ASP Clean User Input
ASP Best Practices
Simple method for sanitizing user input through web forms.
Date : 2006-04-05
As webmasters we learn to love the visitors to our website. They are our bread and butter; they are the reason we keep tweaking every aspect of our site, looking for the perfect balance of features and usability to keep them coming back. It can be very hard for us to think of them as cunning, malicious attackers, but for security's sake that is exactly how we need to think of anyone who is going to enter data on a web form.
For that matter, if we are consuming any feeds from other sources, it would be a good idea to put those through a validation process as well, to guard against malicious code that was inserted into someone else's site.
All of the issues with user input can be solved by validating the data that they input. Sometimes these methods are called "cleaning" or "sanitizing" the input, but of course we don't want to think of our visitors as dirty, so we will call it validating. Actual data validation would also include checking the content type and length, but we'll get to that.
First, then, let's look at a fast, simple function for removing all potentially malicious characters from input we receive from anywhere.
Function cleanInput(str)
    Dim re
    Set re = New RegExp
    re.Pattern = "[^0-9a-zA-Z\s]"   ' allow-list: anything that is not a digit, ASCII letter or whitespace is matched
    re.Global = True                 ' replace every match, not only the first one
    cleanInput = re.Replace(str, "")
    Set re = Nothing
End Function
This function will accept a string and remove all characters except alphanumerics and whitespace. This would tend to wreak havoc on articles or forum submissions, where a lack of punctuation could be looked on as bad form. The great thing about this function is that all you have to do is add the characters you want to allow to the character class in the regular expression, and all other characters will be removed.
Once you have your data all nice and shiny you can validate the content with the validateInput(str, vType) function.
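The article names validateInput(str, vType) but does not show it, and it describes the allow-list cleaner only for the digits-letters-whitespace case. The following is an added example, not code from the original article: a parameterized version of the cleaner plus a hypothetical validateInput. It is written in JavaScript/JScript syntax, which classic ASP also accepts under <%@ Language=JScript %>, and its RegExp object behaves like the VBScript RegExp used above. The type names ("int", "alpha", "alnum", "text") and the extra maxLen argument are assumptions made here for illustration.

```javascript
// Added example (not from the original article). Allow-list cleaning in the
// spirit of the article's cleanInput, plus a hypothetical validateInput that
// checks content type and length.

// Strip every character that is NOT in the allow-list. The default allow-list
// is the article's: digits, ASCII letters and whitespace. Pass a different
// character-class body (e.g. "0-9a-zA-Z\\s.,!?'-") to permit punctuation.
function cleanInput(str, allowedClass) {
  var cls = allowedClass || "0-9a-zA-Z\\s";
  // "g" flag is the equivalent of re.Global = True in VBScript
  var re = new RegExp("[^" + cls + "]", "g");
  return String(str).replace(re, "");
}

// Hypothetical validateInput(str, vType, maxLen): vType names the expected
// shape of the value, maxLen (assumed extra argument) bounds its length.
// Returns true only when the value matches; unknown types are rejected.
function validateInput(str, vType, maxLen) {
  var s = String(str);
  if (maxLen !== undefined && s.length > maxLen) return false;
  var patterns = {
    "int":   /^-?\d+$/,                  // optional sign, digits only
    "alpha": /^[a-zA-Z]+$/,              // letters only
    "alnum": /^[0-9a-zA-Z]+$/,           // letters and digits
    "text":  /^[0-9a-zA-Z\s.,!?'-]*$/    // free text with basic punctuation
  };
  var p = patterns[vType];
  if (!p) return false;                  // reject rather than guess
  return p.test(s);
}

// Constructed sample inputs, the kind a form might receive.
var samples = [
  "Robert'); DROP TABLE users;--",
  "<script>alert(1)</script>",
  "Hello, world!"
];

// Run each sample through the default cleaner and a punctuation-friendly one.
function demo() {
  var out = [];
  for (var i = 0; i < samples.length; i++) {
    out.push({
      original: samples[i],
      strict:   cleanInput(samples[i]),
      text:     cleanInput(samples[i], "0-9a-zA-Z\\s.,!?'-")
    });
  }
  return out;
}
```

Note that stripping characters alters the data: an apostrophe in a surname disappears just as readily as one in an injection attempt. Cleaning on input is therefore best paired with checks like validateInput for fields that have a known shape, and with encoding at the point of output (Server.HTMLEncode in classic ASP) for free text that must keep its punctuation.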
So put this function into practice for your visitors input and go back to loving your visitors.
I found that re.Pattern needs to be "[^0-9a-zA-z\s]" or spaces will be removed.
Other than that, it was a great beginners introduction for me, a real newbie at using regular expressions.
You're right, Ann. There is supposed to be a \\s in there, but the crazy code keeps removing the backslashes... it must think I'm trying to inject something dangerous.