Re: [ACFUG Discuss] Regex help

2006-08-07 Thread Dean H. Saxe

Not if his string is case-sensitive, which it appears to be.

-dhs


Dean H. Saxe, CISSP, CEH
[EMAIL PROTECTED]
[T]he people can always be brought to the bidding of the leaders.  
This is easy. All you have to do is to tell them they are being  
attacked, and denounce the pacifists for lack of patriotism and  
exposing the country to danger. It works the same in every country.

--Hermann Goering, Hitler's Reich-Marshall at the Nuremberg Trials


On Aug 7, 2006, at 12:45 PM, Steven Ross wrote:


actually he would need this:

rereplace(string, "[^a-fA-F0-9]", "", "all");

On 8/7/06, Dean H. Saxe [EMAIL PROTECTED] wrote:

rereplace(string, "[^A-F0-9]", "", "all");


But if you're trying to do data validation, why wouldn't you throw
out any data that doesn't match the regex [A-F0-9]{min,max}?

-dhs


Dean H. Saxe, CISSP, CEH
[EMAIL PROTECTED]
If liberty means anything at all, it means the right to tell people
what they do not want to hear.
 -- George Orwell, 1945


On Aug 7, 2006, at 12:29 PM, Mischa Uppelschoten ext 10 wrote:

 I can figure out how to remove a number of disallowed characters
 from a string, but what if I want to include only a-f and 0-9 and
 discard everything else?

 so if a user supplies: E97152C6CF1DD198DE95C7F2C2EF5EA0, do nothing
 if a user supplies E97152C6CF1DD198DE9;hackcode;

 it is supposed to return: E97152C6CF1DD198DE9accde

 Is that possible with a single regex? Or will I have to cycle
 through the string, and replace every character that doesn't match
 [a-f]|[0-9] with nothing?

 Thanks!
 Mischa,



 -
 To unsubscribe from this list, manage your profile @
 http://www.acfug.org?fa
 For more info, see http://www.acfug.org/mailinglists
 Archive @ http://www.mail-archive.com/discussion%40acfug.org/
 List hosted by http://www.fusionlink.com
-

--
Steven Ross
web application  interface developer
http://www.zerium.com
[phone] 404-488-4364
Re: [ACFUG Discuss] Regex help

2006-08-07 Thread Teddy Payne
Steven beat me to that one. I was just typing that. Also, it depends on how you implement your form as well. If you use HTML forms and non-flash form with regex validation, then you have _javascript_ that can be turned off. Now if you implement a flash form, I believe the validation stays internal and not rendered as _javascript_. I believe the flash form SWF validation cannot be turned off from the browser's VM.
Correct me if I am wrong Dean.

Teddy

On 8/7/06, Steven Ross [EMAIL PROTECTED] wrote:

 actually he would need this:

 rereplace(string, "[^a-fA-F0-9]", "", "all");
-- cf_payne / http://cfpayne.wordpress.com/



Re: re[2]: [ACFUG Discuss] Regex help

2006-08-07 Thread Dean H. Saxe
Say you want to find your string and it's 10 to 12 characters in the
hexadecimal character set. You can validate your data with:

[A-F0-9]{10,12}

This will match any hexadecimal number with a minimum of 10 chars and
a maximum of 12. It's a positive way of doing data validation on your
string.


-dhs


Dean H. Saxe, CISSP, CEH
[EMAIL PROTECTED]
If liberty means anything at all, it means the right to tell people  
what they do not want to hear.

-- George Orwell, 1945


On Aug 7, 2006, at 2:30 PM, Mischa Uppelschoten ext 10 wrote:


Thanks! The piece that I was missing was the not (^) :)


Dean, this expression rereplace(mystring, "[^A-F0-9]", "", "all")
filters out all the unwanted characters. What does {min},{max} do?

Mischa.





Mischa Uppelschoten
The Banker's Exchange, Inc.
2020 Hills Avenue NW
Atlanta, GA  30318

Phone:(404) 605-0100 ext. 10
Fax:(404) 355-7930
Web:www.BankersX.com
Follow this link for Instant Web Chat:
http://www.bankersx.com/Contact/chat.cfm?Queue=MUPPELSCHOTEN
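As an added example that is not part of this thread (written in Python rather than the ColdFusion rereplace() the posters use), the two approaches discussed above side by side, run on the original poster's own sample inputs: the negative filter that strips everything outside the hex alphabet, and Dean's positive check that the whole value is 10 to 12 hex digits. The function names, the uppercase_only switch and the unanchored contains_hex_run() comparison are this example's own, not anything from the thread.

```python
import re

# Constructed sample inputs, taken from the original poster's examples:
# a 32-character hex string, and the same prefix with junk appended.
GOOD_INPUT = "E97152C6CF1DD198DE95C7F2C2EF5EA0"
BAD_INPUT = "E97152C6CF1DD198DE9;hackcode;"


def strip_non_hex(value: str, uppercase_only: bool = False) -> str:
    """Negative filter: drop every character outside the hex alphabet.

    Mirrors rereplace(string, "[^a-fA-F0-9]", "", "all"). With
    uppercase_only=True it mirrors the [^A-F0-9] variant, which also
    discards lowercase hex digits (Dean's case-sensitivity remark).
    """
    alphabet = "A-F0-9" if uppercase_only else "a-fA-F0-9"
    return re.sub(rf"[^{alphabet}]", "", value)


def hex_pattern(min_len: int, max_len: int, uppercase_only: bool = False) -> re.Pattern:
    """Build the positive pattern [A-F0-9]{min,max} from the thread."""
    alphabet = "A-F0-9" if uppercase_only else "a-fA-F0-9"
    return re.compile(rf"[{alphabet}]{{{min_len},{max_len}}}")


def is_valid_hex(value: str, min_len: int, max_len: int) -> bool:
    """Positive validation: the WHOLE string must be min..max hex digits.

    fullmatch pins both ends of the string. Without anchoring, a pattern
    like [A-F0-9]{10,12} also succeeds on input that merely contains a
    run of hex digits somewhere (see contains_hex_run below).
    """
    return hex_pattern(min_len, max_len).fullmatch(value) is not None


def contains_hex_run(value: str, min_len: int, max_len: int) -> bool:
    """The unanchored check: true whenever a hex run of that length occurs
    anywhere in the string, even when junk surrounds it."""
    return hex_pattern(min_len, max_len).search(value) is not None


def accept_hex(value: str, min_len: int, max_len: int) -> str:
    """Reject rather than repair: return the input unchanged if it validates,
    otherwise raise instead of silently handing on a mangled value."""
    if not is_valid_hex(value, min_len, max_len):
        raise ValueError(f"expected {min_len}-{max_len} hex digits, got {value!r}")
    return value


if __name__ == "__main__":
    # Stripping turns the junk into the "accde" tail the poster described.
    print(strip_non_hex(BAD_INPUT))                       # E97152C6CF1DD198DE9accde
    print(strip_non_hex(BAD_INPUT, uppercase_only=True))  # E97152C6CF1DD198DE9
    print(is_valid_hex(GOOD_INPUT, 32, 32))               # True
    print(is_valid_hex(BAD_INPUT, 10, 12))                # False
    print(contains_hex_run(BAD_INPUT, 10, 12))            # True: 'E97152C6CF1D' is a 12-digit run
    try:
        accept_hex(BAD_INPUT, 10, 12)
    except ValueError as err:
        print("rejected:", err)
```

The strip approach quietly turns ";hackcode;" into the "accde" tail the original poster expected, so the caller can no longer tell a clean value from a tampered one; the positive check rejects the tampered input outright. The contains_hex_run() call shows why the pattern needs anchoring in whatever engine you use: an unanchored [A-F0-9]{10,12} still "matches" the bad input because twelve consecutive hex digits occur inside it.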



Re: re[2]: [ACFUG Discuss] Regex help

2006-08-07 Thread Teddy Payne
I think what Dean is suggesting here is that it is wiser to validate both from the server and the client. The server validation being more reliable than the client. This is a well adopted paradigm and Dean helps us remember this.

Also, MITM = Man In The Middle, which is a type of attack that can be used to attack a web site as a way to change data that would alter the normal behavior of the application.

Dean is very security conscious through profession and paranoia, which is not a bad thing. In the normal development process, it is always recommended to consider ways that your application can be altered.

For this given situation, one recommendation for removing the ability to perform a SQL injection attack is to use the cfqueryparam or cfprocparam tag when inserting data. These tags will throw exceptions if the datatypes do not match.

If this topic is of interest to other people, we should have Dean present application security again. I attended one of his presentations before at ACFUG and it was a good primer for many types of attacks.
Cheers

On 8/7/06, Dean H. Saxe [EMAIL PROTECTED] wrote:

 Say you want to find your string and it's 10 to 12 characters in the
 hexadecimal character set. You can validate your data with:

 [A-F0-9]{10,12}

 This will match any hexadecimal number with a minimum of 10 chars and
 a maximum of 12. It's a positive way of doing data validation on your
 string.

 -dhs

RE: [ACFUG Discuss] Change Management Options Debate.

2006-08-07 Thread Charlie Arehart



Jeremy, do you have a blog? That would make a great blog 
post. Of course, you could point folks to do a google search where they'd find 
still others who've taken the time to write. But at least for CF folks, they may 
appreciate hearing of your experience/opinion.

/charlie
http://www.carehart.org/blog/



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Jeremy Allen
Sent: Monday, August 07, 2006 3:48 PM
To: discussion@acfug.org
Subject: Re: [ACFUG Discuss] Change Management Options Debate.

The points for SVN go like this:

Versioning is much more sane and manageable. When I first started using SVN it
was much more bearable to me. Your entire codebase can be encapsulated in one
SVN version number instead of each file having its own version. When I say
version 543 of the codebase with SVN there is no ambiguity about the state of
the system when I say that. CVS has no easy concept of referring to the
contents of the repository as a whole with a version number. That to me is
what makes SVN so much better.

SVN is easier to manage. This is a personal opinion but my experiences bear
this one out. The command line for SVN is much more intuitive.

SVN allows for you to delete and rearrange branches. This is HUGE. Deleting
folders in CVS is plain not possible. CVS's delete functionality is just
lacking in every way.

Directories have revision numbers too. Everything in the system behaves
consistently and there are no surprises or differences to deal with
different types of entities in the system as there is with CVS.

SVN has no special functionality for branching, merging, or tagging. It is all
implemented using the same functionality so how you arrange your repository is
up to you. The cost of these operations in SVN is constant O(1) which is great
compared to CVS and its slowness with many of these operations, especially on
larger codebases.

That is all I can remember off the top of my head. I know there are a couple
of other good points somewhere in there that favor SVN. Sure a lot of these
are small things but add them up and it makes SVN much better to work with.
So if you are starting from scratch why bother with CVS? Unless you have very
specific interoperability requirements or you are already really experienced
with CVS from a management perspective I recommend using SVN. It's not just
about solving "issues" with CVS. The system is also a bit more cohesive
overall. And I promise you that with a team of 10 developers that
consistently write code every week you WILL have to deal with these "issues"
in CVS. They are common and frequently annoying problems not just edge case
things that come up once in a while.

That said if you already have a lot of experience with CVS or have some
specific requirements SVN may not work out. If this is starting from scratch
and you have not managed CVS or SVN before SVN wins quite easily in my mind.
Why use an inferior system if you have no requirements holding you to it?

Jeremy

On 8/6/06, Charlie Arehart [EMAIL PROTECTED] wrote:

  And a good book of exploration (which also discusses the differences
  and benefits over CVS) is "Pragmatic Version Control with Subversion",
  which I have obtained from the publisher and am one chapter from finishing
  and then will write up a review. Someone else had asked me at the meeting
  about borrowing it, but after him, you could take it, Doug. Sounds like
  you're in no hurry, right? :-)

  /charlie
  http://www.carehart.org/blog/

  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
  Cameron Childress
  Sent: Sunday, August 06, 2006 4:00 PM
  To: discussion@acfug.org
  Subject: Re: [ACFUG Discuss] Change Management Options Debate.

  On 8/6/06, Douglas Knudsen [EMAIL PROTECTED] wrote:
   righto. So, in a team of 10 developers that don't seem to run into these
   'issues' in CVS that SVN solves, it doesn't seem very economical to go
   through changing, eh?

  All things held equal, I'm always a proponent of using the tools your team
  is most familiar and proficient at. If there aren't any compelling reasons
  for you to change, then don't. It's just like the age old CF vs [insert
  other language here] argument. No reason to change horses midstream if
  both horses get you there just fine, and the development teams know one
  better than the other. If it ain't broke, don't fix it.

  I would, however, thoroughly explore the differences and advantages of one
  over the other before dismissing it. Once that due diligence is over, make
  the educated decision.

  -Cameron
  

RE: [ACFUG Discuss] Change Management Options Debate.

2006-08-07 Thread Robert Reil

This would be a good subject for a Wednesday meeting! I know I could use a primer!

Robert P. Reil
Managing Director,
Motorcyclecarbs.com, Inc.
4292 Country Garden Walk NW
Kennesaw, Ga. 30152
Office 770-974-8851
Fax 770-974-8852
www.motorcyclecarbs.com

From: Douglas Knudsen [mailto:[EMAIL PROTECTED]]
Sent: Monday, August 07, 2006 8:42 PM
To: discussion@acfug.org
Subject: Re: [ACFUG Discuss] Change Management Options Debate.

thank you Jeremy!
As Charlie pointed out, it would be a good blog post to get consumed.

Robert, we kind of hijacked your thread, but this is some good fudge for your
version control sundae you will be eating!

I made a couple in line comments below.

I'll add one thing I really hate about CVS, you can't export a module from the
repository to an existing directory where you exported the module
previously. CVS will not overwrite files. This forced us to
checkout working copies on our prod server. No biggie, we are an intranet
only team, but a pain.

DK

On 8/7/06, Jeremy Allen [EMAIL PROTECTED] wrote:

 The points for SVN go like this:

 Versioning is much more sane and manageable. When I first started using SVN it
 was much more bearable to me. Your entire codebase can be encapsulated in one
 SVN version number instead of each file having its own version. When I say
 version 543 of the codebase with SVN there is no ambiguity about the state of
 the system when I say that. CVS has no easy concept of referring to the
 contents of the repository as a whole with a version number. That to me is what
 makes SVN so much better.

We use tags in CVS for this. Works fine, but certainly doesn't tie in
with the version of a file. This is an interesting concept. This
means a file that was created as the first file in your tree and never edited
for 5 years still has the version listed at the max of all file versions, eh?

 SVN is easier to manage. This is a personal opinion but my experiences
 bear this one out. The command line for SVN is much more intuitive.

 SVN allows for you to delete and rearrange branches. This is HUGE. Deleting
 folders in CVS is plain not possible. CVS's delete functionality is just lacking
 in every way.

yes, this is a major PITA for sure in CVS. Most clients hide this issue
by 'pruning' empty dirs.

 Directories have revision numbers too. Everything in the system behaves
 consistently and there are no surprises or differences to deal with
 different types of entities in the system as there is with CVS.

 SVN has no special functionality for branching, merging, or tagging. It is all
 implemented using the same functionality so how you arrange your repository is
 up to you. The cost of these operations in SVN is constant O(1) which is great
 compared to CVS and its slowness with many of these operations, especially on
 larger codebases.

branching and merging is a major PITA, luckily we rarely do it. The team
of 10 here usually works on separate projects.

 That is all I can remember off the top of my head. I know there are a
 couple of other good points somewhere in there that favor SVN. Sure a lot of
 these are small things but add them up and it makes SVN much better to work
 with. So if you are starting from scratch why bother with CVS? Unless you have
 very specific interoperability requirements or you are already really
 experienced with CVS from a management perspective I recommend using SVN. It's
 not just about solving "issues" with CVS. The system is also a bit
 more cohesive overall. And I promise you that with a team of 10 developers that
 consistently write code every week you WILL have to deal with these "issues"
 in CVS. They are common and frequently annoying problems not just edge case
 things that come up once in a while.

 That said if you already have a lot of experience with CVS or have some
 specific requirements SVN may not work out. If this is starting from scratch
 and you have not managed CVS or SVN before SVN wins quite easily in my mind.
 Why use an inferior system if you have no requirements holding you to it?

 Jeremy

On 8/6/06, Charlie Arehart [EMAIL PROTECTED] wrote:

 And a good book of exploration (which also discusses the differences and
 benefits over CVS) is "Pragmatic Version Control with Subversion", which I
 have obtained from the publisher and am one chapter from finishing and then
 will write up a review. Someone else had asked me at the meeting about
 borrowing it, but after him, you could take it, Doug. Sounds like you're in
 no hurry, right? :-)

 /charlie
 http://www.carehart.org/blog/

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Cameron Childress
 Sent: Sunday, August 06, 2006 4:00 PM
 To: discussion@acfug.org
 Subject: Re: [ACFUG Discuss] Change Management Options Debate.

 On 8/6/06, Douglas Knudsen [EMAIL PROTECTED] wrote:
  righto. So, in a team of 10 developers that don't seem to run into
  these 'issues' in CVS that SVN