
need bullet proof input validator

P: n/a
SLH
Hi people. I'm trying to validate input received via a text area on an ASP
page before writing it to a database. I can't use client-side JavaScript due
to policy, so it all has to happen on the server. Here is what I was trying,
but pieces of it continue to break for one reason or another. The thinking
behind this function was like this:

If the input is less than 10 characters long, fail.
If it's 10 characters or greater, but it doesn't appear to contain any words,
fail. (I try this by breaking up the input at space characters into an
array. Valid input should have several spaces, indicating several words.)
If there are 3 consecutive spaces, fail. (This can't be valid.)
Then if all that passes, I need to make sure no words are longer than 10
characters. (By looping through the words in the array.)

Different parts of this fail at different times. For instance, if the data
has a newline, it fails. (Not sure why. Is a newline looked at as 3 spaces?)
Since there are too many moving parts here, I was hoping someone else might
have a better approach to validating the input.
Thanks for any help.

Function IsGoodInput(str)
    IsGoodInput = True
    Dim MyArray, i
    MyArray = Split(str, " ")
    ' Fail if too short, if there are 3 consecutive spaces, or if there is only one word
    If Len(str) < 10 Or InStr(str, "   ") <> 0 Or UBound(MyArray) = 0 Then
        IsGoodInput = False
    Else
        ' Fail if any word is longer than 10 characters
        For i = 0 To UBound(MyArray)
            If Len(MyArray(i)) > 10 Then
                IsGoodInput = False
                Exit For
            End If
        Next
    End If
End Function
Oct 2 '06 #1
43 Replies


P: n/a

Use regular expressions.

Oct 2 '06 #2

P: n/a
SLH

"Larry Bud" <la**********@yahoo.com> wrote in message
news:11**********************@m7g2000cwm.googlegroups.com...
> Use regular expressions.

Thanks, sounds great. I was kinda hoping for help though. Maybe in the form
of a good example? Regular expressions aren't exactly my strong point.
Oct 2 '06 #3

P: n/a
SLH wrote on 02 Oct 2006 in microsoft.public.inetserver.asp.general:

>> Use regular expressions.
>
> Thanks, sounds great. I was kinda hoping for help though. Maybe in the
> form of a good example? Regular expressions aren't exactly my strong
> point.

We all had to learn.
The best help is if you start off, and we go along.

--
Evertjan.
The Netherlands.
(Please change the x'es to dots in my emailaddress)
Oct 2 '06 #4

P: n/a
try this
Function IsGoodInput(str)

    IsGoodInput = True
    Dim MyArray, i

    'Remove double spaces
    '----------------------------
    Do
        str = Replace(Trim(str), "  ", " ")
    Loop While InStr(str, "  ") > 0

    MyArray = Split(str, " ")

    'check min length
    ' if the input is less than 10 characters long, fail.
    '---------------------------------------------------------------
    If Len(str) < 10 Then
        IsGoodInput = False
        Exit Function
    End If

    'if its 10 characters or greater, but it doesnt appear to contain any words,
    'fail. (i try this by breaking up the input at space characters into an
    'array. valid input should have several spaces, indicating several words)
    '
    'make sure no words are longer than 10 characters. (?)
    '(by looping through the words in the array)
    '--------------------------------------------------------

    If Len(str) < 10 Or InStr(str, "   ") <> 0 Or UBound(MyArray) = 0 Then
        IsGoodInput = False
        Exit Function
    Else
        For i = 0 To UBound(MyArray)
            If Len(MyArray(i)) > 10 Then
                IsGoodInput = False
                Exit Function
            End If
        Next
    End If
End Function
Oct 2 '06 #5

P: n/a
SLH
Thank you! Here is what I have now:

Function IsGoodInput(str)
    IsGoodInput = True
    Dim MyArray, i
    ' Collapse runs of spaces down to a single space
    Do While InStr(str, "  ") > 0
        str = Replace(Trim(str), "  ", " ")
    Loop
    ' Length limits: 10 to 1000 characters
    If Len(str) < 10 Or Len(str) > 1000 Then
        IsGoodInput = False
        Exit Function
    End If
    MyArray = Split(str, " ")
    ' A single element means there were no spaces, so only one word
    If UBound(MyArray) = 0 Then
        IsGoodInput = False
        Exit Function
    Else
        ' No word may be longer than 10 characters
        For i = 0 To UBound(MyArray)
            If Len(MyArray(i)) > 10 Then
                IsGoodInput = False
                Exit Function
            End If
        Next
    End If
End Function

I'm trying to see if/where this will fail, and so far all I can see is that if
I enter:

line1
line2

it fails. I guess because there are no spaces, only a newline after the
first word.
Can you see anything clever to fix it so that this input would be valid?
Oct 2 '06 #6

P: n/a
replace(str, vbnewline," " )
Oct 2 '06 #7

P: n/a
SLH
Thank you.
That wouldn't work because when I later write the data from the DB to the
HTML page I need to preserve formatting, including newlines.
It's OK though. I realize that NO input will be valid without a space, so I
should be OK.

Thanks for your help.
Oct 2 '06 #8

P: n/a
assign str to tempStr then validate - if ok, then save str
Oct 2 '06 #9

P: n/a
SLH
Hey, I have to duplicate this function in JavaScript. The only part I'm
struggling with is the following:

Do While InStr(str, "  ") > 0
    str = Replace(Trim(str), "  ", " ")
Loop

The JavaScript replace function sucks. It only replaces the first occurrence
of what you're looking for.... Any ideas?
Oct 2 '06 #10

P: n/a
In addition to suggestions here, I'd also check to see if the strings "<%" or "%>" are
in the input, and if they are, invalidate the input and ban the IP address.

Of course, you'll want to set up the test strings like this:
    strBad1 = "<" & "%"
    strBad2 = "%" & ">"

After that, see if the characters "<" or ">" are in the string, and if they are, invalidate
the input.
Oct 2 '06 #11
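
An added example, not code from any poster in the thread: the "<"/">" check from the post above next to encoding at output time, which also keeps the line breaks SLH wants preserved when the stored text is written back to an HTML page. It is written in JavaScript, the other language the thread works in; the function names and sample strings are assumptions, and in classic ASP the escaping step corresponds to Server.HTMLEncode.

```javascript
// Added example: compare the reject-on-"<"/">" check with encoding at output.
// Function names and sample strings are constructed for illustration.

const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// The input-time check from the post: true means the input would be rejected.
function containsAngleBracket(text) {
  return /[<>]/.test(text);
}

// Encode every character that has meaning in HTML text or attribute values.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Render stored textarea content into an HTML page. Escape first, then add
// the <br> tags, so the only markup in the result is what this function adds.
// CRLF is matched before a lone CR or LF so one line break gives one <br>.
function renderStoredText(text) {
  return escapeHtml(text).replace(/\r\n|\r|\n/g, "<br>\n");
}

// Constructed sample inputs, as a textarea would submit them.
const samples = [
  "first line\r\nsecond line",
  "set x < 10 and y > 2",
  "<b>bold</b> & 'quoted' text",
];

for (const s of samples) {
  console.log(JSON.stringify({
    rejectedByBracketCheck: containsAngleBracket(s),
    rendered: renderStoredText(s),
  }));
}
```

The second sample is ordinary prose that the bracket check turns away, while the encoder stores it unchanged and displays it as typed.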

P: n/a
http://www.tizag.com/javascriptT/jav...ng-replace.php
Oct 3 '06 #12

P: n/a
SLH
almost... but that only makes one pass at the string.
so if there are 4 spaces, it replaces that with 2 spaces, but then leaves it
alone.
i somehow have to continue to loop through the string while there are 2
spaces in a row... just like the VBS one.

im going to go play, but do you have any ideas?


"Jon Paal" <Jon nospam Paal @ everywhere dot com> wrote in message
news:12*************@corp.supernews.com...
> http://www.tizag.com/javascriptT/jav...ng-replace.php
>
> "SLH" <SL*@SLH.SLH> wrote in message
> news:%2****************@TK2MSFTNGP04.phx.gbl...
>> hey i have to duplicate this function in javascript. the only part im
>> struggling with is the following:
>>
>> Do While InStr(str,"  ") > 0
>>     str = Replace(Trim(str),"  "," ")
>> Loop
>>
>> the javascript replace function sucks. it only replaces the first
>> occurrence of what youre looking for.... any ideas?
>>
>> "Jon Paal" <Jon nospam Paal @ everywhere dot com> wrote in message
>> news:12*************@corp.supernews.com...
>>> assign str to tempStr then validate - if ok, then save str
>>>
>>> "SLH" <SL*@SLH.SLH> wrote in message
>>> news:uJ*************@TK2MSFTNGP02.phx.gbl...
>>>> thank you.
>>>> that wouldnt work because when i later write the data from the DB to
>>>> the html page i need to preserve formatting, including newlines.
>>>> its ok though. i realize that NO input will be valid without a space.
>>>> so i should be ok.
>>>>
>>>> thanks for your help
>>>>
>>>> "Jon Paal" <Jon nospam Paal @ everywhere dot com> wrote in message
>>>> news:12*************@corp.supernews.com...
>>>>> replace(str, vbnewline," " )
>>>>>
>>>>> "SLH" <SL*@SLH.SLH> wrote in message
>>>>> news:%2****************@TK2MSFTNGP05.phx.gbl...
>>>>>> thank you! here is what i have now:
>>>>>>
>>>>>> Function IsGoodInput(str)
>>>>>> IsGoodInput = True
>>>>>> Dim MyArray, i
>>>>>> Do While InStr(str,"  ") > 0
>>>>>>     str = Replace(Trim(str),"  "," ")
>>>>>> Loop
>>>>>> If Len(str) < 10 Or Len(str) > 1000 Then
>>>>>>     IsGoodInput = False
>>>>>>     Exit Function
>>>>>> End if
>>>>>> MyArray = Split(str, " ")
>>>>>> If UBound(MyArray) = 0 Then
>>>>>>     IsGoodInput = False
>>>>>>     Exit Function
>>>>>> Else
>>>>>>     For i = 0 To UBound(MyArray)
>>>>>>         If Len(MyArray(i)) > 10 Then
>>>>>>             IsGoodInput = False
>>>>>>             Exit Function
>>>>>>         End If
>>>>>>     Next
>>>>>> End If
>>>>>> End Function
>>>>>>
>>>>>> im trying to see if/where this will fail and so far all i can see is
>>>>>> that if i enter:
>>>>>>
>>>>>> line1
>>>>>> line2
>>>>>>
>>>>>> it fails. i guess because there are no spaces. only a newline after
>>>>>> the first word.
>>>>>> can you see anything clever to fix it so that this input would be
>>>>>> valid?




Oct 3 '06 #13

P: n/a
SLH
if i HHTPEncode the string before i write it to the database, that should
take care of that... no?


"Victor" <vi*@vic.com> wrote in message
news:eO*************@TK2MSFTNGP02.phx.gbl...
> In addition to suggestions here, I'd also check to see if the strings "<%"
> or "%>" are in the input, and if it is, invalidate the input and ban the
> IP address.
>
> Of course, you'll want to set up the test strings like this:
> strBad1 = "<" & "%"
> strBad2 = "%" & ">"
>
> After that, see if the characters "<" or ">" are in the string, and if it
> is, invalidate the input.

"SLH" <SL*@SLH.SLH> wrote in message
news:uf**************@TK2MSFTNGP05.phx.gbl...
>hi people. im trying to validate input received via a text area on an ASP
page before writing it to a database. i cant use client side javascript
due
to policy, so it all has to happen on the server. here is what i was
trying,
but pieces of it continue to break for one reason or another. the
thinking
behind this function was like this:

if the input is less than 10 characters long, fail.
if its 10 characters or greater, but it doesnt appear to contain any
words,
fail. (i try this by breaking up the input at space characters into an
array. valid input should have several spaces, indicating several words)
if there are 3 consecutive spaces, fail. (this cant be valid).
then if all that passes, i need to make sure no words are longer than 10
characters. (by looping through the words in the array)

different parts of this fail at different times. for instance if the data
has a newline, it fails (not sure why. is a newline looked at as 3
spaces?)
since there are too many moving parts here i was hoping someone else
might
have a better approach to validating the input.
thanks for any help.
Function IsGoodInput(str)
IsGoodInput = True
Dim MyArray, i
MyArray = Split(str, " ")
If Len(str) < 10 Or InStr(str, " ") <0 Or UBound(MyArray) = 0 Then
IsGoodInput = False
Else
For i = 0 To UBound(MyArray)
If Len(MyArray(i)) > 10 Then
IsGoodInput = False
Exit For
End If
Next
End If
End Function



Oct 3 '06 #14

P: n/a
SLH
this seems to work nicely:

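function replaceall(str, lookfor, changeto) {
  // trim leading and trailing spaces first
  str = str.replace(/^\s*|\s*$/g, "");
  // an empty search string, or a replacement that contains the search
  // string, would keep the loop below running forever
  if (lookfor === "" || changeto.indexOf(lookfor) > -1) return str;
  var temp = str;
  var i = temp.indexOf(lookfor);
  // replace() with a string pattern changes only the first match, so repeat
  while (i > -1) {
    temp = temp.replace(lookfor, changeto);
    i = temp.indexOf(lookfor);
  }
  return temp;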
}




Oct 3 '06 #15
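
The whitespace handling worked out in the posts above, as an added example that is not code from any poster: it validates a whitespace-normalized copy, so a newline counts as a word separator, and takes its argument ByVal so the text the caller stores keeps its newlines. The 10/1000/10 limits come from the thread; the constant names, the helper name and the sample inputs are assumptions.

```vbscript
Option Explicit
' Added example (not from the thread). Limits follow the posts above;
' constant and helper names are hypothetical.
Const MIN_LEN = 10        ' shortest acceptable input
Const MAX_LEN = 1000      ' longest acceptable input
Const MAX_WORD_LEN = 10   ' longest acceptable single word

' Collapse every run of whitespace (space, tab, CR, LF) to one space.
' A single regex pass replaces the Do...Loop over Replace(), and it treats
' a newline as a word separator, so "line1<CRLF>line2" counts as two words.
Function NormalizeWhitespace(ByVal s)
    Dim re
    Set re = New RegExp
    re.Global = True
    re.Pattern = "\s+"
    NormalizeWhitespace = Trim(re.Replace(s, " "))
End Function

' ByVal matters: VBScript passes arguments ByRef by default, so a function
' that reassigns its parameter also rewrites the caller's variable, and the
' text written to the database would lose its newlines.
Function IsGoodInput(ByVal str)
    Dim tmp, words, i
    IsGoodInput = False
    tmp = NormalizeWhitespace("" & str)        ' "" & copes with Empty or Null
    If Len(tmp) < MIN_LEN Or Len(tmp) > MAX_LEN Then Exit Function
    words = Split(tmp, " ")
    If UBound(words) = 0 Then Exit Function    ' a single word only
    For i = 0 To UBound(words)
        If Len(words(i)) > MAX_WORD_LEN Then Exit Function
    Next
    IsGoodInput = True
End Function

' Constructed sample inputs. Run with cscript, or drop the two functions
' into an ASP page and call IsGoodInput on the posted form value.
Dim samples, n
samples = Array( _
    "line1" & vbCrLf & "line2", _
    "four    spaces in a row here", _
    "short", _
    "supercalifragilistic is too long a word")
For n = 0 To UBound(samples)
    WScript.Echo IsGoodInput(samples(n)) & vbTab & _
                 Replace(samples(n), vbCrLf, "\r\n")
Next
```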

P: n/a
Victor wrote:
> In addition to suggestions here, I'd also check to see if
> the strings "<%" or "%>" are in the input, and if it is,
> invalidate the input and ban the IP address.

That's just plain stupid.

For one thing, you imply that the server will somehow respond to the text as
though it should switch context and execute the contents. This is UTTERLY
without merit. It cannot happen because the script is parsed *before* it is
interpreted. Context blocks are already determined before those strings are
ever encountered.

Secondly, you imply that there is no legitimate reason to use those
character sequences while simultaneously using those character sequences to
make your "suggestion". This is pure hypocrisy.

Lastly, you cannot effectively ban a user by "banning the IP address".
Besides introducing a hurdle for anyone behind the same proxy as your
"offender", you assume the user has a static address.

--
Dave Anderson

Unsolicited commercial email will be read at a cost of $500 per message. Use
of this email address implies consent to these terms.
Oct 3 '06 #16

P: n/a
SLH wrote:
> if i HHTPEncode the string before i write it to the
> database, that should take care of that... no?

You mean HTMLEncode?

In my opinion (and in my shop), it is preferable to store the input AS
ENTERED. This leads to the decision of what is allowable. If we decide to
allow free-form text, we always *display* that text with
Server.HTMLEncode().

If not, we audit the input for format compatibility and reject it when it
does not fit. That way, our database always reflects *EXACTLY* what the user
submitted.

Among other things, this makes searching more accurate and abbreviates the
need to perform stupid "compatibility" validation. It also makes our
processes more robust, since this approach does not permit us to take
shortcuts on security.

--
Dave Anderson

Unsolicited commercial email will be read at a cost of $500 per message. Use
of this email address implies consent to these terms.
Oct 3 '06 #17

P: n/a
SLH
thanks Dave.

so youre saying validate the input when submitted, write it to the database
AS IS, then Server.HTMLEncode as i pull it FROM the database to display on
the page?

"Dave Anderson" <NY**********@spammotel.com> wrote in message
news:OD**************@TK2MSFTNGP06.phx.gbl...
> Victor wrote:
>> In addition to suggestions here, I'd also check to see if
>> the strings "<%" or "%>" are in the input, and if it is,
>> invalidate the input and ban the IP address.
>
> That's just plain stupid.
>
> For one thing, you imply that the server will somehow respond to the text
> as though it should switch context and execute the contents. This is
> UTTERLY without merit. It cannot happen because the script is parsed
> *before* it is interpreted. Context blocks are already determined before
> those strings are ever encountered.
>
> Secondly, you imply that there is no legitimate reason to use those
> character sequences while simultaneously using those character sequences
> to make your "suggestion". This is pure hypocrisy.
>
> Lastly, you cannot effectively ban a user by "banning the IP address".
> Besides introducing a hurdle for anyone behind the same proxy as your
> "offender", you assume the user has a static address.
>
> --
> Dave Anderson
>
> Unsolicited commercial email will be read at a cost of $500 per message.
> Use of this email address implies consent to these terms.

Oct 3 '06 #18

P: n/a
SLH wrote:
> thanks Dave.
>
> so youre saying validate the input when submitted, write it to
> the database AS IS, then Server.HTMLEncode as i pull it FROM
> the database to display on the page?

Mostly, yes.

If your validation PRECLUDES the possibility of unwanted characters, then
HTMLEncode might be considered superfluous. I would certainly not criticize
you for using it anyway.

I am also saying that by using the right approach, you can limit your
validation to something as little as string length (since your DB field
almost certainly requires you to check for that).

The decision to forego validation DOES mean you must protect yourself from
SQL injection, however. This is best done with parametrized stored
procedures, IMO. It is also fairly convenient to use the
SP-as-method-of-connection technique when inserting the data, though it is
not always possible.

--
Dave Anderson

Unsolicited commercial email will be read at a cost of $500 per message. Use
of this email address implies consent to these terms.
Oct 3 '06 #19

P: n/a
SLH

"Dave Anderson" <NY**********@spammotel.com> wrote in message
news:%2****************@TK2MSFTNGP04.phx.gbl...
> SLH wrote:
>> thanks Dave.
>>
>> so youre saying validate the input when submitted, write it to
>> the database AS IS, then Server.HTMLEncode as i pull it FROM
>> the database to display on the page?
>
> Mostly, yes.
>
> If your validation PRECLUDES the possibility of unwanted characters, then
> HTMLEncode might be considered superfluous. I would certainly not
> criticize you for using it anyway.

i have a field where it could be perfectly valid to submit "<%" or "%>" for
example.
since i would want to allow this input, how would you recommend i go about
the whole thing to make it as sound as possible?

> I am also saying that by using the right approach, you can limit your
> validation to something as little as string length (since your DB field
> almost certainly requires you to check for that).
>
> The decision to forego validation DOES mean you must protect yourself from
> SQL injection, however. This is best done with parametrized stored
> procedures, IMO. It is also fairly convenient to use the
> SP-as-method-of-connection technique when inserting the data, though it is
> not always possible.
>
> --
> Dave Anderson
>
> Unsolicited commercial email will be read at a cost of $500 per message.
> Use of this email address implies consent to these terms.

Oct 3 '06 #20

P: n/a
SLH wrote:
> i have a field where it could be perfectly valid to
> submit "<%" or "%>" for example.
> since i would want to allow this input, how would you
> recommend i go about the whole thing to make it as sound
> as possible?

Well, the display is a solved problem: Server.HTMLEncode().

As for storing it in a database, that depends on the database. What are you
using?

--
Dave Anderson

Unsolicited commercial email will be read at a cost of $500 per message. Use
of this email address implies consent to these terms.
Oct 3 '06 #21

P: n/a
SLH

"Dave Anderson" <NY**********@spammotel.com> wrote in message
news:12*************@corp.supernews.com...
> SLH wrote:
>> i have a field where it could be perfectly valid to
>> submit "<%" or "%>" for example.
>> since i would want to allow this input, how would you
>> recommend i go about the whole thing to make it as sound
>> as possible?
>
> Well, the display is a solved problem: Server.HTMLEncode().
>
> As for storing it in a database, that depends on the database. What are you
> using?

its Access for now. couldnt i just store it in the database as is then
HTMLEncode as its coming out to be displayed?
hope so because thats how it is as of now

> --
> Dave Anderson
>
> Unsolicited commercial email will be read at a cost of $500 per message.
> Use of this email address implies consent to these terms.

Oct 3 '06 #22

P: n/a
SLH wrote:
>> As for storing it in a database, that depends on the database.
>> What are you using?
>
> its Access for now. couldnt i just store it in the database as
> is then HTMLEncode as its coming out to be displayed?
> hope so because thats how it is as of now

Yes. That is precisely what I would do.

However, I haven't got a clue about preventing SQL injection in Access,
since it does not have stored procedures. I suppose you can just escape your
single quotes, but that's just a swing in the dark.


--
Dave Anderson

Unsolicited commercial email will be read at a cost of $500 per message. Use
of this email address implies consent to these terms.
Oct 3 '06 #23

P: n/a
SLH

"Dave Anderson" <NY**********@spammotel.com> wrote in message
news:12*************@corp.supernews.com...
> SLH wrote:
>>> As for storing it in a database, that depends on the database.
>>> What are you using?
>>
>> its Access for now. couldnt i just store it in the database as
>> is then HTMLEncode as its coming out to be displayed?
>> hope so because thats how it is as of now
>
> Yes. That is precisely what I would do.
>
> However, I haven't got a clue about preventing SQL injection in Access,
> since it does not have stored procedures. I suppose you can just escape
> your single quotes, but that's just a swing in the dark.

Access does in fact have stored procedures. im using them for some pages but
not others.
where i dont use them i replace single quotes with 2 single quotes

thanks for your help

> --
> Dave Anderson
>
> Unsolicited commercial email will be read at a cost of $500 per message.
> Use of this email address implies consent to these terms.

Oct 3 '06 #24

P: n/a


"Dave Anderson" <NY**********@spammotel.com> wrote in message
news:12*************@corp.supernews.com...
> SLH wrote:
>
> However, I haven't got a clue about preventing SQL injection in Access,
> since it does not have stored procedures.

It's very similar to how you would do it in SQL Server. Instead of a stored
procedure, you create a saved query. However, saved queries are just that -
saved individual sql statements, with parameters if you want. You would
call them in exactly the same way as with stored procs:

conn.qMySavedQuery parm1, parm2, parm3...

Access 2003 will even let you use similar syntax to SQL Server:

CREATE PROCEDURE qMySavedQuery
AS
INSERT INTO tbl
(
fld1,
fld2,
fld3
)
VALUES
(
@textvalue1,
@textvalue2,
@textvalue3
)

You don't declare the parameters or give their datatypes. Older versions of
Access will automatically surround parameter markers with [ ] brackets, and
some silly things go on if you open the query in design view. But, for
Access users, they are as effective against SQL Injection as stored procs in
SQL Server.

--
Mike Brind
Oct 4 '06 #25

P: n/a
Dave Anderson wrote:
> SLH wrote:
>>> As for storing it in a database, that depends on the database.
>>> What are you using?
>>
>> its Access for now. couldnt i just store it in the database as
>> is then HTMLEncode as its coming out to be displayed?
>> hope so because thats how it is as of now
>
> Yes. That is precisely what I would do.
>
> However, I haven't got a clue about preventing SQL injection in
> Access, since it does not have stored procedures.

That's not relevant. SQL Injection can occur in SQL Server even (especially)
when stored procedures are not being used. Any application that uses dynamic
sql instead of parameters is vulnerable to injection. Preventing injection
for Jet involves the same techniques as preventing it for SQL Server: it
all boils down to: don't use concatenation to insert user inputs into sql
statements; use parameters.

> I suppose you can
> just escape your single quotes, but that's just a swing in the dark.

While this will certainly be more effective with Jet than for SQL Server,
using parameters will prevent any loopholes.

--
Microsoft MVP - ASP/ASP.NET
Please reply to the newsgroup. This email account is my spam trap so I
don't check it very often. If you must reply off-line, then remove the
"NO SPAM"
Oct 4 '06 #26

P: n/a
Bob Barrows [MVP] wrote:
>> I haven't got a clue about preventing SQL injection in
>> Access, since it does not have stored procedures.
>
> That's not relevant...don't use concatenation to insert
> user inputs into sql statements; use parameters.

Well, it certainly is relevant to my point. I had already recommended
parameterized stored procedures, and was merely making the point that, since
I know little about Access (other than the fact that it does not have SPs),
I could not offer a suggestion. I made that knowing full well that
concatenation is the problem.

I was unaware that Access has saved queries because I generally lose
interest in a thread as soon as Access is mentioned.

--
Dave Anderson

Unsolicited commercial email will be read at a cost of $500 per message. Use
of this email address implies consent to these terms.
Oct 4 '06 #27

P: n/a

"Dave Anderson" <NY**********@spammotel.com> wrote in message
news:12*************@corp.supernews.com...
> Bob Barrows [MVP] wrote:
>>> I haven't got a clue about preventing SQL injection in
>>> Access, since it does not have stored procedures.
>>
>> That's not relevant...don't use concatenation to insert
>> user inputs into sql statements; use parameters.
>
> Well, it certainly is relevant to my point. I had already recommended
> parameterized stored procedures, and was merely making the point that,
> since I know little about Access (other than the fact that it does not
> have SPs), I could not offer a suggestion. I made that knowing full well
> that concatenation is the problem.

It's not relevant to preventing SQL injection in Access/SQL Server. You
can use the Command object and parameter markers in your ASP page. No need
for stored procs/saved queries at all.

--
Mike Brind
Oct 4 '06 #28
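
The approach the replies above converge on, written out as an added example that is not code from any poster: the text is stored as entered through an ADO Command with a parameter marker, and Server.HTMLEncode is applied only when it is written to the page. The database path, the table "comments", the column "body" and the form field "comment" are assumptions.

```vbscript
<%@ Language="VBScript" %>
<%
Option Explicit
' Added example (not from the thread). The database path, table "comments",
' column "body" and form field "comment" are hypothetical.
Const adCmdText = 1             ' ADO constants, defined here so that
Const adParamInput = 1          ' adovbs.inc is not needed
Const adLongVarWChar = 203      ' Unicode memo / long text
Const adExecuteNoRecords = 128
Const MAX_LEN = 1000            ' upper limit used in the thread

Dim conn, cmd, rs, body
body = "" & Request.Form("comment")

Set conn = Server.CreateObject("ADODB.Connection")
conn.Open "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=" & _
          Server.MapPath("/data/site.mdb")

' Length is the only check needed before storage; it also keeps the
' parameter size below from being zero.
If Len(body) >= 1 And Len(body) <= MAX_LEN Then
    ' The text travels as a parameter value, never as part of the SQL
    ' string, so single quotes and ASP script delimiters in it are stored
    ' exactly as entered and cannot change the statement.
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = adCmdText
    cmd.CommandText = "INSERT INTO comments (body) VALUES (?)"
    cmd.Parameters.Append cmd.CreateParameter("body", adLongVarWChar, _
                                              adParamInput, Len(body), body)
    cmd.Execute , , adExecuteNoRecords
    Set cmd = Nothing
End If

' Encode at output time. Encode first, then add the <br> markup, so the
' only tags in the result are the ones this page wrote and the stored
' newlines are still shown as line breaks.
Set rs = conn.Execute("SELECT body FROM comments")
Do Until rs.EOF
    Response.Write "<p>" & _
        Replace(Server.HTMLEncode("" & rs("body").Value), vbCrLf, "<br>") & _
        "</p>" & vbCrLf
    rs.MoveNext
Loop
rs.Close
conn.Close
%>
```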

P: n/a
Well, the only reason why someone would put "%>" or "<%" in an input string is because
they are a baddie, so you'll want to ban their IP with extreme prejudice because it
makes good sense to do so.

"SLH" wrote...
> if i HHTPEncode the string before i write it to the database, that should
> take care of that... no?
>
> "Victor" wrote...
>> In addition to suggestions here, I'd also check to see if the strings "<%"
>> or "%>" are in the input, and if it is, invalidate the input and ban the
>> IP address.
>>
>> Of course, you'll want to set up the test strings like this:
>> strBad1 = "<" & "%"
>> strBad2 = "%" & ">"
>>
>> After that, see if the characters "<" or ">" are in the string, and if it
>> is, invalidate the input.

Oct 4 '06 #29

P: n/a
You yourself have typed it twice in this thread alone.

On Wed, 04 Oct 2006 11:39:31 -0500, Victor <vi*@vic.com> wrote:
> Well, the only reason why someone would put "%>" or "<%" in an input
> string is because they are a baddie, so you'll want to ban their IP with
> extreme prejudice because it makes good sense to do so.
>
> "SLH" wrote..
>> if i HHTPEncode the string before i write it to the database, that
>> should take care of that... no?
>>
>> "Victor" wrote...
>>> In addition to suggestions here, I'd also check to see if the strings
>>> "<%" or "%>" are in the input, and if it is, invalidate the input and
>>> ban the IP address.
Oct 4 '06 #30

P: n/a
Victor wrote:
> Well, the only reason why someone would put "%>" or "<%" in an
> input string is because they are a baddie, so you'll want to ban
> their IP with extreme prejudice because it makes good sense to
> do so.

Hypocrite.

--
Dave Anderson

Unsolicited commercial email will be read at a cost of $500 per message. Use
of this email address implies consent to these terms.
Oct 4 '06 #31

P: n/a
You seem to grasp the obvious - thanks for noticing!

"Justin Piper" wrote...
> You yourself have typed it twice in this thread alone.
>
> On Wed, 04 Oct 2006 11:39:31 -0500, Victor wrote:
>> Well, the only reason why someone would put "%>" or "<%" in an input
>> string is because they are a baddie, so you'll want to ban their IP with
>> extreme prejudice because it makes good sense to do so.
>>
>> "SLH" wrote..
>>> if i HHTPEncode the string before i write it to the database, that
>>> should take care of that... no?
>>>
>>> "Victor" wrote...
>>>> In addition to suggestions here, I'd also check to see if the strings
>>>> "<%" or "%>" are in the input, and if it is, invalidate the input and
>>>> ban the IP address.

Oct 4 '06 #32

P: n/a

"Dave Anderson" wrote...
> Victor wrote:
>> Well, the only reason why someone would put "%>" or "<%" in an
>> input string is because they are a baddie, so you'll want to ban
>> their IP with extreme prejudice because it makes good sense to
>> do so.
>
> Hypocrite.

Cupcake.

Oct 4 '06 #33

P: n/a
Victor wrote:
>>> Well, the only reason why someone would put "%>" or "<%" in an
>>> input string is because they are a baddie, so you'll want to ban
>>> their IP with extreme prejudice because it makes good sense to
>>> do so.
>>
>> Hypocrite.
>
> Cupcake.

"Hypocrite" is germane to the discussion because it directly addresses the
fact that you used both "<%" and "%>" while asserting there was no
legitimate justification for doing so. "Cupcake" is off-topic.

--
Dave Anderson

Unsolicited commercial email will be read at a cost of $500 per message. Use
of this email address implies consent to these terms.
Oct 4 '06 #34

P: n/a
"Dave Anderson" wrote...
> Victor wrote:
>>>> Well, the only reason why someone would put "%>" or "<%" in an
>>>> input string is because they are a baddie, so you'll want to ban
>>>> their IP with extreme prejudice because it makes good sense to
>>>> do so.
>>>
>>> Hypocrite.
>>
>> Cupcake.
>
> "Hypocrite" is germane to the discussion because it directly addresses the
> fact that you used both "<%" and "%>" while asserting there was no
> legitimate justification for doing so. "Cupcake" is off-topic.

Hey, Dave, unless you haven't noticed I'm not typing this into a form field where there
is no justifiable reason for those delimiters, I'm typing it into a newsgroup where
there is a justifiable reason for the delimiters.

And "Cupcake" is perfectly on-topic for your behavior, bucko.

Oct 4 '06 #35

P: n/a
Victor wrote:
> Hey, Dave, unless you haven't noticed I'm not typing this into
> a form field where there is no justifiable reason for those
> delimiters, I'm typing it into a newsgroup where there is a
> justifiable reason for the delimiters.

So you believe such strings are not legitimate uses for users who post to
this group via web interfaces?

> And "Cupcake" is perfectly on-topic for your behavior, bucko.

How, exactly, does it relate to "need bullet proof input validator"?

--
Dave Anderson

Unsolicited commercial email will be read at a cost of $500 per message. Use
of this email address implies consent to these terms.
Oct 4 '06 #36

P: n/a
SLH
dont you all just love these battles of wits from people with way too much
time on their hands?
hey while we're at it why dont we discuss the pros and cons of bottom or top
posting?
and why its fine for millions to top post in email, but when it comes to a
newsgroup conversation
it somehow becomes way too complicated to scroll to the bottom and read up!
LOL

or howzabout the REAL old timers that get all bent when you post html
content to a newsgroup? now theres a funny one.
since theres not a server or client on the planet that has a problem with
html for the past 200 years!

people make me laugh

"Dave Anderson" <NY**********@spammotel.com> wrote in message
news:e$**************@TK2MSFTNGP04.phx.gbl...
> Victor wrote:
>> Hey, Dave, unless you haven't noticed I'm not typing this into
>> a form field where there is no justifiable reason for those
>> delimiters, I'm typing it into a newsgroup where there is a
>> justifiable reason for the delimiters.
>
> So you believe such strings are not legitimate uses for users who post to
> this group via web interfaces?
>
>> And "Cupcake" is perfectly on-topic for your behavior, bucko.
>
> How, exactly, does it relate to "need bullet proof input validator"?
>
> --
> Dave Anderson
>
> Unsolicited commercial email will be read at a cost of $500 per message.
> Use of this email address implies consent to these terms.

Oct 4 '06 #37

P: n/a

Victor wrote:
> "Dave Anderson" wrote...
>> Victor wrote:
>>>>> Well, the only reason why someone would put "%>" or "<%" in an
>>>>> input string is because they are a baddie, so you'll want to ban
>>>>> their IP with extreme prejudice because it makes good sense to
>>>>> do so.
>>>>
>>>> Hypocrite.
>>>
>>> Cupcake.
>>
>> "Hypocrite" is germane to the discussion because it directly addresses the
>> fact that you used both "<%" and "%>" while asserting there was no
>> legitimate justification for doing so. "Cupcake" is off-topic.
>
> Hey, Dave, unless you haven't noticed I'm not typing this into a form field where there
> is no justifiable reason for those delimiters, I'm typing it into a newsgroup where
> there is a justifiable reason for the delimiters.

If you had used Google groups or any of the other web interfaces to
Usenet rather than OE, and they subscribed to your suggested policy,
you wouldn't have been able to do so.
--
Mike Brind

Oct 4 '06 #38

P: n/a
"SLH" <SL*@SLH.SLH> wrote in message
news:%2****************@TK2MSFTNGP05.phx.gbl...
> "Dave Anderson" <NY**********@spammotel.com> wrote in message
> news:12*************@corp.supernews.com...
> ..
>> However, I haven't got a clue about preventing SQL injection in Access,
>> since it does not have stored procedures.
>
> Access does in fact have stored procedures.

Access does NOT in fact have stored procedures. It has saved queries.
Stored procedures are something else entirely.

--
Mike Brind
Oct 5 '06 #39

P: n/a
SLH
ah yes... luckily for me you have a serious OCD problem and couldn't let that
go, even though you knew EXACTLY what i meant.

"Mike Brind" <pa*******@hotmail.com> wrote in message
news:%2****************@TK2MSFTNGP06.phx.gbl...
> "SLH" <SL*@SLH.SLH> wrote in message
> news:%2****************@TK2MSFTNGP05.phx.gbl...
>> "Dave Anderson" <NY**********@spammotel.com> wrote in message
>> news:12*************@corp.supernews.com...
>> .
>>> However, I haven't got a clue about preventing SQL injection in Access,
>>> since it does not have stored procedures.
>>
>> Access does in fact have stored procedures.
>
> Access does NOT in fact have stored procedures. It has saved queries.
> Stored procedures are something else entirely.
>
> --
> Mike Brind

Oct 5 '06 #40

P: n/a
"SLH" <SL*@SLH.SLH> wrote in message
news:%2****************@TK2MSFTNGP04.phx.gbl...
> "Mike Brind" <pa*******@hotmail.com> wrote in message
> news:%2****************@TK2MSFTNGP06.phx.gbl...
>> "SLH" <SL*@SLH.SLH> wrote in message
>> news:%2****************@TK2MSFTNGP05.phx.gbl...
>>> "Dave Anderson" <NY**********@spammotel.com> wrote in message
>>> news:12*************@corp.supernews.com...
>>> .
>>>> However, I haven't got a clue about preventing SQL injection in Access,
>>>> since it does not have stored procedures.
>>>
>>> Access does in fact have stored procedures.
>>
>> Access does NOT in fact have stored procedures. It has saved queries.
>> Stored procedures are something else entirely.
>
> ah yes... luckily for me you have a serious OCD problem and couldn't let
> that go, even though you knew EXACTLY what i meant.

Oh, please. Get over yourself.

I corrected your factual inaccuracy for the benefit of others who come to
this group genuinely interested in learning something. They might not know
EXACTLY what you mean.

That kind of correction goes on all the time in this group, and other
technical groups where accuracy in terminology is important. No one else
gets touchy about it.

--
Mike Brind
Oct 5 '06 #41

P: n/a
"SLH" wrote...
> ah yes... luckily for me you have a serious OCD problem and couldn't let that
> go, even though you knew EXACTLY what i meant.

If you can't behave like a professional, SLH, you have no business being on this group.

Oct 22 '06 #42

P: n/a
little slow on responding to this thread dontcha think?
must be really bored

"Victor" <vi*@vic.com> wrote in message
news:eC**************@TK2MSFTNGP04.phx.gbl...
> "SLH" wrote...
>> ah yes... luckily for me you have a serious OCD problem and couldn't let
>> that go, even though you knew EXACTLY what i meant.
>
> If you can't behave like a professional, SLH, you have no business being
> on this group.



Oct 24 '06 #43

P: n/a
Awwwwwwwww....

Did cha miss me, cupcake? ;)

Vic

"AD man" wrote...
> little slow on responding to this thread dontcha think?
> must be really bored
>
> "Victor" wrote...
>> "SLH" wrote...
>>> ah yes... luckily for me you have a serious OCD problem and couldn't let
>>> that go, even though you knew EXACTLY what i meant.
>>
>> If you can't behave like a professional, SLH, you have no business being
>> on this group.

Oct 27 '06 #44

This discussion thread is closed
