
Thread: Filtering input

  1. #1
    Regular Coder

    Filtering input

    Discovered a problem with my submission of data to a database.
    The problem lies with the punctuation characters that are submitted; some files become uneditable.
    Planning to set up a function to catch certain characters.

    My question: Which characters should I identify as "bad"?

  • #2
    Supreme Master coder! Philip M
    Presumably any characters which must be escaped if they are to be interpreted as literals.

    E.g. /\.[] () and so forth.

  • #3
    Regular Coder

    For clarification.
    I see, characters which have meaning to the database and languages used.

    Would it be better to have JavaScript or PHP filter out such attacks?
    PHP seems best, in the event that the user has JS turned off.
    But doesn't that risk the server stability since it would be performing the evaluation?

    Thanks

  • #4
    Supreme Master coder! Philip M
    It is best to filter both client-side with JavaScript and also server-side - as you say, JavaScript might be turned off.

    There is no problem here - you will be using regular expressions to filter out unwanted characters which, as you say, are those which have meaning to the database and languages used.

    Example:-
    tmpStr = tmpStr.replace (/\-/g, ""); /// remove hyphens
    tmpStr = tmpStr.replace (/\//g, ""); /// remove forward slashes

    or possibly the other way round:-

    tmpStr = tmpStr.replace (/[^0-9A-Z\s\-\'\"]/gi,""); /// remove anything which is not a digit, a letter (ignoring case), a space, a hyphen, a single quote or a double quote (or whatever you require).
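    The whitelist approach from this post, written up as reusable functions in an added example (not code from the thread or from Philip M). The character class is taken from the post; the function names and the sample inputs are my own, and the same check must also run server-side, since the client-side script can be switched off or bypassed.

```javascript
// Whitelist from post #4: anything NOT a digit, a letter (either case),
// whitespace, a hyphen, a single quote or a double quote is disallowed.
// Adjust the class to what your application really needs to accept.
const DISALLOWED = /[^0-9A-Z\s\-'"]/gi;

// Return the input with every character outside the whitelist removed
// (the "strip it" approach from the post).
function stripDisallowed(str) {
  return String(str).replace(DISALLOWED, "");
}

// Report which characters would be removed, in order of first appearance,
// so the form can tell the user instead of silently altering their text.
function findDisallowed(str) {
  // match() with a /g regex restarts from index 0, so it is safe to reuse.
  const found = String(str).match(DISALLOWED) || [];
  return Array.from(new Set(found));
}

// Validate without modifying: true only when nothing would be stripped.
// Rejecting is usually preferable to stripping, because stripping changes
// what the user submitted without telling them.
function isClean(str) {
  return findDisallowed(str).length === 0;
}

// Constructed sample inputs (not real user data).
const samples = [
  "Meeting notes 2006-01-15",
  "O'Brien said \"hello\"",
  "path/to/file.txt [draft] (v2)",
];

for (const s of samples) {
  console.log(JSON.stringify(s));
  console.log("  clean:   ", isClean(s));
  console.log("  removed: ", findDisallowed(s).join(" "));
  console.log("  stripped:", JSON.stringify(stripDisallowed(s)));
}
```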

  • #5
    Regular Coder

    Philip M,

    Thank you.
    The code would have been difficult to round-up, understand and then write.
    I would not have known to search for the following: g i / ^
    (For those reading: http://www.w3schools.com/jsref/jsref_replace.asp)
