users using &, ", ', and other chars in input fields

Michael Hill

I have a general question about how people generally tend to deal with
users data that they enter.

As an example, users enter double quotes in a text field surrounding a
specific piece of text they want to highlight, and then it barfs during
the Oracle insert step because the string is not properly delimited.

Another example is where the ampersand causes trouble when used on an
XML page, so provisions are made to insert it into the table
using the ASCII equivalent &amp; . But the field is only 25 characters,
so when a string with 25 characters that has an ampersand is being
input and we change the ampersand to the ASCII equivalent, we now have
more than 25 characters and the update fails because we have
too many characters. We could truncate them before the insert, or we
could write some code to deal with them on the client.

Others copy and paste from word documents into a text field and in it
there are hidden formatting fields like bullets.

The users barf and complain about the application, but what we have here
is bad data.

How do most handle these?

Mike
 
McKirahan

Michael Hill said:
I have a general question about how people generally tend to deal with
users data that they enter.


I use something like the following; watch for word-wrap.


function validate() {
  var form = document.forms[0];
  var regs = "'\n\nInvalid characters: \" & '";
  var regx = /"|&|'/;                 // any double quote, ampersand or single quote
  for (var i = 0; i < form.elements.length; i++) {
    var field = form.elements[i];     // the original indexed form.elements without [i]
    if (regx.test(field.value)) {
      alert("Invalid character(s) in '" + field.name + regs);
      return false;
    }
  }
  return true;
}
 
Silvio Bierman

Michael Hill said:
I have a general question about how people generally tend to deal with
users data that they enter.

As an example, users enter double quotes in a text field surrounding a
specific piece of text they want to highlight, and then it barfs during
the Oracle insert step because the string is not properly delimited.

Another example is where the ampersand causes trouble when used on an
XML page, so provisions are made to insert it into the table
using the ASCII equivalent &amp; . But the field is only 25 characters,
so when a string with 25 characters that has an ampersand is being
input and we change the ampersand to the ASCII equivalent, we now have
more than 25 characters and the update fails because we have
too many characters. We could truncate them before the insert, or we
could write some code to deal with them on the client.

Others copy and paste from word documents into a text field and in it
there are hidden formatting fields like bullets.

The users barf and complain about the application, but what we have here
is bad data.

How do most handle these?

Mike

Your Oracle problems come from fiddling with sql text and text literals. Use
prepared statements and statement parameters to prevent such problems. That
means do not use

"insert into tab(col) values ('" + colVal + "')"

but use

"insert into tab(col) values (?)" (JDBC syntax) or something similar for
OCI.

When generating HTML pages/forms containing data from the database you
should always be aware of invalid characters in the data. Use a proper
escaping function to handle that. I would advise escaping to ASCII only
instead of UTF-8 but that is a matter of taste.

Regards,

Silvio Bierman
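The two points above (bind parameters instead of spliced SQL text, and escape at output time) also dissolve the 25-character problem from the first post: the raw text is what gets length-checked and stored, and the `&amp;` form only exists in the rendered page. The following is an added example, not code from either poster; it uses Python's sqlite3 module as a stand-in for Oracle/JDBC, and the table `notes`, column `col`, the 25-character limit and the three sample strings are constructed for illustration.

```python
import html
import sqlite3

MAX_LEN = 25  # the thread's 25-character column (assumed width)

# Constructed sample inputs mirroring the thread's problem cases (not real data).
SAMPLE_INPUTS = [
    'He said "hi" to O\'Brien',      # quotes that break a hand-built string literal
    "Smith & Wesson, 25 chars!",      # exactly 25 chars, including an ampersand
    "x'); drop table notes;--",       # stacked-query injection attempt, 24 chars
]


def new_db():
    """Fresh in-memory SQLite database standing in for the thread's Oracle table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table notes (col varchar(25))")
    return conn


def unsafe_insert(conn, text):
    """The pattern Silvio warns against: splicing user text into SQL source.

    Any quote in `text` changes the SQL's structure, so the insert either
    fails (the 'barfs during the insert' from the first post) or, with a
    driver that runs stacked statements, executes whatever the user typed.
    """
    conn.execute("insert into notes(col) values ('" + text + "')")


def safe_insert(conn, text):
    """Prepared statement with a bound parameter (JDBC-style '?' placeholder).

    The driver sends `text` as data, never as SQL, so quotes, ampersands and
    pasted Word characters are all stored literally.  The length check runs
    on the raw text: nothing is entity-encoded before storage, so a
    25-character value always fits the 25-character column.
    """
    if len(text) > MAX_LEN:
        raise ValueError(f"value longer than {MAX_LEN} characters")
    conn.execute("insert into notes(col) values (?)", (text,))


def render_html(text):
    """Escape on output, not on input: & < > " ' become entities only when the
    stored value is written into an HTML/XML page, so the stored copy never grows."""
    return html.escape(text, quote=True)


def attempt(insert, conn, text):
    """Run one insert and report whether the database accepted it."""
    try:
        insert(conn, text)
        return True
    except (sqlite3.Error, sqlite3.Warning):
        # Python's sqlite3 refuses to run a second statement in one execute();
        # older versions raise sqlite3.Warning for that, newer ones ProgrammingError.
        return False


def run_demo():
    """Feed every sample through both paths.

    Returns (results per input, rows actually stored by the safe path).
    """
    unsafe_conn, safe_conn = new_db(), new_db()
    results = {}
    for text in SAMPLE_INPUTS:
        results[text] = {
            "unsafe_ok": attempt(unsafe_insert, unsafe_conn, text),
            "safe_ok": attempt(safe_insert, safe_conn, text),
            "html": render_html(text),
        }
    stored = [row[0] for row in safe_conn.execute("select col from notes order by rowid")]
    return results, stored


if __name__ == "__main__":
    results, stored = run_demo()
    for text, r in results.items():
        print(f"{text!r}: unsafe={'ok' if r['unsafe_ok'] else 'FAILED'} "
              f"safe={'ok' if r['safe_ok'] else 'FAILED'} html={r['html']!r}")
    print("stored by safe path:", stored)
```

Running it shows the spliced-SQL path rejecting both the quoted string and the injection attempt while the bound-parameter path stores all three inputs verbatim; the 25-character string with the ampersand fits the column, and its escaped form (29 characters) appears only in the rendered output. Note that the stacked-statement attack fails here only because Python's sqlite3 refuses to execute more than one statement per call; a driver without that guard would run the `drop table`.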
 
McKirahan

Michael Hill said:
So you are saying strip out the characters even if the users cry, bitch,
moan, and do other baby like stuff?

Mike

Would you rather have your application "cry, bitch, moan, and do other baby
like stuff?"

You could always substitute restricted characters before using (e.g.
storing) them...
 
Lasse Reichstein Nielsen

McKirahan said:
Would you rather have your application "cry, bitch, moan, and do other baby
like stuff?"

Of course not, it should handle all possible inputs gracefully.
Especially since client-side validation will not always be able to
filter out problematic inputs.
You could always substitute restricted characters before using (e.g.
storing) them...

That would be the prettier choice.

Your application has problems with certain characters. You should solve
that instead of passing the problem on to the unsuspecting user. It's
not their fault, and they really don't need to know.

/L
 