Filtering input

05-09-2006, 08:13 PM
Discovered a problem with my submission of data to a database.
The problem lies with the punctuation characters that are submitted; some files become un-editable.
Planning to set up a function to catch certain characters.

My question: Which characters should I identify as "bad"?

Philip M
05-10-2006, 08:54 AM
Presumably any characters which must be escaped if they are to be interpreted as literals.

E.g. /\.[] () and so forth.

05-12-2006, 06:07 PM
For clarification.
I see, characters which have meaning to the database and languages used.

Would it be better to have JavaScript or PHP filter out such attacks?
PHP seems best, in the event that the user has JS turned off.
But doesn't that risk the server stability since it would be performing the evaluation?


Philip M
05-12-2006, 07:52 PM
It is best to filter both client-side with JavaScript and also server-side - as you say, JavaScript might be turned off.

There is no problem here - you will be using regular expressions
to filter out unwanted characters which as you say are those
which have meaning to the database and languages used.

tmpStr = tmpStr.replace (/\-/g, ""); /// remove hyphens
tmpStr = tmpStr.replace (/\//g, ""); /// remove forward slashes

or possibly the other way round:-

tmpStr = tmpStr.replace (/[^0-9A-Z\s\-\'\"]/gi,""); /// remove anything which is not a digit, a letter (ignoring case), a space, a hyphen, a single quote or a double quote (or whatever you require).
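As an added illustration (not Philip M's code), the allow-list rule from the second snippet written as reusable functions, so the identical rule can be run in the server-side copy (for example under Node) where it actually acts as a control; the client-side copy is only a convenience, since the user can switch JavaScript off. The second function rejects input instead of silently altering it, which is an assumption about what the poster wants rather than something the thread states.

```javascript
// Added example, not code from the original thread.
// Allow-list: digits, ASCII letters (either case), whitespace, hyphen,
// single quote and double quote. Everything else is treated as disallowed.
const DISALLOWED = /[^0-9A-Z\s\-'"]/gi;

// Variant 1 (as in the thread): strip every disallowed character.
// Note that this silently changes the submitted value.
function stripDisallowed(input) {
  return String(input).replace(DISALLOWED, "");
}

// Variant 2 (assumed alternative): keep the value intact and report
// which disallowed characters were found, so the submission can be
// refused and the reason shown to the user or written to a log.
function checkInput(input) {
  const found = String(input).match(DISALLOWED) || [];
  const disallowed = [...new Set(found)]; // unique, in order of first occurrence
  return { ok: disallowed.length === 0, disallowed };
}

// Constructed sample values, not data from the thread.
console.log(stripDisallowed("filename.txt (v2)")); // "filenametxt v2"
console.log(checkInput("filename.txt (v2)"));      // { ok: false, disallowed: [".", "(", ")"] }
console.log(checkInput("it's \"ok\" - yes"));      // { ok: true, disallowed: [] }
```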

05-15-2006, 11:04 PM
Philip M,

Thank you.
The code would have been difficult to round up, understand and then write.
I would not have known to search for the following: g i / ^
(For those reading: http://www.w3schools.com/jsref/jsref_replace.asp)