RE: re[2]: [ACFUG Discuss] Regex help
Awesome suggestions, thanks for all the info. Will be visiting Barnes
and Nobles this weekend to see what they in stock. :-)
Thanks
JLW
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Charlie
Arehart
Sent: Thursday, August 10, 2006 11:29
To: discussion@acfug.org
Subject: RE: re[2]: [ACFUG Discuss] Regex help
Yes, Ben Forta did "Teach Yourself Regular Expressions In 10 Minutes"
and I
can recommend it. There are also many resources available online. Just
google "regular expressions" and the first few that come up look quite
good.
There are also many tools that can help you build regular expressions
easily. I'll make note to create a resource listing many of them
(someday),
if someone doesn't already know of one.
/charlie
http://www.carehart.org/blog/
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean H. Saxe
Sent: Thursday, August 10, 2006 11:09 AM
To: discussion@acfug.org
Subject: Re: re[2]: [ACFUG Discuss] Regex help
Jason,
First start with one of the RegEx in 10 minutes a day type books. I
think
there is one from Sams Publishing. If you want to be a serious geek,
Regular Expressions by Jeffrey Friedl from O'Reilly rocks.
-dhs
Dean H. Saxe, CISSP, CEH
[EMAIL PROTECTED]
"If liberty means anything at all, it means the right to tell people
what
they do not want to hear."
-- George Orwell, 1945
On Aug 10, 2006, at 10:58 AM, West, Jason wrote:
> OT: Can you all suggest a good book that would give a better
> understanding on regular expression programming?
>
>
>
> Thanks
>
>
>
> JLW
>
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Teddy
> Payne
> Sent: Monday, August 07, 2006 15:52
> To: discussion@acfug.org
> Subject: Re: re[2]: [ACFUG Discuss] Regex help
>
>
>
> I think what Dean is suggesting here is that it is wiser to validate
> both from the server and the client. The server validation being more
> reliable than the client. This is a well adopted paradigm and Dean
> helps us remember this.
>
> Also, MITM = Man In The Middle, which is a type of attack that can be
> used to attack a web site as a way to change data that would alter the
> normal behavior of the application.
>
> Dean is very security conscious through profession and paranoia, which
> is not a bad thing. In the normal development process, it is always
> recommended to consider ways that your application can be altered.
>
> For this given situation, one recommendation for removing the ability
> to perform a SQL injection attack is to use the or
> tag when inserting data. These tags will throw
> exceptions if the datatypes do not match.
>
> If this topic is of interest to other people, we should have Dean
> present application security again. I attended oen of his
> presentation before at ACFUG and it was a good primer for many types
> of attacks.
>
> Cheers
>
>
> On 8/7/06, Dean H. Saxe <[EMAIL PROTECTED]> wrote:
>
> Say you want to find your string and its 10 to 12 characters in the
> hexadecimal character set. You can validate your data with:
>
> [A-F0-9]{10,12}
>
> This will match any hexadecimal number with a minimum of 10 chars and
> a maximum of 12. Its a positive way of doing data validation on your
> string.
>
> -dhs
>
>
> Dean H. Saxe, CISSP, CEH
> [EMAIL PROTECTED]
> "If liberty means anything at all, it means the right to tell people
> what they do not want to hear."
> -- George Orwell, 1945
>
>
> On Aug 7, 2006, at 2:30 PM, Mischa Uppelschoten ext 10 wrote:
>
> > Thanks! The piece that I was missing was the not (^) :)
> >
> >
> > Dean, this expression rereplace(mystring, "[^A-F0-9]", "", "all")
> > filters out all the unwanted characters. What does "{min},{max}" do?
> > Mischa.
> >
> >
> >
> >
> >> actually he would need this:
> >
> > rereplace(string, "[^a-fA-F0-9]", "", all);
> >
> >
> > On 8/7/06, Dean H. Saxe < [EMAIL PROTECTED]> wrote:
> > rereplace(string, "[^A-F0-9]", "", all);
> >
> > But if you're trying to do data validation, why wouldn't you throw
> > out any data that doesn't match the regex [A-F0-9]{min,max}?
> >
> > -dhs
> >
> >
> > Dean H. Saxe, CISSP, CEH
> > [EMAIL PROTECTED]
> > "If liberty means anything at all, it means the right to tell people
> > what they do not want to hear."
> > -- George Orwell, 1945
> >
> >
> > On Aug 7, 2006, at 12:29 PM, Mischa Uppelschoten ext 10
Re: re[2]: [ACFUG Discuss] Regex help
The RegEx Coach http://weitz.de/regex-coach/
-dhs
Dean H. Saxe, CISSP, CEH
[EMAIL PROTECTED]
"Dissent is the purest form of patriotism."
