
Regular expressions on server side

I need to check some text box, but if I put a validation control then it is on
the client side and some user can change the regular expression and make SQL
injection. I need to check this string on the server side with VB or C# code. Is
it possible, and how?

Thanks
Jul 31 '08 #1
On Jul 31, 6:33 am, "Igor" <nomyn...@gmail.com> wrote:
> I need to check some text box, but if I put a validation control then it is on
> the client side and some user can change the regular expression and make SQL
> injection. I need to check this string on the server side with VB or C# code. Is
> it possible, and how?
>
> Thanks

Generally speaking, client side validation is used to prevent
unnecessary posts to your server; you don't want to depend on it to
save your site from SQL injection attacks, as you've pointed out. I'm
assuming you are using the textbox you are wanting to validate
somewhere in your backend code, and where you are using it you need to
validate the input there. The classes you need for Regex validation
are in the System.Text.RegularExpressions namespace.

Thanks,

Seth Rowe [MVP]
http://sethrowe.blogspot.com/
Jul 31 '08 #2
On Jul 31, 2:33 pm, "Igor" <nomyn...@gmail.com> wrote:
> I need to check some text box, but if I put a validation control then it is on
> the client side and some user can change the regular expression and make SQL
> injection. I need to check this string on the server side with VB or C# code. Is
> it possible, and how?

ASP.NET validation controls do validation on the server; they also try
to do additional validation on the client where possible (to save a
roundtrip), but even if the user circumvents this, server-side
validation will still kick in.
Jul 31 '08 #3
Use parameters in your SqlCommand and then you won't get SQL injection.
Jul 31 '08 #4
On Jul 31, 6:33 am, "Igor" <nomyn...@gmail.com> wrote:
> I need to check some text box, but if I put a validation control then it is on
> the client side and some user can change the regular expression and make SQL
> injection. I need to check this string on the server side with VB or C# code. Is
> it possible, and how?
>
> Thanks

Yes, it's possible.

How?
Using the very same Regex :)
As a side note, besides checking your values for incorrect entries, you
should use parameterized queries:
http://aspnet101.com/aspnet101/tutorials.aspx?id=1
Jul 31 '08 #5
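
The advice in the replies above (a server-side check with System.Text.RegularExpressions plus a parameterized SqlCommand), as an added C# example that is not from any poster in this thread. The `Users` table, its columns, the user-name rule and the `UserLookup` class are hypothetical, and a reference to System.Data.SqlClient is assumed; the command is only built, not executed, so no database is needed.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Text.RegularExpressions;

static class UserLookup
{
    // Hypothetical rule: 3-20 ASCII letters, digits or underscores.
    // \A and \z anchor the whole string; $ would also match just before
    // a trailing newline, and \d or \w would accept non-ASCII characters.
    static readonly Regex UserNameRule = new Regex(@"\A[A-Za-z0-9_]{3,20}\z");

    // Runs on the server regardless of what the browser did with the
    // client-side copy of the expression.
    public static bool IsValidUserName(string input)
    {
        return input != null && UserNameRule.IsMatch(input);
    }

    // The text box value is sent as a parameter value and never becomes
    // part of the SQL text, whatever characters it contains.
    public static SqlCommand BuildLookup(string userName)
    {
        if (!IsValidUserName(userName))
            throw new ArgumentException("User name failed server-side validation.");

        var cmd = new SqlCommand("SELECT Id, Email FROM Users WHERE UserName = @name");
        cmd.Parameters.Add("@name", SqlDbType.NVarChar, 20).Value = userName;
        return cmd;
    }

    static void Main()
    {
        // Constructed sample inputs, as they might arrive from TextBox.Text.
        string[] samples = { "igor_08", "x' OR '1'='1", "igor_08\n" };
        foreach (string s in samples)
        {
            try
            {
                SqlCommand cmd = BuildLookup(s);
                Console.WriteLine("accepted: {0} -> {1}", s, cmd.CommandText);
            }
            catch (ArgumentException)
            {
                Console.WriteLine("rejected: {0}", s.Replace("\n", "\\n"));
            }
        }
    }
}
```

The regular expression enforces what the field is allowed to contain; the parameter is what keeps the value out of the SQL text, so the two checks are independent of each other.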
Peter Morris wrote:
> Use parameters in your SqlCommand and then you won't get SQL injection.

Not so. Using parameters makes it less likely that you'll suffer from SQL
injection, but it's still possible, depending on the actual SQL that's being
run. The same is true of stored procedures - using sprocs goes a long way
to preventing SQL injection, but it's not a magic bullet - even a sproc can
be subject to SQL injection depending on what it actually does (e.g. if it
makes use of sp_executesql internally).

-cd
Jul 31 '08 #6
Peter Morris wrote:
> Use parameters in your SqlCommand and then you won't get SQL injection.

He still needs to validate against XSS.

Arne
Aug 1 '08 #7
Carl Daniel [VC++ MVP] wrote:
> Peter Morris wrote:
>> Use parameters in your SqlCommand and then you won't get SQL injection.
>
> Not so. Using parameters makes it less likely that you'll suffer from SQL
> injection, but it's still possible, depending on the actual SQL that's being
> run.

If a text being assigned to a parameter is not interpreted
as a value but is interpreted as SQL then I will consider it
a bug in the library or the database, not in the app code.

Do you have any example of the problem (that you feel you can post)?

> The same is true of stored procedures - using sprocs goes a long way
> to preventing SQL injection, but it's not a magic bullet - even a sproc can
> be subject to SQL injection depending on what it actually does (e.g. if it
> makes use of sp_executesql internally).

I would say that SP does nothing at all against SQL injection. It
is just that approx. 99.999% of SP calls are done with parameters.

Arne
Aug 1 '08 #8
