Re: [ACFUG Discuss] Regex help
Not if his string is case-sensitive, which it appears to be.

-dhs
Dean H. Saxe, CISSP, CEH
[EMAIL PROTECTED]

[T]he people can always be brought to the bidding of the leaders. This is easy. All you have to do is to tell them they are being attacked, and denounce the pacifists for lack of patriotism and exposing the country to danger. It works the same in every country.
--Hermann Goering, Hitler's Reich-Marshall at the Nuremberg Trials

On Aug 7, 2006, at 12:45 PM, Steven Ross wrote:

> actually he would need this:
>
>     rereplace(string, "[^a-fA-F0-9]", "", "all");
>
> On 8/7/06, Dean H. Saxe [EMAIL PROTECTED] wrote:
>
>>     rereplace(string, "[^A-F0-9]", "", "all");
>>
>> But if you're trying to do data validation, why wouldn't you throw out any data that doesn't match the regex [A-F0-9]{min,max}?
>>
>> -dhs
>> Dean H. Saxe, CISSP, CEH
>> [EMAIL PROTECTED]
>>
>> If liberty means anything at all, it means the right to tell people what they do not want to hear. -- George Orwell, 1945
>>
>> On Aug 7, 2006, at 12:29 PM, Mischa Uppelschoten ext 10 wrote:
>>
>>> I can figure out how to remove a number of disallowed characters from a string, but what if I want to include only a-f and 0-9 and discard everything else?
>>>
>>> So if a user supplies E97152C6CF1DD198DE95C7F2C2EF5EA0, do nothing.
>>> If a user supplies E97152C6CF1DD198DE9;hackcode; it is supposed to return E97152C6CF1DD198DE9accde.
>>>
>>> Is that possible with a single regex? Or will I have to cycle through the string, and replace every character that doesn't match [a-f]|[0-9] with nothing?
>>>
>>> Thanks!
>>> Mischa
>
> --
> Steven Ross
> web application interface developer
> http://www.zerium.com
> [phone] 404-488-4364

-------------------------------------------------------------
To unsubscribe from this list, manage your profile @ http://www.acfug.org?fa=login.edituserform
For more info, see http://www.acfug.org/mailinglists
Archive @ http://www.mail-archive.com/discussion%40acfug.org/
List hosted by http://www.fusionlink.com
-------------------------------------------------------------
Re: [ACFUG Discuss] Regex help
Steven beat me to that one. I was just typing that.

Also, it depends on how you implement your form as well. If you use HTML forms and a non-Flash form with regex validation, then you have JavaScript that can be turned off. Now if you implement a Flash form, I believe the validation stays internal and is not rendered as JavaScript. I believe the Flash form SWF validation cannot be turned off from the browser's VM. Correct me if I am wrong, Dean.

Teddy

On 8/7/06, Steven Ross [EMAIL PROTECTED] wrote:

> actually he would need this:
>
>     rereplace(string, "[^a-fA-F0-9]", "", "all");
>
> [...]
>
> --
> Steven Ross
> web application interface developer
> http://www.zerium.com
> [phone] 404-488-4364

--
cf_payne
http://cfpayne.wordpress.com/
Re: re[2]: [ACFUG Discuss] Regex help
Say you want to find your string and it's 10 to 12 characters in the hexadecimal character set. You can validate your data with:

    [A-F0-9]{10,12}

This will match any hexadecimal number with a minimum of 10 chars and a maximum of 12. It's a positive way of doing data validation on your string.

-dhs
Dean H. Saxe, CISSP, CEH
[EMAIL PROTECTED]

If liberty means anything at all, it means the right to tell people what they do not want to hear. -- George Orwell, 1945

On Aug 7, 2006, at 2:30 PM, Mischa Uppelschoten ext 10 wrote:

> Thanks! The piece that I was missing was the not (^) :)
>
> Dean, this expression
>
>     rereplace(mystring, "[^A-F0-9]", "", "all")
>
> filters out all the unwanted characters. What does {min},{max} do?
>
> Mischa.
>
> [...]
>
> Mischa Uppelschoten
> The Banker's Exchange, Inc.
> 2020 Hills Avenue NW
> Atlanta, GA 30318
> Phone: (404) 605-0100 ext. 10
> Fax: (404) 355-7930
> Web: www.BankersX.com
> Follow this link for Instant Web Chat: http://www.bankersx.com/Contact/chat.cfm?Queue=MUPPELSCHOTEN
Re: re[2]: [ACFUG Discuss] Regex help
I think what Dean is suggesting here is that it is wiser to validate both from the server and the client, the server validation being more reliable than the client. This is a well adopted paradigm and Dean helps us remember this.

Also, MITM = Man In The Middle, which is a type of attack that can be used to attack a web site as a way to change data that would alter the normal behavior of the application.

Dean is very security conscious through profession and paranoia, which is not a bad thing. In the normal development process, it is always recommended to consider ways that your application can be altered. For this given situation, one recommendation for removing the ability to perform a SQL injection attack is to use the cfqueryparam or cfprocparam tag when inserting data. These tags will throw exceptions if the datatypes do not match.

If this topic is of interest to other people, we should have Dean present application security again. I attended one of his presentations before at ACFUG and it was a good primer for many types of attacks.

Cheers

On 8/7/06, Dean H. Saxe [EMAIL PROTECTED] wrote:

> Say you want to find your string and it's 10 to 12 characters in the hexadecimal character set. You can validate your data with:
>
>     [A-F0-9]{10,12}
>
> This will match any hexadecimal number with a minimum of 10 chars and a maximum of 12. It's a positive way of doing data validation on your string.
>
> -dhs
> Dean H. Saxe, CISSP, CEH
> [EMAIL PROTECTED]
>
> [...]
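The strip-versus-validate distinction from the regex messages above (Dean's `[^A-F0-9]` replace and his `[A-F0-9]{min,max}` positive check, Steven's case-insensitive class, and the server-side point in the last message), as an added Python example that is not the list's ColdFusion code and not from any poster: `sanitize_hex` mirrors the `rereplace` call, `validate_hex` is the positive check anchored at both ends, and the two sample inputs are the thread's own, reused here as constructed test data.

```python
import re
from typing import Optional

# Constructed test data: the two inputs Mischa gave in the thread.
GOOD = "E97152C6CF1DD198DE95C7F2C2EF5EA0"
BAD = "E97152C6CF1DD198DE9;hackcode;"


def sanitize_hex(value: str, case_sensitive: bool = False) -> str:
    """Mirror rereplace(string, "[^A-F0-9]", "", "all").

    Strips every character outside the hex class and silently keeps the
    rest.  case_sensitive=True uses [^A-F0-9] (Dean's first regex);
    False uses [^a-fA-F0-9] (Steven's correction), which is what turns
    ";hackcode;" into the "accde" residue Mischa expected.
    """
    pattern = r"[^A-F0-9]" if case_sensitive else r"[^a-fA-F0-9]"
    return re.sub(pattern, "", value)


def validate_hex(value: str, min_len: int, max_len: int) -> bool:
    """Positive (allow-list) validation as Dean suggested: accept only if
    the WHOLE value is min_len..max_len upper-case hex digits, reject
    everything else.  fullmatch anchors the pattern at both ends; the
    bare [A-F0-9]{10,12} from the thread is not anchored on its own.
    """
    return re.fullmatch(rf"[A-F0-9]{{{min_len},{max_len}}}", value) is not None


def unanchored_match(value: str, min_len: int, max_len: int) -> bool:
    """The bare pattern used as a search: it finds a qualifying substring
    inside otherwise junk input, so it is not a usable validator."""
    return re.search(rf"[A-F0-9]{{{min_len},{max_len}}}", value) is not None


def process(value: str, min_len: int = 32, max_len: int = 32) -> Optional[str]:
    """Server-side handling: validate first and only then use the value.
    Returns the value on success and None on rejection; it never falls
    back to the sanitised form, which would be a different value than
    the user sent (and which still fails the length check here)."""
    if not validate_hex(value, min_len, max_len):
        return None
    return value


if __name__ == "__main__":
    print("strip (case-insensitive):", sanitize_hex(BAD))
    print("strip (case-sensitive):  ", sanitize_hex(BAD, case_sensitive=True))
    print("validate good:", process(GOOD))
    print("validate bad: ", process(BAD))
    print("unanchored search on bad input:", unanchored_match(BAD, 10, 12))
```

Run as a script it shows the stripped value changing under the two character classes while the validator rejects both the raw and the stripped junk input.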
RE: [ACFUG Discuss] Change Management Options Debate.
Jeremy, do you have a blog? That would make a great blog post. Of course, you could point folks to do a Google search where they'd find still others who've taken the time to write. But at least for CF folks, they may appreciate hearing of your experience/opinion.

/charlie
http://www.carehart.org/blog/

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Jeremy Allen
Sent: Monday, August 07, 2006 3:48 PM
To: discussion@acfug.org
Subject: Re: [ACFUG Discuss] Change Management Options Debate.

> The points for SVN go like this:
>
> Versioning is much more sane and manageable. When I first started using SVN it was much more bearable to me. Your entire codebase can be encapsulated in one SVN version number instead of each file having its own version. When I say version 543 of the codebase with SVN there is no ambiguity about the state of the system when I say that. CVS has no easy concept of referring to the contents of the repository as a whole with a version number. That to me is what makes SVN so much better.
>
> SVN is easier to manage. This is a personal opinion but my experiences bear this one out. The command line for SVN is much more intuitive.
>
> SVN allows for you to delete and rearrange branches. This is HUGE. Deleting folders in CVS is plain not possible. CVS's delete functionality is just lacking in every way.
>
> Directories have revision numbers too. Everything in the system behaves consistently and there are no surprises or differences to deal with different types of entities in the system as there is with CVS.
>
> SVN has no special functionality for branching, merging, or tagging. It is all implemented using the same functionality so how you arrange your repository is up to you. The cost of these operations in SVN is constant O(1) which is great compared to CVS and its slowness with many of these operations, especially on larger codebases.
>
> That is all I can remember off the top of my head. I know there are a couple of other good points somewhere in there that favor SVN. Sure a lot of these are small things but add them up and it makes SVN much better to work with. So if you are starting from scratch why bother with CVS? Unless you have very specific interoperability requirements or you are already really experienced with CVS from a management perspective I recommend using SVN. It's not just about solving "issues" with CVS. The system is also a bit more cohesive overall. And I promise you that with a team of 10 developers that consistently write code every week you WILL have to deal with these "issues" in CVS. They are common and frequently annoying problems not just edge case things that come up once in a while.
>
> That said if you already have a lot of experience with CVS or have some specific requirements SVN may not work out. If this is starting from scratch and you have not managed CVS or SVN before SVN wins quite easily in my mind. Why use an inferior system if you have no requirements holding you to it?
>
> Jeremy
>
> On 8/6/06, Charlie Arehart [EMAIL PROTECTED] wrote:
>
>> And a good book of exploration (which also discusses the differences and benefits over CVS) is "Pragmatic Version Control with Subversion", which I have obtained from the publisher and am one chapter from finishing and then will write up a review. Someone else had asked me at the meeting about borrowing it, but after him, you could take it, Doug. Sounds like you're in no hurry, right? :-)
>>
>> /charlie
>> http://www.carehart.org/blog/
>>
>> -----Original Message-----
>> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Cameron Childress
>> Sent: Sunday, August 06, 2006 4:00 PM
>> To: discussion@acfug.org
>> Subject: Re: [ACFUG Discuss] Change Management Options Debate.
>>
>>> On 8/6/06, Douglas Knudsen [EMAIL PROTECTED] wrote:
>>>
>>>> righto. So, in a team of 10 developers that don't seem to run into these 'issues' in CVS that SVN solves, it doesn't seem very economical to go through changing, eh?
>>>
>>> All things held equal, I'm always a proponent of using the tools your team is most familiar and proficient at. If there aren't any compelling reasons for you to change, then don't. It's just like the age-old CF vs [insert other language here] argument. No reason to change horses midstream if both horses get you there just fine, and the development teams know one better than the other. If it ain't broke, don't fix it.
>>>
>>> I would, however, thoroughly explore the differences and advantages of one over the other before dismissing it. Once that due diligence is over, make the educated decision.
>>>
>>> -Cameron
RE: [ACFUG Discuss] Change Management Options Debate.
This would be a good subject for a Wednesday meeting! I know I could use a primer!

Robert P. Reil
Managing Director, Motorcyclecarbs.com, Inc.
4292 Country Garden Walk NW
Kennesaw, Ga. 30152
Office 770-974-8851
Fax 770-974-8852
www.motorcyclecarbs.com

From: Douglas Knudsen [mailto:[EMAIL PROTECTED]]
Sent: Monday, August 07, 2006 8:42 PM
To: discussion@acfug.org
Subject: Re: [ACFUG Discuss] Change Management Options Debate.

> thank you Jeremy! As Charlie pointed out, it would be a good blog post to get consumed. Robert, we kind of hijacked your thread, but this is some good fudge for your version control sundae you will be eating! I made a couple of in-line comments below.
>
> I'll add one thing I really hate about CVS: you can't export a module from the repository to an existing directory where you exported the module previously. CVS will not overwrite files. This forced us to checkout working copies on our prod server. No biggie, we are an intranet-only team, but a pain.
>
> DK
>
> On 8/7/06, Jeremy Allen [EMAIL PROTECTED] wrote:
>
>> The points for SVN go like this:
>>
>> Versioning is much more sane and manageable. When I first started using SVN it was much more bearable to me. Your entire codebase can be encapsulated in one SVN version number instead of each file having its own version. When I say version 543 of the codebase with SVN there is no ambiguity about the state of the system when I say that. CVS has no easy concept of referring to the contents of the repository as a whole with a version number. That to me is what makes SVN so much better.
>
> We use tags in CVS for this. Works fine, but certainly doesn't tie in with the version of a file. This is an interesting concept. This means a file that was created as the first file in your tree and never edited for 5 years still has the version listed at the max of all file versions, eh?
>
>> SVN is easier to manage. This is a personal opinion but my experiences bear this one out. The command line for SVN is much more intuitive.
>>
>> SVN allows for you to delete and rearrange branches. This is HUGE. Deleting folders in CVS is plain not possible. CVS's delete functionality is just lacking in every way.
>
> yes, this is a major PITA for sure in CVS. Most clients hide this issue by 'pruning' empty dirs.
>
>> Directories have revision numbers too. Everything in the system behaves consistently and there are no surprises or differences to deal with different types of entities in the system as there is with CVS.
>>
>> SVN has no special functionality for branching, merging, or tagging. It is all implemented using the same functionality so how you arrange your repository is up to you. The cost of these operations in SVN is constant O(1) which is great compared to CVS and its slowness with many of these operations, especially on larger codebases.
>
> branching and merging is a major PITA, luckily we rarely do it. The team of 10 here usually works on separate projects.
>
>> That is all I can remember off the top of my head. I know there are a couple of other good points somewhere in there that favor SVN. Sure a lot of these are small things but add them up and it makes SVN much better to work with. So if you are starting from scratch why bother with CVS? Unless you have very specific interoperability requirements or you are already really experienced with CVS from a management perspective I recommend using SVN. It's not just about solving issues with CVS. The system is also a bit more cohesive overall. And I promise you that with a team of 10 developers that consistently write code every week you WILL have to deal with these issues in CVS. They are common and frequently annoying problems not just edge case things that come up once in a while.
>>
>> That said if you already have a lot of experience with CVS or have some specific requirements SVN may not work out. If this is starting from scratch and you have not managed CVS or SVN before SVN wins quite easily in my mind. Why use an inferior system if you have no requirements holding you to it?
>>
>> Jeremy
>>
>> [...]