Bytes | Software Development & Data Engineering Community

do you have your own regEXp to validate your string

Hi everyone,
I just realized that it's so important to validate each string, I mean
'each', before you insert data from an asp page into the database.
I guess some customers just copy data from some electronic document and
paste it into a form field, which will probably mess up the program.
For example, we have a customer who wants to enter AH12345 into one of our
fields; it appears as АН12345 in the hidden field of our asp page, but it is
displayed as AH12345 to the customer, and our program failed because the data
does not fit into the char field in the sql database.
I don't know, in reality, how other companies deal with this kind of thing.
Do I have to write our own regExp to validate each string, since we do need to
allow an apostrophe or "-" in a first name or last name?
Can you shed some light on me?

--
Betty
Sep 11 '06 #1
It depends on your goal. If your goal is solely to make sure the length
of the string is not too great, then you do not need a regular
expression for that. Simply use the Len function (if using vbscript on
the server) to validate the string before inserting it into the database
table.

However, given your desire to prevent apostrophes and hyphens, it sounds
as if you also have the laudable goal of preventing SQL Injection. You
can stop a good portion of SQL Injection attacks by validating your
data. However, an experienced hacker will have no problem defeating your
defences if all you do is prevent apostrophes and hyphens. The only sure
way to prevent SQL Injection is to stop using dynamic sql, i.e., stop
concatenating user inputs into strings containing sql statements. Use
parameters instead. Since you are using SQL Server (I think), my
preference would be to use stored procedures using the
"procedure-as-connection-method" technique to pass the parameter values:
http://groups.google.com/group/micro...09dc1701?hl=en

However, if you don't want to go down the learning path required for
stored procedures, you can still use parameters via ODBC parameter
markers. See:
http://groups-beta.google.com/group/...e36562fee7804e
You still should validate your data in server-side code, if only to
detect hack attempts (you don't really want to store garbage in your
database, do you?)
Unfortunately, I'm no regexp expert, so someone will need to jump in
here. This google search result may contain some examples:
http://groups.google.com/groups?sour...ns&sa=N&tab=xg

Just be aware that you will need to learn how to write these regexp
validations yourself: some data fields will need to store strings that
could look like SQL Injection attempts (O'Malley), so you will need to
at least be able to modify the examples you are given.

--
Microsoft MVP -- ASP/ASP.NET
Please reply to the newsgroup. The email account listed in my From
header is my spam trap, so I don't check it very often. You will get a
quicker response by posting to the newsgroup.
Sep 11 '06 #2

Building on what Bob says, RegExp is just one tool in the box.
Sometimes it's the best one to use, but more often others, such as the
built-in functions (Len(), CLng(), Replace(), Instr() etc [VBScript])
will do what you want and are easier to work with.

The important thing to remember is to never rely on clientside
validation (not that you said you are). Clientside validation acts
solely as a convenience to 90% of your users (those that have
javascript enabled), but is easily defeated.

Specifically dealing with RegExp, once you get the hang of it, it's not
too difficult to use. There are also libraries of pre-written
expressions that you can utilise as well, e.g. regexlib.com

--
Mike Brind

Sep 12 '06 #3
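The two replies above make three points that are easier to see in running code: check length and character set with plain functions before reaching for a regular expression, let the regular expression allow the apostrophes and hyphens that real names contain, and move the SQL injection defence out of validation and into parameters. The following is an added example, not code from the thread, from Bob's or Mike's posts, or from the Bytes site. It is written in Python with an in-memory sqlite3 table standing in for the classic ASP / SQL Server setup the thread describes; the column width of 50, the code format of two letters plus five digits, the table and column names and the sample submissions (including a Cyrillic look-alike of "AH12345", which is the effect the original poster describes) are all constructed assumptions for the demonstration.

```python
import re
import sqlite3
import unicodedata

# Constructed sample submissions. "lookalike_code" mimics the original poster's
# case: the letters render like Latin "AH" but are Cyrillic A (U+0410) and
# EN (U+041D), so the bytes differ from what the customer sees on screen.
SAMPLE_INPUTS = {
    "good_code": "AH12345",
    "lookalike_code": "\u0410\u041d12345",
    "name_with_apostrophe": "O'Malley",
    "name_with_hyphen": "Smith-Jones",
    "too_long": "A" * 60,
}

MAX_NAME_LEN = 50  # assumed width of the char column; the thread gives no number

# Assumed field shapes: a reference code of two capitals plus five digits, and a
# person name. The name pattern deliberately permits apostrophe, hyphen and space,
# which is exactly the requirement the original poster raised.
CODE_RE = re.compile(r"^[A-Z]{2}[0-9]{5}$")
NAME_RE = re.compile(r"^[A-Za-z][A-Za-z' -]{0,49}$")


def non_ascii_chars(value):
    """Return (char, Unicode name) for each character outside printable ASCII.

    This is the check that exposes the look-alike problem: the browser draws
    Cyrillic and Latin letters identically, but they are different code points
    and will not fit a non-Unicode char column.
    """
    return [(ch, unicodedata.name(ch, "UNKNOWN"))
            for ch in value if not 0x20 <= ord(ch) < 0x7F]


def validate_code(value):
    """Plain-function checks first (length, character set), regex last."""
    if len(value) > 7:
        return False, "too long"
    bad = non_ascii_chars(value)
    if bad:
        return False, "non-ASCII characters: " + ", ".join(name for _, name in bad)
    if not CODE_RE.match(value):
        return False, "does not match the expected code format"
    return True, ""


def validate_name(value):
    """Same layering for a name field; apostrophe and hyphen are allowed."""
    if len(value) > MAX_NAME_LEN:
        return False, "too long"
    if non_ascii_chars(value):
        return False, "non-ASCII characters"
    if not NAME_RE.match(value):
        return False, "contains characters outside letters, apostrophe, hyphen and space"
    return True, ""


def insert_name_parameterised(conn, name):
    """Safe insert: the value travels as a parameter, never inside the SQL text."""
    conn.execute("INSERT INTO customers (last_name) VALUES (?)", (name,))
    row = conn.execute("SELECT last_name FROM customers WHERE last_name = ?",
                       (name,)).fetchone()
    return row[0]


def insert_name_dynamic(conn, name):
    """Dynamic SQL, shown for comparison only: the value is concatenated in.

    A perfectly legitimate name such as O'Malley already breaks the statement,
    which is why rejecting apostrophes in validation is the wrong fix and
    parameters are the right one.
    """
    try:
        conn.execute("INSERT INTO customers (last_name) VALUES ('" + name + "')")
        return "ok"
    except sqlite3.OperationalError as exc:
        return "error: " + str(exc)


def demo():
    """Run every check on the constructed inputs and return the outcomes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (last_name TEXT)")
    results = {
        "code_ok": validate_code(SAMPLE_INPUTS["good_code"])[0],
        "code_lookalike": validate_code(SAMPLE_INPUTS["lookalike_code"])[0],
        "code_lookalike_reason": validate_code(SAMPLE_INPUTS["lookalike_code"])[1],
        "name_apostrophe": validate_name(SAMPLE_INPUTS["name_with_apostrophe"])[0],
        "name_hyphen": validate_name(SAMPLE_INPUTS["name_with_hyphen"])[0],
        "name_too_long": validate_name(SAMPLE_INPUTS["too_long"])[0],
        "param_insert": insert_name_parameterised(conn, "O'Malley"),
        "dynamic_insert": insert_name_dynamic(conn, "O'Malley"),
    }
    conn.close()
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running it shows the look-alike code rejected with the offending Unicode names in the reason, O'Malley and Smith-Jones accepted by the name rule, the parameterised insert storing O'Malley intact, and the concatenated statement failing on the same harmless name. In the classic ASP setting the thread is about, the parameterised half corresponds to the ADO Command object with its Parameters collection, or the stored-procedure approach Bob links to; the validation half is the Len/Instr-style checking Mike describes, with the regular expression used only once the cheap checks have passed.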
Thank you, Mike and Bob. I think I need to validate each form field before
inserting it into the database, using RegExp and some functions provided by the
system, like Mike mentioned.
--
Betty
Sep 14 '06 #4
