and ColdFusion integration. There is a workaround, but, wouldn't it be nice if you could just turn the darn feature off? Now you can.

Simply add this new setting within your Application.cfc:


And that's it. I recommend this for all ColdFusion 9 sites. Even if you know to avoid the 'special' form field names, a new developer may not, and this simply makes the problem go away.

p.s. You can set it in the cfapplication tag as well, but we've all migrated to Application.cfc, right?
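
A check that goes with this recommendation, as an added example that is not part of the original post: a Python audit helper that flags form field names ending in a validation suffix and reports whether an Application.cfc turns the feature off with `this.serverSideFormValidation = false` (the setting as written in Comment 3 below). The suffix list, the function names and the sample template are assumptions constructed for illustration; verify the suffixes against the documentation for your ColdFusion version.

```python
import re

# Assumed legacy validation suffixes; verify against your ColdFusion docs.
LEGACY_SUFFIXES = ("_required", "_integer", "_float", "_range",
                   "_date", "_eurodate", "_time")
# name="..." on HTML or cfform controls.
FIELD_RE = re.compile(
    r"<\s*(?:cf)?(?:input|select|textarea)\b[^>]*?\bname\s*=\s*[\"']([^\"']+)[\"']",
    re.IGNORECASE)
# CFML, block and line comments, stripped before looking for the setting.
COMMENT_RE = re.compile(r"<!---.*?--->|/\*.*?\*/|//[^\n]*", re.DOTALL)
SETTING_RE = re.compile(
    r"\bthis\.serverSideFormValidation\s*=\s*(true|false|yes|no)\b", re.I)

# Constructed sample input (names not taken from Comment 3 are hypothetical).
SAMPLE_TEMPLATE = """
<form method="post">
  <input type="text" name="APP_SA_PERMIT_DATE">
  <input type="text" name="APP_SA_PERMIT_DATUM">
  <cfinput type="text" name="order_total_float">
  <select name="country"></select>
</form>
"""
SAMPLE_APP_CFC = """
component {
    // this.serverSideFormValidation = true;
    this.serverSideFormValidation = false;
}
"""

def find_magic_fields(template_text):
    """Return (field, suffix, base) for names ending in a legacy suffix."""
    hits = []
    for name in FIELD_RE.findall(template_text):
        for suffix in LEGACY_SUFFIXES:
            # Field names are case-insensitive; a bare suffix has no base.
            if name.lower().endswith(suffix) and len(name) > len(suffix):
                hits.append((name, suffix, name[:-len(suffix)]))
                break
    return hits

def validation_disabled(application_cfc_text):
    """True only if the last live assignment of the setting turns it off."""
    code = COMMENT_RE.sub("", application_cfc_text)
    values = SETTING_RE.findall(code)
    return bool(values) and values[-1].lower() in ("false", "no")

if __name__ == "__main__":
    print(find_magic_fields(SAMPLE_TEMPLATE), validation_disabled(SAMPLE_APP_CFC))
```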

About Raymond Camden

Raymond is a senior developer evangelist for Adobe. He focuses on document services, JavaScript, and enterprise cat demos.

Archived Comments

Comment 1 by Simon posted on 7/13/2009 at 5:41 PM

I would rather see it as a global setting in the administrator. If you want it you can enable it via your application.cfc

Comment 2 by Raymond Camden posted on 7/13/2009 at 5:42 PM

I'm more of a fan of application settings. To me, it makes it more obvious what options are enabled/disabled for my application.

Comment 3 by Martin posted on 3/1/2012 at 10:15 PM

Hi Ray

It seems as if my CF Box 9,0,1,274733 does not obey to this setting done in application.cfc as this (even after restart of server):

this.serverSideFormValidation = false;

Other settings like this, for example this.datasource, are observed.

I have a form field APP_SA_PERMIT_DATE ... this gets swallowed. There is no APP_SA_PERMIT alone. If I rename it to German _DATUM, it appears in the form scope.

A bug? Any hints?

Thank you

Comment 4 by Raymond Camden posted on 3/1/2012 at 10:16 PM

By swallowed you mean the implicit form handling kicks in?

Comment 5 by Martin posted on 3/1/2012 at 10:30 PM

Yes. It is not present in the form scope.

In a service (I use fw/1) I have this code

var afld = ListToArray (arguments.Data.Fieldnames);
for (fld in afld) { }

The function's argument Data is provided with form ... despite fw/1, I want to protect against all ambiguities .. so I call this fw/1 service with { data = form }

I now checked the form scope without fw/1 service ... and to my surprise, it is there ... hmmmm

I will go and clear any of CF's caches I can find ...