Published: Thursday, December 07, 2000
Determining if a String has Certain Substrings, Part 2
Read Part 1
In Part 1 we looked at a number of helper functions for
determining whether any offending substrings exist in a string. In this part, we'll look at these
helper functions in action and then look at some enhancements.
The code below adds six illegal substrings to objDictViolations,
a Dictionary object, via the AddViolation subroutine we examined in Part 1. Next,
a check is made to see if a user-entered string contains any of these substrings; if it does,
a list of the offending substrings is displayed.
'Create a dictionary object
Dim objDictViolations
Set objDictViolations = Server.CreateObject("Scripting.Dictionary")

'Assign offending substrings to dictionary object
'(AddViolation, CheckStringForViolations and ListViolations are the
' helper routines from Part 1)
AddViolation objDictViolations, "<html>"
AddViolation objDictViolations, "</html>"
AddViolation objDictViolations, "<body>"
AddViolation objDictViolations, "</body>"
AddViolation objDictViolations, "<script"
AddViolation objDictViolations, "<table"

'Read in a user-entered string.
Dim strCheck
strCheck = Request("string")

If CheckStringForViolations(strCheck, objDictViolations) then
  Response.Write "<b>The following unallowed substrings were found " & _
                 "in your input text:</b><br>"

  'Replace < with &lt; and > with &gt; so the offending tags are shown
  'as text rather than rendered by the browser
  Dim strResults
  strResults = ListViolations(objDictViolations)
  strResults = Replace(strResults, "<", "&lt;")
  strResults = Replace(strResults, ">", "&gt;")

  Response.Write strResults & "<p>"
Else
  Response.Write "<b>No violations were found in your input text!</b>"
End If
Note what the above code is trying to do. It is basically attempting to preclude
the user from entering certain HTML strings... hrmm... but what if we have a clever
visitor who tries something like < script ... (note the space between the
< and the word script)? Gadzooks! This will slip by the substring check, yet it will still serve as
an HTML script block when someone views the user's output through an HTML page! Shoot, that's
exactly what we were trying to avoid!
Wouldn't it be neat if we could use regular expressions instead? That way, we could specify
an illegal regular expression like <(\s)*script, meaning, "Hey, if you find
a less-than character followed by zero or more whitespace characters, followed by "script,"
then this is illegal." (For more information on regular expressions be sure to read the articles
at the Regular Expressions Article Index!)
A new helper function will handle this nicely for us:
Function CheckStringForViolationsRegExp(strString, ByRef objDict)
  'Determines if the string strString matches any of the offending
  'regular expression patterns stored as keys in objDict. Each key
  'whose pattern is found has its value set to True.
  Dim bolViolations
  bolViolations = False

  'Create a single RegExp object and reuse it for every pattern
  Dim objRegExp
  Set objRegExp = New RegExp
  objRegExp.IgnoreCase = True
  objRegExp.Global = True

  Dim strKey
  For Each strKey in objDict
    objRegExp.Pattern = strKey
    If objRegExp.Test(strString) then
      bolViolations = True
      objDict(strKey) = True
    End If
  Next

  CheckStringForViolationsRegExp = bolViolations
End Function
Note that in this function we create an instance of the RegExp object and use its
Test method inside the For Each ... Next loop to determine whether each
offending pattern is found in the passed-in string strString. Keep in mind
that each key in the Dictionary object we create now needs to be an offending regular
expression pattern, not an offending substring. Regular expressions have certain reserved
characters (like the ?); if you want to include a literal question mark in
an offending pattern, you need to precede it with a backslash: \?.
With this new function, we can create a new, more powerful example:
'Create a dictionary object (as in the first example)
Dim objDictViolations
Set objDictViolations = Server.CreateObject("Scripting.Dictionary")

'Add offending regular expression patterns
AddViolation objDictViolations, "<(\s)*html(\s)*>"
AddViolation objDictViolations, "<(\s)*/html(\s)*>"
AddViolation objDictViolations, "<(\s)*body(\s)*>"
AddViolation objDictViolations, "<(\s)*/body(\s)*>"
AddViolation objDictViolations, "<(\s)*script"
AddViolation objDictViolations, "<(\s)*table"

'Read in a user-entered string and check it only if something was entered
Dim strCheck, strKey
strCheck = Request("string")
If Len(strCheck) > 0 then
  If CheckStringForViolationsRegExp(strCheck, objDictViolations) then
    'Offending patterns found...
  Else
    'No offending patterns found...
  End If
End If
That about wraps up this article! Note that there are some possible enhancements. First off,
the ListViolations helper function displays some rather ugly values. If you'd
like to create some clever code to handle this, feel free to, and send it to
me; if it makes the grade I will post it in this article! :-) Also, it would
be nice to have a Reset helper function that simply iterates through each element
of a passed-in Dictionary object and sets all of its values back to False. Ah, too many ideas,
too little time!
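To show the substring check and the regular-expression check side by side, here is an added Python re-implementation of the article's Dictionary-of-patterns logic (it is not ASP code from the article). The function names mirror the VBScript helpers, LITERAL_SUBSTRINGS and VIOLATION_PATTERNS are constructed here from the article's two lists, and reset_violations is the Reset helper just described.

```python
import re

# Literal substrings from the first example and the regular-expression
# patterns from the second (constructed here from the article's lists).
LITERAL_SUBSTRINGS = ["<html>", "</html>", "<body>", "</body>", "<script", "<table"]
VIOLATION_PATTERNS = [
    r"<(\s)*html(\s)*>", r"<(\s)*/html(\s)*>",
    r"<(\s)*body(\s)*>", r"<(\s)*/body(\s)*>",
    r"<(\s)*script", r"<(\s)*table",
]

def add_violation(violations, pattern):
    """AddViolation: register a key with its matched flag cleared."""
    violations[pattern] = False

def check_string_for_violations(text, violations):
    """Part 1's check: every key is a plain, case-insensitive substring."""
    found = False
    for substring in violations:
        if substring.lower() in text.lower():
            violations[substring] = True
            found = True
    return found

def check_string_for_violations_regexp(text, violations):
    """CheckStringForViolationsRegExp: every key is a regular expression."""
    found = False
    for pattern in violations:
        if re.search(pattern, text, re.IGNORECASE):
            violations[pattern] = True
            found = True
    return found

def list_violations(violations):
    """ListViolations: the keys that matched, in registration order."""
    return [key for key, hit in violations.items() if hit]

def reset_violations(violations):
    """The Reset helper the article proposes: set every flag back to False."""
    for key in violations:
        violations[key] = False

def scan(text, use_regexp=True):
    """Check one input with either helper; return (hit, matched keys)."""
    keys = VIOLATION_PATTERNS if use_regexp else LITERAL_SUBSTRINGS
    check = check_string_for_violations_regexp if use_regexp else check_string_for_violations
    violations = {}
    for key in keys:
        add_violation(violations, key)
    return check(text, violations), list_violations(violations)
```

The literal check lets "< script" through while the regular-expression check flags it, as the article warns. A pattern denylist like this is best treated as a secondary check; the primary defense against user-supplied HTML in classic ASP is to HTML-encode output with Server.HTMLEncode, which renders a < as text whatever follows it.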
Happy Programming!