Reputation: 12619
CFForm vs Form in Coldfusion
I have been using plain forms and input fields in coldfusion for some time now but recently discovered that cfinput tags will automagically prevent some xss attacks for me. This has made me wonder, if there is any disadvantages to using cffrom and cfinput over normal form and input tags in coldfusion.
The only disadvantage I have found in the short time looking into it is that it adds 2 external style sheets and 1 script tag to the page.
so in short:
What are the advantages and disadvantages of using CFFORM over FORM in coldfusion?
Upvotes: 6
Views: 8009
Answers (4)
Reputation: 10473
I have been using ColdFusion for almost 14 years. The reason that CF is such a kick-ass product is that empowers new users to get a lot of work done quickly with not much understanding and it enables rocket scientists to build really powerful and secure applications quickly too.
CFFFORM, CFINPUT, CFLAYOUT, CFPOD are tags that are created for new users. Basically, they are training wheels. If you're new to web development, you should give this tags a try. As you gain experience, you'll want to drop these tags and move onto other techniques to create more robust applications.
There's nothing wrong with these tags, just like there's nothing wrong with training wheels. You just need to know that there's an appropriate tool for each job. Actually, there are lots of appropriate tools for each job.
Currently, I am developing a ColdFusion 9 / jQuery / SQL Server intranet that builds external web sites. I am doing it without using a single form tag. And, I am doing it completely in CFSCRIPT. Whoa!
Using jQuery, you don't need forms. You just need inputs. Here's how I create an input in CFSCRIPT.
<cfscript>
Options = "";
for (i = 1; i lte 10; i++) {
Options = Options & wrapOption("Some choice #i# ", i);
}
SelectBox = wrapSelect(Options, "MySelectID");
writeOutput(SelectBox);
SecretDiv = wrapDiv("", "", "MyDivID");
writeOutput(SecretDiv);
</cfscript>
The user defined functions to create the HTML are in my UDF_Library.cfm file:
// WRAP SELECT
function wrapSelect(SelectContent, Class, ID) {
LOCAL.SelectContent = ARGUMENTS.SelectContent;
LOCAL.Properties = "";
// CLASS
if (isDefined("ARGUMENTS.Class")) {
LOCAL.Properties = LOCAL.Properties & " class='#ARGUMENTS.Class#'";
}
// ID
if (isDefined("ARGUMENTS.ID")) {
LOCAL.Properties = LOCAL.Properties & " id='#ARGUMENTS.ID#'";
}
LOCAL.Item = "<select #LOCAL.Properties#>#LOCAL.SelectContent#</select>";
return LOCAL.Item;
}
// WRAP OPTION
function wrapOption(Content, Value, Selected) {
LOCAL.Content = ARGUMENTS.Content;
LOCAL.Properties = " value='#ARGUMENTS.Value#'";
// SELECTED
if (isDefined("ARGUMENTS.Selected") and (ARGUMENTS.Selected eq "selected")) {
LOCAL.Properties = LOCAL.Properties & " selected";
}
LOCAL.Item = "<option #LOCAL.Properties#>#LOCAL.Content#</option>";
return LOCAL.Item;
}
// CREATE DIV
function wrapDiv(Content, Class, ID) {
LOCAL.Properties = "";
// CLASS
if (isDefined("ARGUMENTS.Class")) {
LOCAL.Properties = LOCAL.Properties & " class='#ARGUMENTS.Class#'";
}
// ID
if (isDefined("ARGUMENTS.ID")) {
LOCAL.Properties = LOCAL.Properties & " id='#ARGUMENTS.ID#'";
}
LOCAL.Item = "<div #LOCAL.Properties#>#ARGUMENTS.Content#</div>";
return LOCAL.Item;
}
I use jQuery and refer to every element by its class or ID. If you do that, you can submit the data in each element to an ajax call like this:
<script type="text/javascript">
$(document).ready(function() {
$("#MySelectID").change(function() {
MyID = $("#MySelectID").val();
$("#MySecretDiv").load("CoolQuery.cfm?UserID"+MyID);
});
});
</script>
The point is, that as long as you are using CFFORM and CFINPUT, you can't do all the really powerful jQuery stuff. But, you need those tags to get started.
2012 is going to be a kick-ass year for the power of ColdFusion and jQuery!!!
Good luck!
Upvotes: 4
Reputation: 4475
I haven't used ColdFusion's CFInput in a long while. I've been using the jQuery Validation plugin so that I can perform validation on other things like:
- is the element visible? (ie, hide a section if not essential, but eliminate the requirement if not shown.)
- is a checkbox checked? (ie, you checked "other", now fill-in-the-blank is required.)
- is it a valid date/time value? (ie, I additionally use the DateJS library to assist in this)
- perform ajax query to determine if username is unique
- is the URL entered valid?
- compare password1 with password2
- custom rules based on a combination of things
Most validation rules can be added inline to the class parameter:
<input type="text" name="Name" class="required">
<input type="text" name="Birthdate" class="required date">
<input type="text" name="Email" class="required email">
<input type="text" name="Website" class="url">
I prefer to use jQuery because sometimes I need to add this same logic to a non-ColdFusion based form and I don't have to worry about the fact the CFInput is a ColdFusion-Only tag.
Here's a link with more information regarding the jQuery Validation library:
http://bassistance.de/jquery-plugins/jquery-plugin-validation/
Upvotes: 1
Reputation: 32885
I have a love-hate relationship with <cfform> & <cfinput>.
To have the same xss protection that CFFORM provides, just wrap htmlEditFormat() around value="" in regular like so:
<input name="x" value="#htmlEditFormat(x)#">
For even better XSS protection, use OWASP Enterprise Security API (.jar included in one of the CF9 latest hotfixes)
I love how I can do ajaxified form easily without writing JS, but I hate how it generates lots of ugly JavaScript and loads up lots of JS and css files for something rather simple. So I've decided to use cfform for internal sites only and not for public facing site (performance issue).
Other then the ajax features, the checked attribute that accepts CF boolean and populating select with query object are features that cfinput and cfselect provide which can be quite useful.
Use the right tool for the right job. If you found the feature of <cfform> useful, use it. Just know its limitations, and decide for yourself.
Upvotes: 5
Reputation: 3382
I prefer to write my own JS around my forms. I started out with cfform back in the day, but eventually wanted to do more robust things (validations, etc) than cfform was able to handle. That forced me to learn JS, and I've been very happy writing my own JS since.
So I guess I'd say one big drawback is that you're restricted to what cfform can handle. Depending on your situation, that might be fine.
Another drawback that I ran into a long time ago (which to be fair, may have been addressed since), is that the JS generated by cfform would conflict or interfere with my hand-written JS.
It'll certainly come down to preference. It's neither "right" nor "wrong" to use cfform or regular forms. For me, I prefer to be able to do whatever manipulation I need to do manually, as there are no restrictions/limitations.
Upvotes: 10
Related Questions
- How to use a <form> tag within a coldfusion <cfscript>
- Coldfusion: form.fieldname and session.fieldname
- How can I pass variables from 2 separate forms on one cfm to another cfm in coldfusion?
- Process ColdFusion Form with Component
- How do I process a form using a CFC in ColdFusion 11?
- ColdFusion submitting a form
- Where to put a cfquery in a Coldfusion Form
- Allowing CFFILE and CFFTP to work within the same CFFORM
- CFDIV, and CFFORM not working right inside a CFWINDOW
- <cfform> inside cfscript component