ASP Clean User Input

ASP Best Practices

Simple method for sanitizing user input through web forms.


Date : 2006-04-05
As webmasters we learn to love the visitors to our website. They are our bread and butter, the reason we keep tweaking every aspect of our site looking for the perfect balance of features and usability to keep them coming back. It can be very hard for us to think of them as cunning, malicious attackers, but for security's sake that is exactly how we need to think of anyone who is going to enter data on a web form.

For that matter, if we are consuming any feeds from other sources it would be a good idea to put these through a validation process as well, to guard against malicious code that was inserted into someone else's site.

There are two main kinds of attacks that we can fall prey to with user-input data. The first can cause a security breach on our server and allow unsafe code to be executed. This can result in information being stolen, deleted, or otherwise compromised. The second arises with user-input data that is displayed somewhere on our site for other visitors to see. This data can have JavaScript inserted into it that compromises the security of our visitors' systems, and it would appear the attack came from our site. This kind of attack can come from forum, article, or even comment submission forms.

All of the issues with user input can be solved by validating the data that they input. Sometimes these methods are called "cleaning" or "sanitizing" the input, but of course we don't want to think of our visitors as dirty, so we will call it validating. Of course, actual data validation would also include checking the content type and length, but we'll get to that.

First, then, let's look at a fast, simple function for removing all possible malicious characters from input we receive from anywhere.

Code:
' Allow-list filter: keeps only digits, letters and whitespace.
' Add any further characters you want to permit inside the brackets
' (after the ^) and everything else is still stripped.
Function cleanInput(str)
  Dim re
  Set re = New RegExp
  re.Pattern = "[^0-9a-zA-Z\s]"   ' match every character NOT in the list
  re.Global = True                ' replace all matches, not just the first
  cleanInput = re.Replace(str, "")
  Set re = Nothing
End Function


This function will accept a string and remove all characters except alphanumerics and whitespace. This would tend to wreak havoc on articles or forum submissions, where a lack of punctuation could be looked at as bad form. The great thing about this function is that all you have to do is add the characters you want to allow into the regular expression character class and all other characters will be removed.

Once you have your data all nice and shiny you can validate the content with the validateInput(str, vType) function.
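The same allow-list filter, together with the type and length checks mentioned above and the handling of data that is displayed back to other visitors, as an added example that is not part of the original article. It is written in JavaScript (which classic ASP also runs server-side as JScript) rather than VBScript; the validateInput(str, vType) rules and the htmlEncode helper are assumptions of this example, not the article's own code.

```javascript
// Added example (not from the original article): the allow-list filter
// in JavaScript, plus the type/length validation the article mentions and
// HTML-encoding for data that is shown back to other visitors.

// Keep only characters in the allow-list; everything else is dropped.
// `allowed` is a developer-supplied character-class body, e.g. add ".,!?"
// to permit basic punctuation in articles or forum posts.
function cleanInput(str, allowed) {
  allowed = allowed || "0-9a-zA-Z\\s";
  var re = new RegExp("[^" + allowed + "]", "g");
  return String(str).replace(re, "");
}

// Hypothetical validateInput(str, vType): the article names this function
// but does not show it. These rules are constructed for the example.
var RULES = {
  integer:  { re: /^-?\d+$/,                    max: 10 },
  username: { re: /^[a-zA-Z0-9_]+$/,            max: 20 },
  email:    { re: /^[^\s@]+@[^\s@]+\.[^\s@]+$/, max: 254 },
  text:     { re: /^[\s\S]*$/,                  max: 2000 }
};

// Returns { ok: true, value } or { ok: false, reason } so the caller can
// reject the submission instead of silently storing a mangled value.
function validateInput(str, vType) {
  var rule = RULES[vType];
  if (!rule) return { ok: false, reason: "unknown type" };
  var s = String(str);
  if (s.length > rule.max) return { ok: false, reason: "too long" };
  if (!rule.re.test(s)) return { ok: false, reason: "bad format" };
  return { ok: true, value: s };
}

// The second attack class (script injected into data other visitors see)
// is handled at display time: encode rather than strip, so "<script>" is
// rendered as text. Classic ASP's Server.HTMLEncode does the same job.
function htmlEncode(str) {
  var map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(str).replace(/[&<>"']/g, function (c) { return map[c]; });
}
```

Run cleanInput or validateInput on the way in and htmlEncode on the way out; stripping alone does not protect text that is later rendered as HTML.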

So put this function into practice for your visitors input and go back to loving your visitors.

Comments :

williaj 2006-05-17 #9

I found that re.Pattern needs to be "[^0-9a-zA-z\s]" or spaces will be removed.

Other than that, it was a great beginners introduction for me, a real newbie at using regular expressions.

Ann Williams

BeachBum 2006-05-18 #10

You're right Ann, there is supposed to be a \\s in there, but the crazy code keeps removing the backslashes... it must think I'm trying to inject something dangerous.
