
do you have your own regEXp to validate your string



Author
11 Sep 2006 9:53 PM
c676228
Hi everyone,
I just realized that it's so important to validate each string, I mean
'each', before you insert data from an ASP page into the database.
I guess some customers just copy data from some electronic document and
paste it into a form field, which will probably mess up the program.
For example, we have a customer who wants to enter AH12345 into one of our
fields. It appears as АН12345 in a hidden field of our ASP page, but it displayed
as AH12345 to the customer, and our program failed because the data does not fit
into the char field in the SQL database.
I don't know, in reality, how other companies deal with those kinds of things.
Do I have to write our own regExp to validate each string, since we do need to
allow apostrophes or "-" in first names or last names?
Can you shed some light on this for me?

--
Betty

Author
11 Sep 2006 10:29 PM
Bob Barrows [MVP]
c676228 wrote:
> Hi everyone,
> I just realized that it's so important to validate each string, I mean
> 'each', before you insert data from an ASP page into the database.
> I guess some customers just copy data from some electronic document
> and paste it into a form field, which will probably mess up the program.
> For example, we have a customer who wants to enter AH12345 into one
> of our fields. It appears as ??12345 in a hidden field of our ASP page,
> but it displayed as AH12345 to the customer, and our program failed
> because the data does not fit into the char field in the SQL database.
> I don't know, in reality, how other companies deal with those kinds of
> things. Do I have to write our own regExp to validate each string, since
> we do need to allow apostrophes or "-" in first names or last names?
> Can you shed some light on this for me?
>
It depends on your goal. If your goal is solely to make sure the length
of the string is not too great, then you do not need a regular
expression for that. Simply use the Len function (if using vbscript on
the server) to validate the string before inserting it into the database
table.

However, given your desire to prevent apostrophes and hyphens, it sounds
as if you also have the laudable goal of preventing SQL Injection. You
can stop a good portion of SQL Injection attacks by validating your
data. However, an experienced hacker will have no problem defeating your
defences if all you do is prevent apostrophes and hyphens. The only sure
way to prevent SQL Injection is to stop using dynamic SQL, i.e., stop
concatenating user inputs into strings containing SQL statements. Use
parameters instead. Since you are using SQL Server (I think), my
preference would be to use stored procedures using the
"procedure-as-connection-method" technique to pass the parameter values:
http://groups.google.com/group/microsoft.public.inetserver.asp.general/msg/5d3c9d4409dc1701?hl=en

However, if you don't want to go down the learning path required for
stored procedures, you can still use parameters via ODBC parameter
markers. See:
http://groups-beta.google.com/group/microsoft.public.inetserver.asp.db/msg/72e36562fee7804e


You still should validate your data in server-side code, if only to
detect hack attempts (you don't really want to store garbage in your
database, do you?).
Unfortunately, I'm no regexp expert, so someone will need to jump in
here. This Google search result may contain some examples:
http://groups.google.com/groups?sourceid=gd&rls=GGLD,GGLD:2005-37,GGLD:en&hl=en&oe=UTF-8&q=%22SQL%20Injection%22%20validation%20regular%20expressions&sa=N&tab=xg

Just be aware that you will need to learn how to write these regexp
validations yourself: some data fields will need to store strings that
could look like SQL Injection attempts (O'Malley), so you will need to
at least be able to modify the examples you are given.

--
Microsoft MVP -- ASP/ASP.NET
Please reply to the newsgroup. The email account listed in my From
header is my spam trap, so I don't check it very often. You will get a
quicker response by posting to the newsgroup.
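The two things Bob recommends, a server-side length/character check and a parameterized INSERT via an ODBC "?" marker, put together in one classic ASP/VBScript page. This is an added example, not code from the thread or from any of the posters; it assumes a Customers table with a varchar(50) LastName column, a placeholder connection string (connStr), and the standard ADO constant values normally pulled in from adovbs.inc. The allow-list pattern admits apostrophes and hyphens, so O'Malley passes validation and is still stored safely, because the value never becomes part of the SQL text.

```vbscript
<%
Option Explicit
' ADO constants (values as defined in adovbs.inc; declared here so the page is self-contained)
Const adCmdText = 1
Const adVarChar = 200
Const adParamInput = 1
Const adExecuteNoRecords = 128

' Assumed placeholder: replace with your real SQL Server connection string
Const connStr = "PLACEHOLDER: your SQL Server connection string"

' Server-side allow-list for a name field: Latin letters, apostrophe, hyphen
' and space only, 1 to 50 characters (the varchar(50) limit, checked with Len
' as Bob suggests). A Cyrillic look-alike such as U+0410 fails the pattern.
Function IsValidName(ByVal s)
    Dim re
    IsValidName = False
    If Len(s) < 1 Or Len(s) > 50 Then Exit Function
    Set re = New RegExp
    re.Pattern = "^[A-Za-z][A-Za-z' \-]*$"
    re.IgnoreCase = False
    IsValidName = re.Test(s)
End Function

' INSERT through an ADODB.Command with a "?" parameter marker. The value is
' bound as data, never concatenated into the statement, so "O'Malley" or
' any injection payload is stored literally and never executed.
Sub InsertLastName(ByVal conn, ByVal lastName)
    Dim cmd
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = adCmdText
    cmd.CommandText = "INSERT INTO Customers (LastName) VALUES (?)"
    cmd.Parameters.Append cmd.CreateParameter("LastName", adVarChar, adParamInput, 50, lastName)
    cmd.Execute , , adExecuteNoRecords
End Sub

Dim lastName, conn
lastName = Request.Form("LastName")   ' e.g. "O'Malley"

If Not IsValidName(lastName) Then
    ' Rejected input is worth logging as a possible probe; never echo it back raw.
    Response.Status = "400 Bad Request"
    Response.Write "Invalid last name."
Else
    Set conn = Server.CreateObject("ADODB.Connection")
    conn.Open connStr
    InsertLastName conn, lastName
    conn.Close
    Response.Write "Saved " & Server.HTMLEncode(lastName)
End If
%>
```

Validation and parameters do different jobs here: the RegExp keeps garbage (and the look-alike characters from Betty's copy-and-paste case) out of the table, while the parameter marker is what actually removes the injection risk, whatever the pattern lets through.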
Author
12 Sep 2006 7:22 AM
Mike Brind
c676228 wrote:
> Hi everyone,
> I just realized that it's so important to validate each string, I mean
> 'each', before you insert data from an ASP page into the database.
> I guess some customers just copy data from some electronic document and
> paste it into a form field, which will probably mess up the program.
> For example, we have a customer who wants to enter AH12345 into one of our
> fields. It appears as АН12345 in a hidden field of our ASP page, but it displayed
> as AH12345 to the customer, and our program failed because the data does not fit
> into the char field in the SQL database.
> I don't know, in reality, how other companies deal with those kinds of things.
> Do I have to write our own regExp to validate each string, since we do need to
> allow apostrophes or "-" in first names or last names?
> Can you shed some light on this for me?
>

Building on what Bob says, RegExp is just one tool in the box.
Sometimes it's the best one to use, but more often others, such as the
built-in functions (Len(), CLng(), Replace(), Instr() etc [VBScript])
will do what you want and are easier to work with.

The important thing to remember is to never rely on client-side
validation (not that you said you are).  Client-side validation acts
solely as a convenience to 90% of your users (those that have
JavaScript enabled), but is easily defeated.

Specifically dealing with RegExp, once you get the hang of it, it's not
too difficult to use.  There are also libraries of pre-written
expressions that you can utilise as well, e.g. regexlib.com

--
Mike Brind
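Mike's point that the built-in functions are often enough, applied to Betty's AH12345 case. This is an added example of my own, not code from the thread; it validates a reference number of the form two letters plus five digits using only Len, Trim, Mid and AscW, with no RegExp. Because AscW returns the Unicode code point, the Cyrillic look-alike string (U+0410 U+041D followed by 12345), which renders identically to AH12345, is rejected before it ever reaches a char column.

```vbscript
<%
Option Explicit
' True only for A-Z / a-z (code points 65-90, 97-122); Cyrillic А is 1040 and fails
Function IsAsciiLetter(ByVal ch)
    Dim code
    code = AscW(ch)
    IsAsciiLetter = (code >= 65 And code <= 90) Or (code >= 97 And code <= 122)
End Function

' True only for 0-9 (code points 48-57)
Function IsAsciiDigit(ByVal ch)
    Dim code
    code = AscW(ch)
    IsAsciiDigit = (code >= 48 And code <= 57)
End Function

' Reference number: exactly 2 letters followed by 5 digits, e.g. AH12345.
' Built-ins only: Trim, Len, Mid and the two helpers above.
Function IsValidRef(ByVal s)
    Dim i
    IsValidRef = False
    s = Trim(s)
    If Len(s) <> 7 Then Exit Function
    For i = 1 To 2
        If Not IsAsciiLetter(Mid(s, i, 1)) Then Exit Function
    Next
    For i = 3 To 7
        If Not IsAsciiDigit(Mid(s, i, 1)) Then Exit Function
    Next
    IsValidRef = True
End Function

' Self-check with constructed inputs; replace with Request.Form("Ref") in production
Dim goodRef, lookAlikeRef
goodRef = "AH12345"
lookAlikeRef = ChrW(&H0410) & ChrW(&H041D) & "12345"   ' constructed: Cyrillic А, Н

Response.Write "AH12345 (Latin) valid: " & IsValidRef(goodRef) & "<br>"      ' True
Response.Write "AH12345 (Cyrillic) valid: " & IsValidRef(lookAlikeRef) & "<br>"  ' False
Response.Write "ah12345 valid: " & IsValidRef("ah12345") & "<br>"            ' True
Response.Write "AH1234 valid: " & IsValidRef("AH1234") & "<br>"              ' False
%>
```

Asc would have returned the code for "?" on a non-Unicode code page, which is exactly why the value looked fine on screen and only failed at the database; AscW sees the real character.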
Author
14 Sep 2006 4:20 PM
c676228
Thank you, Mike and Bob. I think I need to validate each form field before
inserting it into the database, using RegExp and some functions provided by the system,
as Mike mentioned.
--
Betty


"Mike Brind" wrote:

>
> c676228 wrote:
> > Hi everyone,
> > I just realized that it's so important to validate each string, I mean
> > 'each', before you insert data from an ASP page into the database.
> > I guess some customers just copy data from some electronic document and
> > paste it into a form field, which will probably mess up the program.
> > For example, we have a customer who wants to enter AH12345 into one of our
> > fields. It appears as АН12345 in a hidden field of our ASP page, but it displayed
> > as AH12345 to the customer, and our program failed because the data does not fit
> > into the char field in the SQL database.
> > I don't know, in reality, how other companies deal with those kinds of things.
> > Do I have to write our own regExp to validate each string, since we do need to
> > allow apostrophes or "-" in first names or last names?
> > Can you shed some light on this for me?
> >
>
> Building on what Bob says, RegExp is just one tool in the box.
> Sometimes it's the best one to use, but more often others, such as the
> built-in functions (Len(), CLng(), Replace(), Instr() etc [VBScript])
> will do what you want and are easier to work with.
>
> The important thing to remember is to never rely on client-side
> validation (not that you said you are).  Client-side validation acts
> solely as a convenience to 90% of your users (those that have
> JavaScript enabled), but is easily defeated.
>
> Specifically dealing with RegExp, once you get the hang of it, it's not
> too difficult to use.  There are also libraries of pre-written
> expressions that you can utilise as well, e.g. regexlib.com
>
> --
> Mike Brind
>
>
