Flyzone wrote:
Hello, i'm trying to paste copied text from word into an input box.
This text is saved into a oracle db and then used as text in another
javascript.
The problem is that using the saved text (encoded and decoded in the
db to avoid sql injection)
I daresay that is a wrong and therefore potentially dangerous solution. The
SQL injection attack *cannot* be prevented by storing the data encoded in
the database, but it has to take place before storing the data in the
database, when passing the arguments to the (server-side) database
modification feature, by properly escaping some delimiter characters in the
query string that could be exploited in injection code. I find it hard to
believe that the Oracle API for your programming language does not offer
something like PHP does for MySQL with mysql_real_esca pe_string().
http://php.net/mysql_real_escape_string
have some special char that block the javascript execution (i think
is unicode char).
What would "unicode char" be? See below.
So i would like to detect and delete this char with a javascript
function (i can't disable copy and paste), cause if i paste the text
copied in word into window notepad and then i copy from notepad ad i
paste again in my form i don't have problem.
ISTM your problem is that you are trying to fix the issues that have arisen
because you have been implementing a wrong and potentially dangerous
solution. And that you are apparently unable to spell the English pronoun
`I' properly.
Until now i used:
re = /\$|,|`|\'|\||\\ |\!|\./g;
Eeek.
var re = /[!$',.`|]/g;
There is no variable required anyway, you can use the RegExp literal as
argument as it is:
return str.replace(re, "");
return str.replace(/[!$',.`|]/g, "");
But is impossible to put all chars;
It is possible: /[\u0000-\uffff]/g
Depending on what you mean by "all", it may be possible to specify other
character ranges. But I think either would be unnecessary overkill here.
http://developer.mozilla.org/en/docs...ar_expressions
does exist any function that detect if a char is unicode or plain text,
or a paste special?
No. Firstly, it is a misconception of yours to believe that Unicode
characters were not plain text, and that there would be "paste specials".
Secondly, all strings are stored internally using the UTF-16LE encoding from
JavaScript 1.3, ECMAScript edition 3 forward, and so they must represent
characters in the Unicode character set. Whether some of those characters
are also part of other character sets, most notably that supported by the
7-bit US-ASCII encoding, is irrelevant.
http://en.wikipedia.org/wiki/Unicode
Thirdly, ECMAScript implementations are Unicode-safe from edition 3 forward.
That includes identifiers. So it would only be probable that your encoded
string contains characters that are interpreted as control characters like
newline in eval(), in which case you should not use eval() or escape e.g.
"\n" with "\\n", respectively.
Like I said, you should forego the idea of encoding all the information in
your database completely (unless there are further security requirements to
consider) and properly escape your storing query string instead.
HTH
PointedEars
--
Anyone who slaps a 'this page is best viewed with Browser X' label on
a Web page appears to be yearning for the bad old days, before the Web,
when you had very little chance of reading a document written on another
computer, another word processor, or another network. -- Tim Berners-Lee