
users using &, ", ', and other chars in input fields

I have a general question about how people generally tend to deal with
users' data that they enter.

As an example, users enter double quotes in a text field surrounding a
specific piece of text they want to highlight, and then it barfs during
the Oracle insert step because the string is not properly delimited.

Another example is where the ampersand causes trouble when used on an
XML page, so provisions are made to insert it into the table
using the ASCII equivalent &amp;. But the field is only 25 characters,
so when a string with 25 characters that has an ampersand is being
input and we change the ampersand to the ASCII equivalent, we now have
more than 25 characters and the update fails because we have
too many characters. We could truncate them before the insert, or we
could write some code to deal with them on the client.

Others copy and paste from Word documents into a text field, and in it
there are hidden formatting fields like bullets.

The users barf and complain about the application, but what we have here
is bad data.

How do most handle these?

Mike

Jul 20 '05 #1
5 Replies


"Michael Hill" <hi****@ram.lmtas.lmco.com> wrote in message
news:40***************@ram.lmtas.lmco.com...
I have a general question about how people generally tend to deal with
users' data that they enter.

I use something like the following; watch for word-wrap.
function validate() {
  var form = document.forms[0];
  // Suffix for the alert: closes the quoted field name, then lists the characters.
  var regs = "'\n\nInvalid characters: \" & '";
  // Reject any field containing a double quote, ampersand or single quote.
  var regx = /["&']/;
  for (var i = 0; i < form.elements.length; i++) {
    if (regx.test(form.elements[i].value)) {
      alert("Invalid character(s) in '" + form.elements[i].name + regs);
      return false;
    }
  }
  return true;
}

Jul 20 '05 #2


"Michael Hill" <hi****@ram.lmtas.lmco.com> wrote in message
news:40***************@ram.lmtas.lmco.com...
I have a general question about how people generally tend to deal with
users' data that they enter.

As an example, users enter double quotes in a text field surrounding a
specific piece of text they want to highlight, and then it barfs during
the Oracle insert step because the string is not properly delimited.

Another example is where the ampersand causes trouble when used on an
XML page, so provisions are made to insert it into the table
using the ASCII equivalent &amp;. But the field is only 25 characters,
so when a string with 25 characters that has an ampersand is being
input and we change the ampersand to the ASCII equivalent, we now have
more than 25 characters and the update fails because we have
too many characters. We could truncate them before the insert, or we
could write some code to deal with them on the client.

Others copy and paste from Word documents into a text field, and in it
there are hidden formatting fields like bullets.

The users barf and complain about the application, but what we have here
is bad data.

How do most handle these?

Mike


Your Oracle problems come from fiddling with SQL text and text literals. Use
prepared statements and statement parameters to prevent such problems. That
means do not use

"insert into tab(col) values ('" + colVal + "')"

but use

"insert into tab(col) values (?)" (JDBC syntax) or something similar for
OCI.

When generating HTML pages/forms containing data from the database you
should always be aware of invalid characters in the data. Use a proper
escaping function to handle that. I would advise escaping to ASCII only
instead of UTF-8 but that is a matter of taste.

Regards,

Silvio Bierman
Jul 20 '05 #3
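An added example, not code from the thread, putting Silvio's two points together: the 25-character column stays usable if the raw value is stored and escaping happens only when the page is rendered, and the SQL text never changes if the value is bound as a parameter. The `escapeHtml`, `fitsColumn` and `buildInsert` names, the 25-character sample string and the `{sql, params}` shape are assumptions for illustration, not a driver API.

```javascript
// Added example (not from the thread). Store the raw value, escape only at
// output, and keep the SQL text constant so quotes in data cannot alter it.
const COLUMN_WIDTH = 25;  // the 25-character Oracle column from the question

// Escape the characters that are significant in HTML/XML text and
// attribute values. Apply at render time, never before storage.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Length check against the column, done on the raw value. Done on the
// escaped value instead, it rejects any string near the limit that holds
// an ampersand or a quote, which is the failure the question describes.
function fitsColumn(value, width) {
  return value.length <= (width === undefined ? COLUMN_WIDTH : width);
}

// Shape of a parameterized insert (not a driver API): the statement text
// is fixed and the value is bound separately, so it never becomes SQL.
function buildInsert(colVal) {
  return { sql: "insert into tab(col) values (?)", params: [colVal] };
}

// The concatenated form Silvio warns against, kept for comparison; a
// single quote in colVal ends the literal early and the insert fails.
function buildInsertConcat(colVal) {
  return "insert into tab(col) values ('" + colVal + "')";
}

// Constructed sample: exactly 25 characters, with an ampersand and quotes.
const sample = 'Smith & Sons "ACME" 12345';

console.log(fitsColumn(sample), fitsColumn(escapeHtml(sample)));  // true false
console.log(escapeHtml(sample));
console.log(buildInsert("O'Brien"));
console.log(buildInsertConcat("O'Brien"));
```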

"McKirahan" <Ne**@McKirahan.com> wrote in message
news:B7iSb.140326$sv6.763636@attbi_s52...
"Michael Hill" <hi****@ram.lmtas.lmco.com> wrote in message
news:40***************@ram.lmtas.lmco.com...
I have a general question about how people generally tend to deal with
users' data that they enter.

I use something like the following; watch for word-wrap.
function validate() {
  var form = document.forms[0];
  // Suffix for the alert: closes the quoted field name, then lists the characters.
  var regs = "'\n\nInvalid characters: \" & '";
  // Reject any field containing a double quote, ampersand or single quote.
  var regx = /["&']/;
  for (var i = 0; i < form.elements.length; i++) {
    if (regx.test(form.elements[i].value)) {
      alert("Invalid character(s) in '" + form.elements[i].name + regs);
      return false;
    }
  }
  return true;
}


So you are saying strip out the characters even if the users cry, bitch,
moan, and do other baby-like stuff?

Mike
Jul 20 '05 #4

"Michael Hill" <hi****@charter.net> wrote in message
news:10*************@corp.supernews.com...
"McKirahan" <Ne**@McKirahan.com> wrote in message
news:B7iSb.140326$sv6.763636@attbi_s52...
"Michael Hill" <hi****@ram.lmtas.lmco.com> wrote in message
news:40***************@ram.lmtas.lmco.com...
I have a general question about how people generally tend to deal with
users' data that they enter.

So you are saying strip out the characters even if the users cry, bitch,
moan, and do other baby-like stuff?

Mike


Would you rather have your application "cry, bitch, moan, and do other baby-like
stuff?"

You could always substitute restricted characters before using (e.g.
storing) them...
Jul 20 '05 #5

"McKirahan" <Ne**@McKirahan.com> writes:
Would you rather have your application "cry, bitch, moan, and do other baby-like
stuff?"
Of course not, it should handle all possible inputs gracefully.
Especially since client-side validation will not always be able to
filter out problematic inputs.
You could always substitute restricted characters before using (e.g.
storing) them...


That would be the prettier choice.

Your application has problems with certain characters. You should solve
that instead of passing the problem on to the unsuspecting user. It's
not their fault, and they really don't need to know.

/L
--
Lasse Reichstein Nielsen - lr*@hotpop.com
DHTML Death Colors: <URL:http://www.infimum.dk/HTML/rasterTriangleDOM.html>
'Faith without judgement merely degrades the spirit divine.'
Jul 20 '05 #6
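An added example, not from the thread, of the server-side approach Lasse argues for: accept the ampersands and quotes as data and normalize what Word pastes in (curly quotes, bullets, dashes, non-breaking spaces, stray zero-width marks) instead of rejecting the form. The `normalizeInput` name, the character map and the pasted sample are assumptions constructed for illustration.

```javascript
// Added example (not from the thread): normalize user input on the server
// rather than rejecting quotes and ampersands at the form.
// Typographic characters Word pastes in, mapped to plain ASCII.
const WORD_CHAR_MAP = {
  "\u2018": "'", "\u2019": "'",   // curly single quotes
  "\u201C": '"', "\u201D": '"',   // curly double quotes
  "\u2013": "-", "\u2014": "-",   // en and em dash
  "\u2022": "*",                  // bullet
  "\u2026": "...",                // ellipsis
  "\u00A0": " ",                  // non-breaking space
};
const WORD_CHARS = /[\u2018\u2019\u201C\u201D\u2013\u2014\u2022\u2026\u00A0]/g;
// C0/C1 control characters (except tab, LF, CR), zero-width marks and BOM,
// all of which arrive with pasted rich text and are never wanted as data.
const HIDDEN_CHARS = /[\u0000-\u0008\u000B\u000C\u000E-\u001F\u007F-\u009F\u200B-\u200D\uFEFF]/g;

function normalizeInput(value) {
  let out = String(value).normalize("NFC");
  out = out.replace(WORD_CHARS, (ch) => WORD_CHAR_MAP[ch]);
  out = out.replace(HIDDEN_CHARS, "");
  // Collapse whitespace runs (a single-line text field) and trim the ends.
  // Plain & " ' pass through untouched; escaping is the output stage's job.
  return out.replace(/\s+/g, " ").trim();
}

// Constructed sample of a Word paste: BOM, bullet, NBSP, smart quotes, dash.
const pasted = "\uFEFF\u2022\u00A0Use \u201Csafe\u201D mode \u2013 see O\u2019Brien & Co";
console.log(normalizeInput(pasted));  // * Use "safe" mode - see O'Brien & Co
```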
