7 Replies Latest reply on Mar 6, 2007 8:16 AM by ThomasP100

    input validation

    zoidberg84 Level 1
      hello all,

      i have made a form and have done a lot of validation using regular expressions and some in-built validators like emailValidator; however, i am trying to guard against a user entering malicious code or SQL statements. I can only make an expression that will accept ONLY malicious code ... bad times!

      so if someone knows how to either make a new code, or some ActionScript (though i'm a bit pants at that bit), or knows how to make the expression disallow matches instead of accept them ... good times!

      Thanks for any help (and to JLC the God)
        • 1. Re: input validation
          KomputerMan.com Level 1
          If you are using a CF back end you could use the CFQUERYPARAM tag in your INSERT or UPDATE query to eliminate the possibility of SQL injection. As for the front end in Flex I don't know either.

          Have an Ordinary Day...
          KomputerMan ~|:-)
          • 2. Re: input validation
            theLoggerGuy Level 1
            Can you give an example of what you've done - the regular expressions - and the malicious code that you want to reject?
            • 3. Re: input validation
              zoidberg84 Level 1
              well it's basically a user input form where users just enter name, address, email style information as well as credit card information. so yeh i use cfc's to make the connection into the database.

              currently i have regular expressions on telephone number, uk postcode, credit card number and email. For the email one i use Flex 2's inbuilt <mx:emailValidator> but for telephone number i use:

              <mx:RegExpValidator id="telNoV" source="{telNoInput}" property="text" expression="^((01)|(02)|(07)|(08))(([1-9][1-9])|([0-9][0-9][0-9]))(([0-9][0-9][0-9][0-9][0-9][0-9])|([0-9][0-9][0-9][0-9][0-9][0-9][0-9]))$"/>

              n.b. i've had to use [0-9] loads of times because my Flex program won't let me use [0-9]{6,7} to denote 6 or 7 digits; so i have had to just put in six lots of [0-9]!

              so anyway, the expression above is linked to a "telNoInput" source and will only allow complete matches from the user to the expression. what i want though is if the user's data does match the expression it is NOT allowed, so if i have this expression:

              (script)|(&lt;)|(&gt;)|(%3c)|(%3e)|(SELECT)|(UPDATE)|(INSERT)|(DELETE)|(GRANT)|(REVOKE)|(UNION)|(&amp;lt;)|(&amp;gt;)

              and the user tries to do a SELECT statement, Flex will block it!
              • 4. Re: input validation
                theLoggerGuy Level 1
                Okay. I have a long-winded answer...

                The nicest way to do this is to override the doValidation method and make your own. Something like this:

                package
                {
                    import mx.validators.Validator;
                    import mx.validators.ValidationResult;

                    public class ukPhoneNumberValidator extends Validator
                    {
                        private var results:Array;

                        override protected function doValidation( value: Object ): Array
                        {
                            results = [ ];
                            results = super.doValidation( value );

                            if ( value != null )
                            {
                                // expression looks for a pattern like: nn nn(n) nnnnnn(n)
                                var pattern: RegExp = /[\s+]*(0[1278])[\s-]*([0-9]{3,3}|[1-9]{2,2})[\s-]*([0-9]{6,7}).*/;

                                if ( value.search( pattern ) == -1 )
                                {
                                    results.push( new ValidationResult( true, null, "illegalPhoneNumber", "This is not a valid UK phone number" ) );
                                }
                            }

                            return results;
                        }

                    }
                }

                The regex expression I used was a bit less strict than yours, but it allows for spaces between number groups, etc, and you still get three groups of numbers out of it.

                Just invoke as usual in mxml:
                <local:ukPhoneNumberValidator id="telNoV" source="{telNoInput}" property="text" triggerEvent=""/>

                The empty "triggerEvent" method now allows you to control when the box is validated. So for example you can call a method upon a submission and run something like the following:

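                // imports needed at the top of the script block
                import mx.controls.Alert;
                import mx.events.ValidationResultEvent;

                private function validatePhoneNumber():void
                {
                    // run the validator by hand and inspect the resulting event
                    var validPhoneNumEvent: ValidationResultEvent = telNoV.validate();

                    if ( validPhoneNumEvent.type == ValidationResultEvent.VALID )
                    {
                        Alert.show("valid");
                    }
                    else
                    {
                        Alert.show("invalid");
                    }
                }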

                Enjoy
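
                An added example, not code from any poster in this thread: a validator that fails when the value matches a reject pattern (the inversion asked for in reply 3) and otherwise requires the whole value to match an anchored allow pattern, built on the same doValidation override as reply 4. The class name AllowDenyValidator, the allow and deny properties and the error codes are assumptions made for illustration.

```actionscript
package
{
    import mx.validators.ValidationResult;
    import mx.validators.Validator;

    // Added example; the class name, property names and error codes are hypothetical.
    public class AllowDenyValidator extends Validator
    {
        // Pattern the WHOLE value must match. Anchor it with ^ and $ so that
        // text before or after the expected data also fails validation.
        public var allow:RegExp = null;

        // Pattern that must not occur anywhere in the value: the list from
        // reply 3, case-insensitive so that "SeLeCt" is rejected as well.
        public var deny:RegExp =
            /script|<|>|%3c|%3e|&lt;|&gt;|select|update|insert|delete|grant|revoke|union/i;

        override protected function doValidation(value:Object):Array
        {
            var results:Array = super.doValidation(value);
            var text:String = (value == null) ? "" : String(value);

            // The base class reports a missing required value; an empty
            // optional value has nothing further to check.
            if (results.length > 0 || text.length == 0)
            {
                return results;
            }

            if (deny != null && deny.test(text))
            {
                results.push(new ValidationResult(true, null, "deniedText",
                    "This value contains text that is not allowed"));
            }
            else if (allow != null && !allow.test(text))
            {
                results.push(new ValidationResult(true, null, "notAllowed",
                    "This value is not in the expected format"));
            }
            return results;
        }
    }
}

// Configuring it for the telephone field from the thread, in ActionScript:
//   var telNoV:AllowDenyValidator = new AllowDenyValidator();
//   telNoV.source = telNoInput;
//   telNoV.property = "text";
//   telNoV.allow = /^\s*0[1278][\s-]*([0-9]{3}|[1-9]{2})[\s-]*[0-9]{6,7}\s*$/;
```

                Checks that run inside the Flex client can be skipped by anyone who sends requests to the back end directly, so the CFQUERYPARAM binding from reply 1 remains the control against SQL injection. A keyword deny-list also rejects legitimate input such as an address on "Union Street", which is why the anchored allow pattern should carry most of the weight.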
                • 5. Re: input validation
                  Parag_Metha
                  hi

                  how do i call validatePhoneNumber();

                  Thanks,
                  Parag
                  • 6. Re: input validation
                    phi2265 Level 1
                    You could not allow characters like [ or { or *... I had to do a validation for a user signup form. I went through and allowed only the character codes that I wanted, using for loops and charCodeAt... then I realized Flex has a built in control to allow/disallow characters...


                    • 7. Re: input validation
                      ThomasP100
                      Hi Jayson,

                      I have a similar issue at the moment. I want to allow/disallow characters for TextInput controls.
                      Can you elaborate on how you did this? Where can I find the in control to allow/disallow characters that you mentioned?

                      Thanks,
                      Thomas