#1
  1. No Profile Picture
    Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    May 2012
    Posts
    27
    Rep Power
    0

    Allowing a slash in a form for half address


    Hey everyone,

    I need to allow half addresses in a form, but need to make sure to limit the use of slashes for injection reasons. The current regex (java) for my address field is:

    Code:
    ^[\\\w----_\\\-~'\\\.#]+(\\\s[\\\w----_\\\-~'\\\.#]+)*$
    What I was thinking about changing it to is:

    Code:
    ^[\\\w----_\\\-~'\\\.#(\\\d\\\/\\\d)]+(\\\s[\\\w----_\\\-~'\\\.#(\\\d\\\/\\\d)]+)*$
    I'm not very experienced with regular expressions and was wondering if someone who is would be willing to comment if there's a better way to accomplish this or if this is ok.
  2. #2
  3. No Profile Picture
    Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    May 2012
    Posts
    27
    Rep Power
    0
    Update: I tried testing that out but unfortunately it won't do. While it allows for slashes, it allows them in places that it shouldn't, such as 666 Candy/and Drive

    Stuck just now so any help would be greatly appreciated.
  4. #3
  5. --
    Devshed Expert (3500 - 3999 posts)

    Join Date
    Jul 2012
    Posts
    3,921
    Rep Power
    1045
    Hi,

    You're using the character class [...] wrong. It can only be used for single characters (hence the name), not for complete expressions. So the expression "(\d/\d)" will be interpreted as the sequence of "(", "\d", "/", "\d" again and ")".

    But I think this is going in the wrong direction, anyway. Never try to filter "dangerous" characters. Instead, use the appropriate escaping function.

    This reminds me of a joke about a bank, which had a webform saying something like: Your username mustn't contain the words "DROP", "ALTER" etc.

    Apart from that, your pattern ---- looks kind of random to me. What is this good for? I mean, there are obviously more "foreign characters" than this.
    The 6 worst sins of security How to (properly) access a MySQL database with PHP

    Why cant I use certain words like "drop" as part of my Security Question answers?
    There are certain words used by hackers to try to gain access to systems and manipulate data; therefore, the following words are restricted: "select," "delete," "update," "insert," "drop" and "null".
  6. #4
  7. No Profile Picture
    Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    May 2012
    Posts
    27
    Rep Power
    0
    Originally Posted by Jacques1
    Hi,

    You're using the character class [...] wrong. It can only be used for single characters (hence the name), not for complete expressions. So the expression "(\d/\d)" will be interpreted as the sequence of "(", "\d", "/", "\d" again and ")".

    But I think this is going in the wrong direction, anyway. Never try to filter "dangerous" characters. Instead, use the appropriate escaping function.

    This reminds me of a joke about a bank, which had a webform saying something like: Your username mustn't contain the words "DROP", "ALTER" etc.

    Apart from that, your pattern ---- looks kind of random to me. What is this good for? I mean, there are obviously more "foreign characters" than this.
    I'm actually just working on someone else's code and trying to add the ability to use a slash. The webteam where I work has had so much turnover that there isn't anyone here who worked on the site originally, so I'm hesitant to delve into the back-end java. This regex is actually just defined in a .properties file so I figured it would be easier to just modify it to allow slashes as long as it's in the form "digit slash digit" so that's what I'm going for.
  8. #5
  9. --
    Devshed Expert (3500 - 3999 posts)

    Join Date
    Jul 2012
    Posts
    3,921
    Rep Power
    1045
    OK, I see.

    But which kind of "injection" do you want to prevent with restricting the slashes?

    If there's no security reason for this, I'd just stuff the slash into the character classes. This pattern is nonsense, anyway. For example, I may type in "________", but I'm not allowed to type in "Some street 123" (because of the double space).

    Well, if you still insist on your pattern, you could implement it with:
    Code:
    ^(\\\d+/\\\d+|[\\\w----_\\\-~'\\\.#]+)(\\\s[\\\w----_\\\-~'\\\.#]+)*$
    But be aware that I just corrected your example, if have no idea if this is what you're supposed to do.
    The 6 worst sins of security How to (properly) access a MySQL database with PHP

    Why cant I use certain words like "drop" as part of my Security Question answers?
    There are certain words used by hackers to try to gain access to systems and manipulate data; therefore, the following words are restricted: "select," "delete," "update," "insert," "drop" and "null".

IMN logo majestic logo threadwatch logo seochat tools logo