asp_databases thread: Little hope for Validation
Message #1 by phillipl@s... on Mon, 21 May 2001 14:29:37
Would like to spend some time developing an include for all my forms,
one that validates form data.
Does anyone have one already written? I mean, what are all the characters
that can be posted via a form that will hose up my database, if any? Like,
for instance, the % sign will return ALL records in my database. Stuff
like this I would like to stop users from doing. Anyone know ALL
these "magic" characters that I should parse and format before submitting
to the database?
If I could do it in JavaScript I'm sure it would be faster, etc., but I
want to try it in VBScript first.
Actually, I'll take it in any form!
You are the bomb!
Thanks!
Larry
Message #2 by "Charles Feduke" <webmaster@r...> on Mon, 21 May 2001 10:46:48 -0400
I have a nice JavaScript .js that I wrote to do client side validation. I
don't have any checks for %, which is a wildcard character when using LIKE
in SQL and I do all single quote replacements server side (for example,
"O'Conner" becomes "O''Conner").
To avoid "%", just don't use LIKE, use = instead. I think LIKE has
slightly more overhead because it does support wildcard characters.
To use the client-side validation, just do:
<SCRIPT LANGUAGE="JavaScript" SRC="directory/validate.js"></SCRIPT>
in your header and something like this:
<SCRIPT LANGUAGE="JavaScript">
<!--
var sArray = new Array(
"someform.lastname:last name",
"someform.firstname:first name",
"someform.ssn:social security number"
);
-->
</SCRIPT>
<FORM METHOD="POST" ACTION="someasp.asp" onSubmit="return
bValidate(sArray);">
<!-- the lastname, firstname, ssn fields would appear in here -->
</FORM>
validate.js:
-
/*
validation routines
Charles Feduke
March 9, 2001
performs form validation based on an array passed
*/

function oField(objName)
{
    // resolves a "formName.fieldName" string to the form element;
    // replaces the original eval("document." + objName) lookups
    var aParts = objName.split(".");
    return document.forms[aParts[0]].elements[aParts[1]];
}

function sTrim(sString)
{
    // trims off trailing spaces on the right side; returns "" for a
    // string that is empty or nothing but spaces (the original started
    // at index length, where charAt() returns "", so it never trimmed)
    for (var i = sString.length - 1; i >= 0; i--)
    {
        if (sString.charAt(i) != " ")
        {
            return sString.substring(0, i + 1);
        }
    }
    return "";
}

function bIsValid(objName)
{
    // checks to see if the data in a single object is not blank
    var sString = sTrim(String(oField(objName).value));
    return (sString.length > 0);
}

function bIsNumber(objName)
{
    // checks to see if a currency is a number
    var sString = String(oField(objName).value);
    // strip every $, comma and space (the /g flag; without it only the
    // first occurrence of each would be removed)
    sString = sString.replace(/\$/g, '');
    sString = sString.replace(/,/g, '');
    sString = sString.replace(/ /g, '');
    // isNaN("") is false, so an empty field has to be rejected explicitly
    if (sString.length == 0 || isNaN(sString))
    {
        return false;
    }
    return true;
}

function bValidate(sArray)
{
    /* validates a list of items. The array should appear in the
       following format:
       formName.objectName:actual name (i.e. "user.last:last name")
       will return false if it fails, set focus on the object and
       popup an alert box
    */
    var sCurrent;
    // loop thru each element in the array
    for (var i = 0; i < sArray.length; i++)
    {
        sCurrent = sArray[i].split(":");
        if (!bIsValid(sCurrent[0]))
        {
            // failure
            alert("You must complete the " + sCurrent[1] +
                  " field before submitting this form.");
            oField(sCurrent[0]).focus();
            return false;
        }
    }
    // success
    return true;
}

function bValidate2(sArray1, sArray2)
{
    /* validates a list of items, similar to bValidate but also processes
       sArray2 with bIsNumber */
    // required fields first
    if (!bValidate(sArray1))
    {
        return false;
    }
    // then loop looking for NaNs
    var sCurrent;
    for (var i = 0; i < sArray2.length; i++)
    {
        sCurrent = sArray2[i].split(":");
        if (!bIsNumber(sCurrent[0]))
        {
            // failure
            alert("You must enter a valid number in the " +
                  sCurrent[1] + " field before submitting this form.");
            oField(sCurrent[0]).focus();
            return false;
        }
    }
    // success
    return true;
}
-
Hope that helps.
- Chuck
Message #3 by phillipl@s... on Mon, 21 May 2001 17:57:13
Yes, it helps.
Well, I hear ya on the "LIKE".
Ah, JavaScript! Wow, still waiting on my Wrox JavaScript book to show up!
Thanks a lot!
Larry
Message #4 by "Pete Cofrancesco" <pcofran@y...> on Mon, 21 May 2001 19:45:21
I wouldn't use VBScript for 2 reasons.
1. It's not powerful enough to do complex validation.
2. Most validation scripts are written in Perl or JavaScript, so you'll
have a hard time finding any pre-written code on the web.
You usually don't have to worry about special characters because a
database can store most text. Validation scripts are used to prevent
someone from entering incorrect data. For example, if you ask them to enter
their phone number, you might want to check if they entered a 7-digit
number (without dashes). Some fields only accept correctly formatted data
or don't accept empty string values, like Date fields, or they will return
an error. JavaScript validation is written to prevent the form from being
submitted if any fields are incorrect.
O'Reilly's JavaScript: The Definitive Guide has an excellent chapter on this
subject, Chapter 10, Pattern Matching with Regular Expressions. It's good to
have a basic understanding of regular expressions so you can tweak a
prewritten script to match your needs.
Hope this helps.
-pete
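An added example, not code from Charles's validate.js or from Pete's reply: the same required, numeric and pattern checks written as pure JavaScript functions over a plain object of submitted fields, the way the ASP page itself has to run them. The onSubmit handler only runs in a cooperating browser; a POST sent any other way never sees it, so whatever the client checks, the server must check again before the value goes near the database. The field names, labels, column widths and the 7-digit phone pattern are assumptions chosen for the example, and the objects passed in are constructed stand-ins for what Request.Form would hand the page. It is JavaScript because that runs in the browser and, as JScript, server-side in classic ASP as well.

```javascript
// Added example (not from the thread): validate.js's checks as pure functions
// the server can run over the submitted fields. Field names, labels, widths
// and the phone pattern are assumptions made for this example.

// Whitespace to strip from both ends: space, tab, CR, LF. validate.js's sTrim
// only looked at the space character and only at the right-hand end.
function trimAll(value) {
  var s = (value === undefined || value === null) ? "" : String(value);
  return s.replace(/^[ \t\r\n]+|[ \t\r\n]+$/g, "");
}

// A currency amount: optional $, digits with optional thousands separators
// and an optional two-decimal part. Unlike isNaN(), this rejects "", "1e5",
// "0x10" and "Infinity", which JavaScript treats as numbers but a price
// column does not.
function isCurrency(value) {
  return /^\$?\d{1,3}(,\d{3})*(\.\d{2})?$|^\$?\d+(\.\d{2})?$/.test(trimAll(value));
}

// Rule table (assumed): field -> label, required, pattern, maxLen, currency.
// maxLen is the width of the column the value is going into; over-long input
// either fails the INSERT or is silently truncated, and the user sees neither.
var rules = {
  lastname:  { label: "last name",    required: true,  pattern: null,     maxLen: 50 },
  firstname: { label: "first name",   required: true,  pattern: null,     maxLen: 50 },
  phone:     { label: "phone number", required: true,  pattern: /^\d{7}$/, maxLen: 7 },
  amount:    { label: "amount",       required: false, pattern: null,     maxLen: 12, currency: true }
};

// Returns a list of error messages; an empty list means the submission passed.
function validateSubmission(fields, ruleTable) {
  var errors = [];
  for (var name in ruleTable) {
    var rule = ruleTable[name];
    var value = trimAll(fields[name]);
    if (value.length === 0) {
      if (rule.required) {
        errors.push("You must complete the " + rule.label + " field.");
      }
      continue;
    }
    if (value.length > rule.maxLen) {
      errors.push("The " + rule.label + " field may not exceed " + rule.maxLen + " characters.");
      continue;
    }
    if (rule.pattern && !rule.pattern.test(value)) {
      errors.push("The " + rule.label + " field is not in the expected format.");
    }
    if (rule.currency && !isCurrency(value)) {
      errors.push("You must enter a valid number in the " + rule.label + " field.");
    }
  }
  return errors;
}

// Constructed sample submissions, standing in for Request.Form.
// "O'Conner" is legitimate data and passes; quoting it is the database
// call's job, not the validator's.
var goodPost = { lastname: "O'Conner", firstname: " Pat ", phone: "5551234", amount: "$1,250.00" };
var badPost  = { lastname: "   ",      firstname: "Pat",   phone: "555-1234", amount: "1e5" };
```

Called as validateSubmission(goodPost, rules) the list comes back empty; badPost yields three errors (blank last name, a phone number longer than its 7-character column, and an amount isNaN() would have accepted).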
Message #5 by "Bo Johansen" <p2p.wrox.com@f...> on Mon, 21 May 2001 23:08:26 +0200
Function unQuote(strTekst)
    strTekst = Trim(strTekst)
    unQuote = Replace(strTekst, "'", "''")
End Function
Response.Write unQuote(Request.Form("Tekst"))
Well, that's the only one I'm currently doing, but if you're really hot on
controlling a lot more:
<%
Dim Password, NewPassword, ReTypeNewPassword, YourId
Dim Fejl, FejlNewPasswordsign, FejlPasswordShort
Dim FejlNewPassword, FejlReTypeNewPassword, FejlNewPasswordIkkeIdentiske
Password = Request.QueryString("Password")
NewPassword = Request.QueryString("NewPassword")
ReTypeNewPassword = Request.QueryString("ReTypeNewPassword")
YourId = Request.QueryString("YourId")
' error counters (numbers, not the strings "0", so the + 1 below is arithmetic)
Fejl = 0
FejlNewPasswordsign = 0
FejlPasswordShort = 0
' per-field flags; "T" marks a field that failed
FejlNewPassword = ""
FejlReTypeNewPassword = ""
FejlNewPasswordIkkeIdentiske = ""

' True if the value contains one of the characters or SQL keywords that
' are not accepted in a password (the same list is applied to both fields)
Function HasBadChars(strValue)
    Dim strLower
    strLower = LCase(strValue)
    HasBadChars = _
        InStr(strValue, "'") > 0 Or _
        InStr(strValue, "&") > 0 Or _
        InStr(strValue, ",") > 0 Or _
        InStr(strValue, ";") > 0 Or _
        InStr(strValue, "_") > 0 Or _
        InStr(strValue, "=") > 0 Or _
        InStr(strValue, " ") > 0 Or _
        InStr(strLower, "select ") > 0 Or _
        InStr(strLower, " where ") > 0 Or _
        InStr(strLower, " or ") > 0 Or _
        InStr(strLower, " by ") > 0 Or _
        InStr(strLower, " insert ") > 0 Or _
        InStr(strLower, " update ") > 0 Or _
        InStr(strLower, " and ") > 0
End Function
%>
<%
If HasBadChars(NewPassword) Then
    FejlNewPasswordsign = FejlNewPasswordsign + 1
End If
If HasBadChars(ReTypeNewPassword) Then
    FejlNewPasswordsign = FejlNewPasswordsign + 1
End If
If NewPassword = "" Then
    FejlNewPassword = "T"
    Fejl = Fejl + 1
End If
If ReTypeNewPassword = "" Then
    FejlReTypeNewPassword = "T"
    Fejl = Fejl + 1
End If
Dim PassLength
PassLength = Len(NewPassword)
If PassLength < 8 Then
    FejlPasswordShort = FejlPasswordShort + 1
End If
If NewPassword <> ReTypeNewPassword Then
    FejlNewPasswordIkkeIdentiske = "T"
    Fejl = Fejl + 1
End If
%>
<%
If Fejl > 0 Or FejlNewPasswordsign > 0 Or FejlPasswordShort > 0 Then
    ' send the flags back to the form page in the query string
    Response.Redirect "activate_account.asp?FejlNewPassword=" & FejlNewPassword & _
        "&FejlReTypeNewPassword=" & FejlReTypeNewPassword & _
        "&FejlNewPasswordIkkeIdentiske=" & FejlNewPasswordIkkeIdentiske & _
        "&YourId=" & Server.URLEncode(YourId) & _
        "&Password=" & Server.URLEncode(Password) & _
        "&FejlNewPasswordsign=" & FejlNewPasswordsign & _
        "&FejlPasswordShort=" & FejlPasswordShort
Else
    ' NewPassword and YourId are concatenated straight into the SQL text;
    ' the character checks above are applied to the two password fields only
    conn.Execute "UPDATE MedlemsInfo SET MedlemsPassword = '" & NewPassword & _
        "', GodkendtAfBruger = 'Ja' WHERE MedlemsIdNr = '" & YourId & "'"
    Set RS1 = conn.Execute("SELECT ForNavn, Efternavn, Email FROM MedlemsInfo " & _
        "WHERE MedlemsIdNr = '" & YourId & "'")
    Set JMail = Server.CreateObject("JMail.SMTPMail")
    JMail.ServerAdd........................... You got the picture, I think
:-))
You can add on as you please.
On the form page you can just set up some
Request.QueryString("ErrorValueFromThisCode") to display the errors that
were found on the form page:
<% If Request.QueryString("FejlNewPasswordIkkeIdentiske") = "T" Then
       Response.Write "<Font Color='#FF0000'>Your passwords didn't match. " & _
                      "Please retype them.<br></Font>"
   End If %>
Comments and some of the words are in Danish, but it's so simple that I
think you'll understand.
Bo Johansen
Message #6 by "Ken Schaefer" <ken@a...> on Tue, 22 May 2001 14:24:46 +1000
www.adOpenStatic.com/resources/code/UIValidation.asp
has some server-side validation code examples. I'm formatting more of mine
to put up as I have time.
Cheers
Ken
Message #7 by phillipl@s... on Wed, 23 May 2001 01:51:52
This is exactly what I meant. Thanks! Let me sum up though....
I was pretty misleading on my first. What I meant was I was stuck
using "LIKE" in my queries because of the data I need to handle.
Furthermore, one of the textboxes is used as INPUT into the database, and is
later used to build text on the fly. So having users insert, say, a
<BR> in the field would mess up the look of the product at run time with
an erroneous break. So what I simply used was the method below (warning!
not exact code):)
---begin poorly written example-----
stringoftext = Request.Form("thetextbox")
If InStr(1, stringoftext, "'") > 0 Or _
   InStr(1, stringoftext, "&") > 0 Or _
   InStr(1, stringoftext, """") > 0 Or _
   InStr(1, stringoftext, ",") > 0 Or _
   InStr(1, stringoftext, "_") > 0 Or _
   InStr(1, stringoftext, "%") > 0 Or _
   InStr(1, stringoftext, "<") > 0 Or _
   InStr(1, stringoftext, ">") > 0 Then
    ' do something cause I don't like that... etc, etc
    Response.Redirect "startover.asp?error=" & Server.URLEncode("something about bad text")
Else
    ' input is ok by me, so use it
    insertintodatabase = stringoftext
End If
---end example----
Which works fine, no matter how inefficient.
I do know I can handle a lot of this in JavaScript on a one-way pass,
instead of two-way server-side. But hey... that above looks real simple,
comparatively speaking. Take in mind my requirements are a little
different, if not simple. My original question should have been worded: if
I have to use "LIKE" in my expression/query, what are all the characters
that can bomb the string if text box data is used as a variable in the
actual SQL statement? No really... what are all the characters? Can someone
use this unchecked input in such a way to crash my DB or anything? (I'm
just paranoid, that's all.)
I thank everyone who had such great input!
Thanks, y'all
Larry
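Larry's closing question has a concrete answer, but it depends on where the value ends up, and the set of special characters is different for each destination. Inside a SQL string literal the only special character is the single quote, and the real cure is not to build the literal at all: pass the value as a parameter (in ASP, an ADODB.Command with its Parameters collection), and nothing the user types can change the statement. Inside a LIKE pattern the wildcards are still live even when the value arrives as a parameter, so they need their own escaping plus an ESCAPE clause in the statement. And a value written back into a page needs HTML encoding, which is what stops the <BR> he describes. The block below is an added example, not code from the thread. It assumes SQL Server LIKE syntax (%, _ and [...] are the metacharacters) and uses the backslash as the escape character, which the SQL must declare with ESCAPE '\'. It is JavaScript so it runs under Node for the test and would run unchanged as server-side JScript in classic ASP.

```javascript
// Added example (not from the thread): escaping for the two places a form
// value ends up where ordinary characters carry meaning. Assumes SQL Server
// LIKE syntax and a backslash escape character declared with ESCAPE '\'.

var LIKE_ESCAPE = "\\";

// Escapes %, _ and [ so they match themselves inside a LIKE pattern. The
// escape character is escaped too; otherwise a user-supplied "\" would
// swallow whatever metacharacter the code appends next.
function escapeLike(value) {
  return String(value).replace(/[\\%_\[]/g, function (ch) {
    return LIKE_ESCAPE + ch;
  });
}

// Turns a search term into a "contains" pattern that matches the term
// literally. The caller binds the result to a parameter and writes
//   WHERE Name LIKE ? ESCAPE '\'
// so the value never becomes part of the SQL text; escapeLike only stops
// the wildcards inside the value from doing anything.
function containsPattern(term) {
  return "%" + escapeLike(term) + "%";
}

// The same pattern as an inline string literal, shown only for contrast:
// quoting is the literal's problem, wildcards are the pattern's problem,
// and they are two separate escapes. Parameters make this function
// unnecessary, which is the point.
function inlineLikeLiteral(term) {
  return "'" + containsPattern(term).replace(/'/g, "''") + "'";
}

// HTML encoding for a stored value that is written back into a page. In ASP
// this is the job Server.HTMLEncode does; this version also encodes the
// apostrophe so the result is safe inside a single-quoted attribute.
var HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

function htmlEncode(value) {
  return String(value).replace(/[&<>"']/g, function (ch) {
    return HTML_ESCAPES[ch];
  });
}
```

With a parameter bound to containsPattern("100%") the query looks for the literal text 100% instead of anything starting with 100, and htmlEncode("<BR>") reaches the browser as text rather than as a line break. The one destination this block cannot fix by escaping is the SQL statement itself: for that the value has to travel as a parameter.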
Message #8 by "JOHN P. PARLATO" <jparlato@m...> on Tue, 22 May 2001 22:51:50 -0700
I have a program that I developed that is called the Form Validator.
It is a Visual Basic COM component that can validate any form based on the hidden
metadata in the form.
It has many options as far as the data validation: numeric, zip, phones,
related fields, min/max values and lengths, and many more. It also allows the
persistence of the data back to the form, relieving the programmer of much work
and database calls.
FormValidator is live working code in many shops, and is for sale
exclusively from me.
If you're interested, give me a call: 404-771-0315.