March 13, 2008
Question

allowing only specific characters in input

  • March 13, 2008
  • 2 replies
  • 421 views
Hello,
My projects were audited for security, and it was found that a logged-in user (only) could hack my programs because I was not being careful to keep certain characters from being input, not just pointy brackets and pound signs. I am now told to do no client-side checking.

I am thinking of defining an allowable character list and checking each input box character by character.

What is a faster and more efficient way than looping through each input value's characters one by one and using find() to check if those characters are in the list of good characters?

Thanks.
    This topic has been closed for replies.

    2 replies

    March 13, 2008
    If you feel you can make use of it, this might be a place to start:

    [^-_,\.@a-zA-Z0-9\s]

    I use this reg exp as part of a parameter to a reFindNoCase function inside a little UDF I wrote to scrub user input. It's not the entire expression, and I don't feel comfortable simply posting the whole UDF (not trying to be mysterious, but it's part of our online security, after all, and is the property of my employer).

    I think your approach of defining allowable characters, instead of trying to define non-allowable ones, makes a great deal of sense and is the approach that seems to be widely recommended. That's what I use the expression above to do...if the character ain't in that set, it gets deleted from the input string. It can exact a price even from an innocent string, though...note that if a user inputs "O'Brien" it'll come through as "OBrien", which for my purposes is no more than a minor inconvenience. YMMV.

    If that code makes no sense, spend an hour reading up on Reg Expressions and you'll get it.

    Bob's advice to become familiar with cfqueryparam is, of course, excellent.
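The two approaches discussed in the question and the reply above (scrub by deleting characters outside the allowlist, or reject the whole value if any character is outside it) are shown side by side below. This is an added example written for this page in Python rather than ColdFusion, not the reply author's UDF; the character class is the one posted above, and the per-field patterns for "username" and "zipcode" are assumptions chosen to illustrate that each field should get the narrowest allowlist its legitimate values need.

```python
import re

# Character class from the reply above, compiled once. re.ASCII limits \s to
# the six ASCII whitespace characters so the regex and the loop below agree.
# The leading "-" inside the class is a literal hyphen, not a range.
ALLOWED_CLASS = r"-_,.@a-zA-Z0-9\s"
DISALLOWED = re.compile(r"[^" + ALLOWED_CLASS + r"]", re.ASCII)
ALLOWED_ONLY = re.compile(r"[" + ALLOWED_CLASS + r"]*", re.ASCII)

# Tighter per-field allowlists (assumed patterns, for illustration only):
# a username and a US ZIP code.
FIELD_PATTERNS = {
    "username": re.compile(r"[A-Za-z0-9_]{3,32}", re.ASCII),
    "zipcode": re.compile(r"[0-9]{5}(-[0-9]{4})?", re.ASCII),
}


def strip_disallowed(value: str) -> str:
    """Scrubbing approach from the reply: delete every character outside the
    allowlist. Side effect noted in the reply: "O'Brien" becomes "OBrien"."""
    return DISALLOWED.sub("", value)


def is_allowed(value: str, max_len: int = 255) -> bool:
    """Rejecting approach: accept only if every character is on the allowlist
    and the value is not absurdly long. fullmatch() is used instead of match()
    so a trailing newline cannot slip past a '$' anchor."""
    return len(value) <= max_len and ALLOWED_ONLY.fullmatch(value) is not None


def is_allowed_loop(value: str) -> bool:
    """The one-character-at-a-time check the question describes. Same verdict as
    is_allowed() (apart from the length cap); the regex just does the scan in
    one compiled pass instead of a Python-level loop with a lookup per char."""
    good = set("-_,.@" + "abcdefghijklmnopqrstuvwxyz"
               + "ABCDEFGHIJKLMNOPQRSTUVWXYZ" + "0123456789" + " \t\n\r\f\v")
    return all(ch in good for ch in value)


def validate_field(field: str, value: str) -> bool:
    """Per-field allowlist check; an unknown field name fails closed."""
    pattern = FIELD_PATTERNS.get(field)
    return pattern is not None and pattern.fullmatch(value) is not None
```

Two things worth noticing when running it: scrubbing `"'; DROP TABLE users--"` still leaves `" DROP TABLE users--"`, so character stripping reduces the attack surface but is not what keeps a query safe (that is the job of cfqueryparam, as the replies say); and the allowlist rejects non-ASCII names such as "José", so decide deliberately whether that is acceptable for each field.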
    March 13, 2008
    If your issue is related to SQL injection you can use cfqueryparam in your queries.
    March 13, 2008
    More on SQL injection and cfqueryparam
    http://www.adobe.com/devnet/coldfusion/articles/ben_forta_faster.html

    You could also use regular expressions to check input for any characters or patterns you wish to disallow.
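To make the cfqueryparam advice in the replies concrete, here is an added example, not from the thread and not ColdFusion code, that contrasts a query built by string concatenation with the same query using bound parameters. It uses Python's sqlite3 module and a constructed in-memory users table so it runs stand-alone; the ColdFusion equivalent of the parameterized version is wrapping each value in `<cfqueryparam value="..." cfsqltype="cf_sql_varchar">` inside the cfquery.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: three users, one with an apostrophe in the name."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY,"
        " username TEXT NOT NULL, password TEXT NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        [("alice", "s3cret"), ("bob", "hunter2"), ("o'brien", "pw")],
    )
    return conn


def login_concat(conn, username, password):
    """Vulnerable: input is pasted into the SQL text, so a quote in the input
    ends the string literal and whatever follows is executed as SQL."""
    sql = ("SELECT username FROM users WHERE username = '" + username
           + "' AND password = '" + password + "' ORDER BY id")
    return [row[0] for row in conn.execute(sql)]


def login_param(conn, username, password):
    """Hardened: same query with bound parameters. The SQL text and the values
    reach the database separately, so input cannot change the query's structure.
    This is what cfqueryparam does for a cfquery."""
    sql = ("SELECT username FROM users WHERE username = ? AND password = ?"
           " ORDER BY id")
    return [row[0] for row in conn.execute(sql, (username, password))]


def concat_query_errors(conn, username, password) -> bool:
    """True if the concatenated query is rejected as malformed SQL, which is
    what happens to the legitimate user "o'brien" under login_concat()."""
    try:
        login_concat(conn, username, password)
    except sqlite3.OperationalError:
        return True
    return False
```

With the password `' OR '1'='1` the concatenated query's WHERE clause becomes `username = 'alice' AND password = '' OR '1'='1'`, which is true for every row, so login_concat() returns all three users while login_param() returns none. The username `alice'--` shows the other common trick: the `--` turns the rest of the concatenated query into a comment, so the password check disappears. And the innocent user "o'brien" cannot log in at all through the concatenated version, which is the same apostrophe problem the first reply mentions, solved here without mangling the name.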