
I've just experienced a behaviour that defies any logic and could potentially lead to serious issues and was wondering if it was a bug or if the behaviour was intended and what are the best practices to circumvent the issue? If it's a bug, is there a patch?

Here's the two weird behaviours that when put together are a threat to any system's data integrity.

  1. int('1 2') -> 41276
  2. isValid('numeric', '1 2') -> true

Why? Well let's see...

<cffunction name="deleteSomething" access="public" returntype="void">
    <cfargument name="somethingId" type="numeric" required="yes">

    <cfquery datasource="#dsn()#">
        DELETE
        FROM Something
        WHERE id = <cfqueryparam cfsqltype="cf_sql_integer" value="#arguments.somethingId#">;
    </cfquery>

</cffunction>


<cfset deleteSomething('1 2')>

Here, the type="numeric" arguments validation (which perhaps is based on the same algorithm as isValid?) doesn't throw with '1 2'. Even worse, cfqueryparam cfsqltype="cf_sql_integer" seems to be using int to convert the value which will end up being 41276.

In other words, deleteSomething('1 2') will delete the entity with id 41276 instead of throwing an exception since the value 1 2 is obviously not numeric.

Now, the only fix I thought of is to perform additional argument validation using isValid('integer', ... or a regular expression, but that's a real pain and besides, I never understood why they haven't implemented type="integer"?

Obviously, I also always made the false assumption that cfqueryparam type="cf_sql_integer" would validate that the value passed is a valid integer.

EDIT:

It seems that even isvalid('integer', ... is also not reliable as we can see in "Why isvalid("integer","1,5") = YES?"

EDIT2:

I know that I could add additional arguments validation for every expected integer argument in every function, however that would require fixing a huge code base in my case and it's also very error-prone. It also makes the built-in argument validation completely useless in this case.

I would prefer a solution where I could create and apply an unofficial patch. Is that a realistic option? If so I would like to be pointed in the right direction.

EDIT3: It doesn't solve all the problems, but CF11 added support for a strictNumberValidation application level configuration.

"Starting from ColdFusion 11, this function evaluates on a more strict basis. Setting this value to false makes the isValid function behave in the older way. This setting affects cfargument, cfparam and cfform tags wherever integer & numeric validation is used. Based on this setting, the validation reflects in those tags as well."

4

2 Answers

2

This is a variation on the theme of another question. Look at this code (or run it on cflive.net):

<cfscript>
s = "1 2";
i = int(s);
v = isValid("numeric", s);
d = createOdbcDate(s);
writeDump([s,i,v,d]);
</cfscript>

s converts to 41276 when passed through int(), and when it is used as the input to createOdbcDate(), we get:

January, 02 2013 00:00:00 +0000

So "1 2" is being interpreted as "m d", with the implied year being the current year.

This is completely stupid. But there you go.

Answered 2013-10-02T15:52:29.617
0

You can use a regular expression to find out whether there are any non-numeric characters in a given form field:

reFind( "[^\d-]", "1 2")

This will match any character that is not a digit or -

If you only want to check positive numbers, you can use

reFind( "[^\d]", "1 2")

If this returns true, you do not have an integer.

Answered 2013-10-02T18:02:22.213
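To make the failure mode and the mitigation concrete, here is an added Python example; it is not ColdFusion code and not from the question or either answer. It models the date arithmetic the first answer describes ("1 2" read as month/day of the current year, then converted to a date serial) next to the strict integer check the question asks for and the regex the second answer proposes. It assumes that ColdFusion date serials count days from 1899-12-30 (the ODBC/Excel origin) and pins the "current year" to 2013, when the thread was written, so that "1 2" maps to 2 January 2013 and serial 41276; the function names, the in-memory rows dictionary and the sample ids are hypothetical and constructed for the demo.

```python
import re
from datetime import date
from typing import Optional

# Assumption: ColdFusion date serials count days from 1899-12-30 (ODBC/Excel origin).
CF_EPOCH = date(1899, 12, 30)
STRICT_INT = re.compile(r"^-?\d+$")                        # whole string is an optionally signed integer
MONTH_DAY = re.compile(r"^\s*(\d{1,2})\s+(\d{1,2})\s*$")   # "1 2" -> month 1, day 2


def cf_date_serial(d: date) -> int:
    """Integer value int() yields for a date under the epoch assumption above."""
    return (d - CF_EPOCH).days


def loose_int(value: str, year: int = 2013) -> int:
    """Model of the loose coercion described in the thread: a plain integer string
    converts directly, while "m d" is read as a date in `year` (pinned to 2013, the
    year of the thread, so the result is reproducible)."""
    if STRICT_INT.fullmatch(value):
        return int(value)
    m = MONTH_DAY.match(value)
    if m:
        return cf_date_serial(date(year, int(m.group(1)), int(m.group(2))))
    raise ValueError(f"cannot coerce {value!r} to an integer")


def is_strict_integer(value) -> bool:
    """Strict check: only digit strings with an optional leading '-' pass.
    Rejects '1 2', '1,5', '1.0', '' and anything that is not a string."""
    return isinstance(value, str) and STRICT_INT.fullmatch(value) is not None


def answer2_is_integer(value: str) -> bool:
    """The second answer's test: no character other than digits or '-'.
    Caveat: '1-2', '--' and '' all pass it, so it is weaker than STRICT_INT."""
    return re.search(r"[^\d-]", value) is None


def unsafe_delete(something_id: str, rows: dict) -> Optional[int]:
    """Mirrors the original deleteSomething(): the 'numeric' check lets '1 2'
    through, the integer coercion turns it into 41276, and that row is deleted.
    Returns the id actually removed, or None if nothing matched."""
    key = loose_int(something_id)            # '1 2' -> 41276
    return key if rows.pop(key, None) is not None else None


def safe_delete(something_id: str, rows: dict) -> Optional[int]:
    """Hardened variant: validate the raw string before any coercion happens."""
    if not is_strict_integer(something_id):
        raise ValueError(f"somethingId is not an integer: {something_id!r}")
    key = int(something_id)
    return key if rows.pop(key, None) is not None else None


def demo() -> dict:
    """Constructed sample table; reports what each variant did with '1 2'."""
    rows = {1: "one", 2: "two", 12: "twelve", 41276: "victim"}   # constructed data
    deleted_by_unsafe = unsafe_delete("1 2", dict(rows))
    try:
        safe_delete("1 2", dict(rows))
        deleted_by_safe = "no error"
    except ValueError:
        deleted_by_safe = "rejected"
    return {"unsafe": deleted_by_unsafe, "safe": deleted_by_safe}


if __name__ == "__main__":
    print(loose_int("1 2"))   # 41276
    print(demo())
```

The point of `safe_delete` is that the check runs on the original string, before `int()` or the query parameter ever sees it; once the value has been coerced, the fact that it started life as "1 2" is gone. `answer2_is_integer` is kept alongside to show why `[^\d-]` is a partial fix: it rejects the space, but it also lets "1-2" through, so a full-string pattern such as `^-?\d+$` is the safer choice.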