Earlier versions of CF didn't let a comma slip through to mess up SQL statements. This version does. Not only that, but the JavaScript code in cfform.js, if extracted and run separately against a <form..>..</form> rather than a <cfform..>..</cfform>, does trap and reject commas. By the way, this is true of validate="date" and validate="float" also. I submitted a bug report on 9/14/15 and have had no response so far. I notice that there were reports of this on this forum back in 2014. Any thoughts other than abandon cfform?