do you have your own regEXp to validate your string

c676228

Hi everyone,
I just realized that it's so important to validate each string, I mean
'each', before you insert data from an asp page into the database.
I guess some customers just copy data from some electronic document and
paste it into a form field, which will probably mess up the program.
For example, we have a customer who wants to enter AH12345 into one of our
fields; it appears as ÐÐ12345 in a hidden field of our asp page, but it displayed
AH12345 to the customer, and our program failed because the data does not fit
into the char field in the sql database.
I don't know, in reality, how other companies deal with those kinds of things.
Do I have to write our own regExp to validate each string, since we do need to
allow apostrophes or "-" in first name or last name?
Can you shed some light on this for me?
 
Bob Barrows [MVP]

c676228 said:
Hi everyone,
I just realized that it's so important to validate each string, I mean
'each', before you insert data from an asp page into the database.
I guess some customers just copy data from some electronic document
and paste it into a form field, which will probably mess up the program.
For example, we have a customer who wants to enter AH12345 into one
of our fields; it appears as ??12345 in a hidden field of our asp page,
but it displayed AH12345 to the customer, and our program failed
because the data does not fit into the char field in the sql database.
I don't know, in reality, how other companies deal with those kinds of
things. Do I have to write our own regExp to validate each string, since
we do need to allow apostrophes or "-" in first name or last name?
Can you shed some light on this for me?
It depends on your goal. If your goal is solely to make sure the length
of the string is not too great, then you do not need a regular
expression for that. Simply use the Len function (if using vbscript on
the server) to validate the string before inserting it into the database
table.

However, given your desire to prevent apostrophes and hyphens, it sounds
as if you also have the laudable goal of preventing SQL Injection. You
can stop a good portion of SQL Injection attacks by validating your
data. However, an experienced hacker will have no problem defeating your
defences if all you do is prevent apostrophes and hyphens. The only sure
way to prevent SQL Injection is to stop using dynamic sql, i.e., stop
concatenating user inputs into strings containing sql statements. Use
parameters instead. Since you are using SQL Server (I think), my
preference would be to use stored procedures using the
"procedure-as-connection-method" technique to pass the parameter values:
http://groups.google.com/group/microsoft.public.inetserver.asp.general/msg/5d3c9d4409dc1701?hl=en

However, if you don't want to go down the learning path required for
stored procedures, you can still use parameters via ODBC parameter
markers. See:
http://groups-beta.google.com/group/microsoft.public.inetserver.asp.db/msg/72e36562fee7804e


You still should validate your data in server-side code, if only to
detect hack attempts (you don't really want to store garbage in your
database, do you?).
Unfortunately, I'm no regexp expert, so someone will need to jump in
here. This google search result may contain some examples:
http://groups.google.com/groups?sou...n" validation regular expressions&sa=N&tab=xg

Just be aware that you will need to learn how to write these regexp
validations yourself: some data fields will need to store strings that
could look like SQL Injection attempts (O'Malley), so you will need to
at least be able to modify the examples you are given.
 
Mike Brind

c676228 said:
Hi everyone,
I just realized that it's so important to validate each string, I mean
'each', before you insert data from an asp page into the database.
I guess some customers just copy data from some electronic document and
paste it into a form field, which will probably mess up the program.
For example, we have a customer who wants to enter AH12345 into one of our
fields; it appears as ÐÐ12345 in a hidden field of our asp page, but it displayed
AH12345 to the customer, and our program failed because the data does not fit
into the char field in the sql database.
I don't know, in reality, how other companies deal with those kinds of things.
Do I have to write our own regExp to validate each string, since we do need to
allow apostrophes or "-" in first name or last name?
Can you shed some light on this for me?

Building on what Bob says, RegExp is just one tool in the box.
Sometimes it's the best one to use, but more often others, such as the
built-in functions (Len(), CLng(), Replace(), Instr() etc [VBScript])
will do what you want and are easier to work with.

The important thing to remember is to never rely on clientside
validation (not that you said you are). Clientside validation acts
solely as a convenience to 90% of your users (those that have
javascript enabled), but is easily defeated.

Specifically dealing with RegExp, once you get the hang of it, it's not
too difficult to use. There are also libraries of pre-written
expressions that you can utilise as well, e.g. regexlib.com.
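The approach Bob and Mike describe (server-side validation with RegExp/Len, then parameters via ODBC markers instead of concatenated SQL), as an added classic ASP example that is not code from any post in this thread. The table name, column names, column widths, the regex patterns and the Application("ConnString") connection string are all assumptions for illustration.

```vbscript
' Added example (not from the thread): validate each field server-side,
' then insert with ADODB.Command parameters so O'Malley is data, not SQL.
Option Explicit

' Names: letters, space, apostrophe and hyphen; 1 to 50 chars (assumed width).
Function IsValidName(s)
    Dim re
    Set re = New RegExp
    re.Pattern = "^[A-Za-z][A-Za-z' \-]{0,49}$"
    IsValidName = re.Test(s)
End Function

' Code field like AH12345: two upper-case letters then five digits (assumed format).
Function IsValidCode(s)
    Dim re
    Set re = New RegExp
    re.Pattern = "^[A-Z]{2}[0-9]{5}$"
    IsValidCode = re.Test(s)
End Function

Dim firstName, lastName, code
firstName = Trim(Request.Form("FirstName"))
lastName  = Trim(Request.Form("LastName"))
code      = Trim(Request.Form("Code"))

' Reject before touching the database; Len is implicit in the {0,49} and {5} bounds.
If Not (IsValidName(firstName) And IsValidName(lastName) And IsValidCode(code)) Then
    Response.Write "Invalid input."
    Response.End
End If

' Dynamic SQL pattern to avoid (shown for contrast, never executed here):
' sql = "INSERT INTO Customers (...) VALUES ('" & firstName & "','" & lastName & "','" & code & "')"

' Parameterised insert with ODBC "?" markers; constants: 1 = adCmdText / adParamInput,
' 200 = adVarChar, 129 = adChar, 128 = adExecuteNoRecords.
Dim cn, cmd
Set cn = Server.CreateObject("ADODB.Connection")
cn.Open Application("ConnString")   ' assumed application-level connection string
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = cn
cmd.CommandType = 1
cmd.CommandText = "INSERT INTO Customers (FirstName, LastName, Code) VALUES (?, ?, ?)"
cmd.Parameters.Append cmd.CreateParameter("@FirstName", 200, 1, 50, firstName)
cmd.Parameters.Append cmd.CreateParameter("@LastName", 200, 1, 50, lastName)
cmd.Parameters.Append cmd.CreateParameter("@Code", 129, 1, 7, code)
cmd.Execute , , 128
cn.Close
```

With this shape, a last name of O'Malley passes the regex and is stored intact, while the same characters can never alter the statement because they travel as a parameter value.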
 
c676228

Thank you, Mike and Bob. I think I need to validate each form field before
inserting it into the database, using RegExp and some functions provided by the system
like Mike mentioned.
--
Betty


Mike Brind said:
Hi everyone,
I just realized that it's so important to validate each string, I mean
'each', before you insert data from an asp page into the database.
I guess some customers just copy data from some electronic document and
paste it into a form field, which will probably mess up the program.
For example, we have a customer who wants to enter AH12345 into one of our
fields; it appears as ÐÐ12345 in a hidden field of our asp page, but it displayed
AH12345 to the customer, and our program failed because the data does not fit
into the char field in the sql database.
I don't know, in reality, how other companies deal with those kinds of things.
Do I have to write our own regExp to validate each string, since we do need to
allow apostrophes or "-" in first name or last name?
Can you shed some light on this for me?

Building on what Bob says, RegExp is just one tool in the box.
Sometimes it's the best one to use, but more often others, such as the
built-in functions (Len(), CLng(), Replace(), Instr() etc [VBScript])
will do what you want and are easier to work with.

The important thing to remember is to never rely on clientside
validation (not that you said you are). Clientside validation acts
solely as a convenience to 90% of your users (those that have
javascript enabled), but is easily defeated.

Specifically dealing with RegExp, once you get the hang of it, it's not
too difficult to use. There are also libraries of pre-written
expressions that you can utilise as well, e.g. regexlib.com.
 
