Monday, February 21, 2011

Validating User Input to Avoid Attacks

To protect against vulnerabilities such as script injection and cross-site scripting, user input can be verified and rejected, or an application can remove harmful characters and continue processing. This topic provides example code that uses regular expressions to verify user input.

The regular expression, ^[\w\.:\?&=/]*$, is anchored at both ends, so it matches a string only when every character from beginning to end is one of the following:

  • alphanumeric or underscore (_)

  • periods (.)

  • colons (:)

  • question marks (?)

  • ampersands (&)

  • equal signs (=)

  • forward slashes (/)

<%@ LANGUAGE="VBScript" %>
<% Response.CodePage = 1252

' Where MyUrl comes from is not shown in the original; reading it from the
' query string is assumed here so that the page runs as written.
MyUrl = Request.QueryString("url")

If ValidateInput(MyUrl) Then
    Response.Redirect (MyUrl)
Else
    ' Response.Redirect ends the response, so without this Else the
    ' error message could never be reached.
    Response.Write("URL was invalid.")
End If

' Returns True only when the whole string consists of allowed characters.
Function ValidateInput(sInput)
    Dim reValid
    Set reValid = New RegExp
    reValid.Pattern = "^[\w\.:\?&=/]*$"
    reValid.MultiLine = False
    reValid.Global = True
    ValidateInput = reValid.Test(sInput)
End Function
%>
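The same allowlist check, written here in Python as an added example rather than code from the original post, so that both approaches the opening paragraph mentions (reject the input, or strip the disallowed characters and continue) can be run side by side on constructed sample inputs. The function names validate_input, sanitize_input and legacy_check are this example's own. Two details worth seeing in practice: the pattern's * quantifier means the empty string is accepted, and in Python a trailing $ matches before a final newline, so fullmatch (or \Z) is used to get the strict end-of-string anchoring the VBScript pattern has with MultiLine = False.

```python
import re

# Same character class as the page's pattern ^[\w\.:\?&=/]*$.
# re.ASCII limits \w to [A-Za-z0-9_]; without it Python's \w also
# accepts non-ASCII letters, which the VBScript engine does not.
ALLOWED_CHARS = r"[\w.:?&=/]"
ALLOWLIST = re.compile(ALLOWED_CHARS + r"*", re.ASCII)
DISALLOWED = re.compile(r"[^\w.:?&=/]", re.ASCII)

# Literal translation of the page's pattern, using re.match and a trailing $.
LEGACY = re.compile(r"^" + ALLOWED_CHARS + r"*$", re.ASCII)


def validate_input(s_input: str) -> bool:
    """Reject approach: True only if every character is on the allowlist.

    fullmatch requires the whole string to match, so a trailing newline
    cannot slip past the end anchor the way it can with re.match + '$'.
    """
    return ALLOWLIST.fullmatch(s_input) is not None


def legacy_check(s_input: str) -> bool:
    """Same pattern with re.match and '$'; Python's '$' also matches just
    before a final newline, so 'page\\n' passes here but not above."""
    return LEGACY.match(s_input) is not None


def sanitize_input(s_input: str) -> str:
    """Strip-and-continue approach: remove every character not on the
    allowlist and return what is left."""
    return DISALLOWED.sub("", s_input)


def classify(candidates):
    """Verdict table for a batch of inputs (used by the demo below)."""
    return {s: validate_input(s) for s in candidates}


if __name__ == "__main__":
    # Constructed sample inputs, not data from the original post.
    samples = [
        "page.asp?id=42&sort=name",   # ordinary query string: accepted
        "",                           # empty string: accepted because of '*'
        "<script>alert(1)</script>",  # angle brackets and parens: rejected
        "page.asp?id=42 OR 1=1",      # spaces: rejected
        "page.asp?id=42\n",           # trailing newline: rejected by fullmatch
        "caf\u00e9",                  # non-ASCII letter: rejected with re.ASCII
    ]
    for text, ok in classify(samples).items():
        print(f"{text!r:32} -> {'accept' if ok else 'reject'}")
    print("legacy_check('page\\n') ->", legacy_check("page\n"))
    print("sanitize_input('<b>page.asp?id=42</b>') ->",
          repr(sanitize_input("<b>page.asp?id=42</b>")))
```

The sanitize output for `<b>page.asp?id=42</b>` is `bpage.asp?id=42/b`: stripping characters silently turns one string into a different, still-processed one, which is why rejecting is usually the safer of the two options the opening paragraph offers. A character allowlist also says nothing about where a URL points; when the validated value is used as a redirect target, a separate check that it is a relative path or on an expected host is the usual companion.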
