c676228 wrote:
Hi everyone,
I just realized that it's so important to validate each string, I mean
'each', before you insert data from an ASP page into a database.
I guess some customers just copy data from some electronic document
and paste it into a form field, which will probably mess up the program.
For example, we have a customer who wants to enter AH12345 into one
of our fields; it appears as ??12345 in a hidden field of our ASP page,
but it displayed AH12345 to the customer, and our program failed
because the data does not fit into the char field in the SQL database.
I don't know how, in reality, other companies deal with this kind of
thing. Do I have to write our own regExp to validate each string, since
we do need to allow an apostrophe or "-" in a first name or last name?
Can you shed some light on this for me?
It depends on your goal. If your goal is solely to make sure the length
of the string is not too great, then you do not need a regular
expression for that. Simply use the Len function (if using vbscript on
the server) to validate the string before inserting it into the database
table.
However, given your desire to prevent apostrophes and hyphens, it sounds
as if you also have the laudable goal of preventing SQL Injection. You
can stop a good portion of SQL Injection attacks by validating your
data. However, an experienced hacker will have no problem defeating your
defences if all you do is prevent apostrophes and hyphens. The only sure
way to prevent SQL Injection is to stop using dynamic sql, i.e., stop
concatenating user inputs into strings containing sql statements. Use
parameters instead. Since you are using SQL Server (I think), my
preference would be to use stored procedures using the
"procedure-as-connection-method" technique to pass the parameter values:
http://groups.google.com/group/micro...09dc1701?hl=en
However, if you don't want to go down the learning path required for
stored procedures, you can still use parameters via ODBC parameter
markers. See:
http://groups-beta.google.com/group/...e36562fee7804e
You still should validate your data in server-side code, if only to
detect hack attempts (you don't really want to store garbage in your
database, do you?).
Unfortunately, I'm no regexp expert, so someone will need to jump in
here. This google search result may contain some examples:
http://groups.google.com/groups?sour...ns&sa=N&tab=xg
Just be aware that you will need to learn how to write these regexp
validations yourself: some data fields will need to store strings that
could look like SQL Injection attempts (O'Malley), so you will need to
at least be able to modify the examples you are given.
--
Microsoft MVP -- ASP/ASP.NET
Please reply to the newsgroup. The email account listed in my From
header is my spam trap, so I don't check it very often. You will get a
quicker response by posting to the newsgroup.
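As an added example, not code from the original thread or from the linked posts, here is how the answer's advice looks in one classic ASP page written in VBScript with ADO: a Len check and an allow-list RegExp on the server side, the dynamic-SQL statement that must not be used (commented out for contrast), an INSERT with ODBC "?" parameter markers through an ADODB.Command, and the same insert done by calling a stored procedure as a method of the Connection object. The form field names, the Customers table and its columns, the connection string held in Application("ConnectionString"), the InsertCustomer procedure and the "two letters then five digits" format of the AH12345 field are all assumptions made for the example; the thread does not define any of them.

```vbscript
<%
Option Explicit

' ADO constants, normally pulled in from adovbs.inc; declared here so the
' page stands alone.
Const adCmdText = 1
Const adVarChar = 200
Const adParamInput = 1
Const adExecuteNoRecords = 128

' ---- 1. Server-side validation (rejects garbage, exposes hack attempts) ----

' A pure length check only needs Len; no regexp required.
Function IsValidLength(value, maxLen)
    IsValidLength = (Len(value) > 0) And (Len(value) <= maxLen)
End Function

' Allow-list check with VBScript's RegExp object.
Function MatchesPattern(value, pattern)
    Dim re
    Set re = New RegExp
    re.Pattern = pattern
    MatchesPattern = re.Test(value)
End Function

' Names: letters, spaces, apostrophes and hyphens, so O'Malley and
' Smith-Jones pass. Account code: two upper-case letters then five digits
' (AH12345); that format is an assumption, the thread does not define it.
' Anything outside these sets, including look-alike characters pasted from
' a word processor that later show up as "??", fails here instead of
' reaching the database.
Const NAME_PATTERN = "^[A-Za-z][A-Za-z' -]*$"
Const CODE_PATTERN = "^[A-Z]{2}[0-9]{5}$"

' ---- 2. What NOT to do: dynamic SQL ----------------------------------------
' Even after validation, a legitimate last name such as O'Malley breaks this
' statement, and any field you cannot restrict as tightly as a name becomes
' an injection point. Left commented out only for contrast.
' conn.Execute "INSERT INTO Customers (FirstName, LastName, AccountCode) " & _
'              "VALUES ('" & firstName & "', '" & lastName & "', '" & accountCode & "')"

' ---- 3. ODBC parameter markers via ADODB.Command ---------------------------
Sub InsertWithMarkers(cn, firstName, lastName, accountCode)
    Dim cmd
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = cn
    cmd.CommandType = adCmdText
    cmd.CommandText = "INSERT INTO Customers (FirstName, LastName, AccountCode) " & _
                      "VALUES (?, ?, ?)"
    ' Each value is sent as a typed parameter; the provider never parses it
    ' as SQL text, so the apostrophe in O'Malley is just data.
    cmd.Parameters.Append cmd.CreateParameter("FirstName",   adVarChar, adParamInput, 50, firstName)
    cmd.Parameters.Append cmd.CreateParameter("LastName",    adVarChar, adParamInput, 50, lastName)
    cmd.Parameters.Append cmd.CreateParameter("AccountCode", adVarChar, adParamInput, 7,  accountCode)
    cmd.Execute , , adExecuteNoRecords
End Sub

' ---- 4. Stored procedure called as a method of the Connection object -------
' Assumes a procedure such as
'   CREATE PROCEDURE InsertCustomer @FirstName varchar(50), @LastName varchar(50),
'                                   @AccountCode char(7) AS INSERT ...
' exists (assumption; not shown in the thread). ADO exposes it as a method on
' the open connection and passes the arguments as parameters, never as text.
Sub InsertViaProcedure(cn, firstName, lastName, accountCode)
    cn.InsertCustomer firstName, lastName, accountCode
End Sub

' ---- Page logic -------------------------------------------------------------
Dim firstName, lastName, accountCode
firstName   = Trim(Request.Form("FirstName"))      ' field names are assumed
lastName    = Trim(Request.Form("LastName"))
accountCode = Trim(Request.Form("AccountCode"))

If Not (IsValidLength(firstName, 50) And MatchesPattern(firstName, NAME_PATTERN)) _
   Or Not (IsValidLength(lastName, 50) And MatchesPattern(lastName, NAME_PATTERN)) _
   Or Not MatchesPattern(accountCode, CODE_PATTERN) Then
    ' Log the rejected input and Request.ServerVariables("REMOTE_ADDR") here
    ' so attempts are visible; then refuse the request.
    Response.Status = "400 Bad Request"
    Response.Write "Invalid input."
    Response.End
End If

Dim conn
Set conn = Server.CreateObject("ADODB.Connection")
conn.Open Application("ConnectionString")           ' assumed to be set in global.asa

InsertWithMarkers conn, firstName, lastName, accountCode
' or, with the procedure in place:
' InsertViaProcedure conn, firstName, lastName, accountCode

conn.Close
Set conn = Nothing
%>
```

The Len limits and the parameter sizes (50, 50, 7) have to match the actual column widths, which is exactly the case the original poster hit: a value that renders fine in the browser but is longer than the char column once it reaches SQL Server. The RegExp object is available in VBScript 5 and later, and the patterns above are the kind you will need to adjust per field, since a pattern strict enough for an account code would wrongly reject O'Malley in a name column.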