OT: Can you all suggest a good book that would give a better
understanding on regular expression programming?
Thanks
JLW
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Teddy Payne
Sent: Monday, August 07, 2006 15:52
To: [email protected]
Subject: Re: re[2]: [ACFUG Discuss] Regex help
I think what Dean is suggesting here is that it is wiser to validate both from the server and the client, the server validation being more reliable than the client. This is a well-adopted paradigm and Dean helps us remember this.

Also, MITM = Man In The Middle, which is a type of attack that can be used to attack a web site as a way to change data that would alter the normal behavior of the application.

Dean is very security conscious through profession and paranoia, which is not a bad thing. In the normal development process, it is always recommended to consider ways that your application can be altered.

For this given situation, one recommendation for removing the ability to perform a SQL injection attack is to use the <cfqueryparam> or <cfprocparam> tag when inserting data. These tags will throw exceptions if the datatypes do not match.

If this topic is of interest to other people, we should have Dean present application security again. I attended one of his presentations before at ACFUG and it was a good primer for many types of attacks.
Cheers
On 8/7/06, Dean H. Saxe <[EMAIL PROTECTED]> wrote:
Say you want to find your string and it's 10 to 12 characters in the hexadecimal character set. You can validate your data with:

[A-F0-9]{10,12}

This will match any hexadecimal number with a minimum of 10 chars and a maximum of 12. It's a positive way of doing data validation on your string.
-dhs
Dean H. Saxe, CISSP, CEH
[EMAIL PROTECTED]
"If liberty means anything at all, it means the right to tell people
what they do not want to hear."
-- George Orwell, 1945
On Aug 7, 2006, at 2:30 PM, Mischa Uppelschoten ext 10 wrote:
Thanks! The piece that I was missing was the not (^) :)
Dean, this expression rereplace(mystring, "[^A-F0-9]", "", "all")
filters out all the unwanted characters. What does "{min},{max}" do?
Mischa.
actually he would need this:
rereplace(string, "[^a-fA-F0-9]", "", "all");
On 8/7/06, Dean H. Saxe < [EMAIL PROTECTED]> wrote:
rereplace(string, "[^A-F0-9]", "", "all");
But if you're trying to do data validation, why wouldn't you throw
out any data that doesn't match the regex [A-F0-9]{min,max}?
-dhs
Dean H. Saxe, CISSP, CEH
[EMAIL PROTECTED]
"If liberty means anything at all, it means the right to tell people
what they do not want to hear."
-- George Orwell, 1945
On Aug 7, 2006, at 12:29 PM, Mischa Uppelschoten ext 10 wrote:
I can figure out how to remove a number of disallowed characters
from a string, but what if I want to include only a-f and 0-9 and
discard everything else?
so if a user supplies: E97152C6CF1DD198DE95C7F2C2EF5EA0, do nothing
if a user supplies E97152C6CF1DD198DE9;hackcode;
it is supposed to return: E97152C6CF1DD198DE9accde
Is that possible with a single regex? Or will I have to cycle
through the string, and replace every character that doesn't match
[a-f]|[0-9] with nothing?
Thanks!
Mischa,
-------------------------------------------------------------
To unsubscribe from this list, manage your profile @
http://www.acfug.org?fa For more info, see
http://www.acfug.org/mailinglists Archive @
http://www.mail-archive.com/discussion%40acfug.org/
List hosted by http://www.fusionlink.com
-------------------------------------------------------------
--
Steven Ross
web application & interface developer
http://www.zerium.com
[phone] 404-488-4364
Mischa Uppelschoten
The Banker's Exchange, Inc.
2020 Hills Avenue NW
Atlanta, GA 30318
Phone: (404) 605-0100 ext. 10
Fax: (404) 355-7930
Web: www.BankersX.com
Follow this link for Instant Web Chat:
http://www.bankersx.com/Contact/chat.cfm?Queue=MUPPELSCHOTEN
--
<cf_payne />
http://cfpayne.wordpress.com/
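The two approaches argued over in the thread, stripping with rereplace versus rejecting anything that fails `[A-F0-9]{min,max}`, side by side. This is an added example, not code from any of the posters; it is Python rather than CFML, the sample inputs are the thread's own strings, and the 32-character token length is an assumption taken from Mischa's sample value. It also shows Steven's case point and why the validating regex has to be anchored to the whole string.

```python
import re
from typing import Optional

# Constructed sample inputs, taken from the thread's own examples.
GOOD = "E97152C6CF1DD198DE95C7F2C2EF5EA0"   # 32 hex chars, should pass untouched
BAD = "E97152C6CF1DD198DE9;hackcode;"        # contains non-hex characters


def strip_non_hex(s: str, case_insensitive: bool = True) -> str:
    """Mischa's approach: rereplace(string, "[^a-fA-F0-9]", "", "all").
    Steven's correction: without a-f in the class, lowercase hex digits are destroyed too."""
    cls = r"[^a-fA-F0-9]" if case_insensitive else r"[^A-F0-9]"
    return re.sub(cls, "", s)


def is_valid_hex(s: str, min_len: int, max_len: int) -> bool:
    """Dean's approach: accept only if the WHOLE string is min..max hex digits.
    re.fullmatch anchors both ends; the same effect in CFML needs ^...$ on REFind."""
    return re.fullmatch(rf"[a-fA-F0-9]{{{min_len},{max_len}}}", s) is not None


def unanchored_looks_valid(s: str, min_len: int, max_len: int) -> bool:
    """Deliberately weak check for comparison: finds a hex run ANYWHERE in the string,
    so junk before or after a valid-looking run is not noticed."""
    return re.search(rf"[a-fA-F0-9]{{{min_len},{max_len}}}", s) is not None


def handle_token(s: str, min_len: int = 32, max_len: int = 32) -> Optional[str]:
    """Validate-then-use: return the token unchanged if valid, otherwise None (reject).
    Token length of 32 is an assumption based on the sample value in the thread."""
    return s if is_valid_hex(s, min_len, max_len) else None


if __name__ == "__main__":
    # Sanitising turns ";hackcode;" into "accde": a 24-char value that looks like hex
    # but is not what the caller sent, and nothing downstream can tell it was altered.
    print(strip_non_hex(BAD))                                  # E97152C6CF1DD198DE9accde
    print(strip_non_hex("e97152c6", case_insensitive=False))   # 971526 (lowercase lost)
    # Validation keeps the good value and rejects the tampered one outright.
    print(handle_token(GOOD))                                  # the 32-char token
    print(handle_token(BAD))                                   # None
    # Anchoring matters: the unanchored check passes the tampered string.
    print(unanchored_looks_valid(BAD, 10, 12), is_valid_hex(BAD, 10, 12))  # True False
```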