While sanitizing user-provided data, I encountered a string that ColdFusion evaluated as a date, but SQL Server didn’t agree with due to "out of range" for the date SQL Server data type. The date was 7/22/22019
.
I was curious to see what the max limit was and discovered that ColdFusion 2016 & 2018 behave differently when validating date. Apparently 12/31/292278993
is a valid date in CF2016 & 2018, but the next year doesn’t exist in CF2016. ("1/1 - 9/8" month/days are valid in CF2016, but time ceases to exist on/after 9/10/292278993
.)
I'm not sure why these dates are considered valid. If I try to store these "dates" into either Microsoft SQL Server or MySQL, both will throw an "out of range" error. Even creating an inline java-based CFQuery throws an error. If you use CreateODBCDate() using ColdFusion 2018, it will throw a hard "uncatcheable" error which can't be prevented using try/catch.
Since upgrading to ColdFusion 2016, I've had to write my own custom validation functions to deal with the shortcomings of Adobe's changes regarding how it validates integers, URLs, email... and now dates.
Here's a quick proof-of-concept script:
TryCF.com Demo
https://trycf.com/gist/01e14657a47846bb3aa7ca88295b8832
Top comments (0)