--Thomas Jefferson
On Aug 10, 2006, at 11:29 AM, Charlie Arehart wrote:
Yes, Ben Forta did "Teach Yourself Regular Expressions In 10
Minutes" and I
can recommend it. There are also many resources available online. Just
google "regular expressions" and the first few that come up look
quite good.
There are also many tools that can help you build regular expressions
easily. I'll make note to create a resource listing many of them
(someday),
if someone doesn't already know of one.
/charlie
http://www.carehart.org/blog/
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean H.
Saxe
Sent: Thursday, August 10, 2006 11:09 AM
To: discussion@acfug.org
Subject: Re: re[2]: [ACFUG Discuss] Regex help
Jason,
First start with one of the RegEx in 10 minutes a day type books.
I think
there is one from Sams Publishing. If you want to be a serious geek,
Regular Expressions by Jeffrey Friedl from O'Reilly rocks.
-dhs
Dean H. Saxe, CISSP, CEH
[EMAIL PROTECTED]
"If liberty means anything at all, it means the right to tell
people what
they do not want to hear."
-- George Orwell, 1945
On Aug 10, 2006, at 10:58 AM, West, Jason wrote:
OT: Can you all suggest a good book that would give a better
understanding on regular expression programming?
Thanks
JLW
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Teddy
Payne
Sent: Monday, August 07, 2006 15:52
To: discussion@acfug.org
Subject: Re: re[2]: [ACFUG Discuss] Regex help
I think what Dean is suggesting here is that it is wiser to validate
both from the server and the client. The server validation being
more
reliable than the client. This is a well adopted paradigm and Dean
helps us remember this.
Also, MITM = Man In The Middle, which is a type of attack that can be
used to attack a web site as a way to change data that would alter
the
normal behavior of the application.
Dean is very security conscious through profession and paranoia,
which
is not a bad thing. In the normal development process, it is always
recommended to consider ways that your application can be altered.
For this given situation, one recommendation for removing the ability
to perform a SQL injection attack is to use the or
tag when inserting data. These tags will throw
exceptions if the datatypes do not match.
If this topic is of interest to other people, we should have Dean
present application security again. I attended oen of his
presentation before at ACFUG and it was a good primer for many types
of attacks.
Cheers
On 8/7/06, Dean H. Saxe <[EMAIL PROTECTED]> wrote:
Say you want to find your string and its 10 to 12 characters in the
hexadecimal character set. You can validate your data with:
[A-F0-9]{10,12}
This will match any hexadecimal number with a minimum of 10 chars and
a maximum of 12. Its a positive way of doing data validation on your
string.
-dhs
Dean H. Saxe, CISSP, CEH
[EMAIL PROTECTED]
"If liberty means anything at all, it means the right to tell people
what they do not want to hear."
-- George Orwell, 1945
On Aug 7, 2006, at 2:30 PM, Mischa Uppelschoten ext 10 wrote:
Thanks! The piece that I was missing was the not (^) :)
Dean, this expression rereplace(mystring, "[^A-F0-9]", "", "all")
filters out all the unwanted characters. What does "{min},{max}" do?
Mischa.
actually he would need this:
rereplace(string, "[^a-fA-F0-9]", "", all);
On 8/7/06, Dean H. Saxe < [EMAIL PROTECTED]> wrote:
rereplace(string, "[^A-F0-9]", "", all);
But if you're trying to do data validation, why wouldn't you throw
out any data that doesn't match the regex [A-F0-9]{min,max}?
-dhs
Dean H. Saxe, CISSP, CEH
[EMAIL PROTECTED]
"If liberty means anything at all, it means the right to tell people
what they do not want to hear."
-- George Orwell, 1945
On Aug 7, 2006, at 12:29 PM, Mischa Uppelschoten ext 10 wrote:
I can figure out how to remove a number of disallowed characters
from a string, but what if I want to include only a-f and 0-9 and
discard everything else?
so if a user supplies: E97152C6CF1DD198DE95C7F2C2EF5EA0, do nothing
if a user supplies E97152C6CF1DD198DE9;hackcode;
it is supposed to return: E97152C6CF1DD198DE9accde
Is that possible with a single regex? Or will I have to cycle
through the string, and replace every character that doesn't match
[a-f]|[0-9] with nothing?
Thanks!
Mischa,
-
To unsubscribe from this list, manage your pr
RE: re[2]: [ACFUG Discuss] Regex help
Yes, Ben Forta did "Teach Yourself Regular Expressions In 10 Minutes" and I
can recommend it. There are also many resources available online. Just
google "regular expressions" and the first few that come up look quite good.
There are also many tools that can help you build regular expressions
easily. I'll make note to create a resource listing many of them (someday),
if someone doesn't already know of one.
/charlie
http://www.carehart.org/blog/
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean H. Saxe
Sent: Thursday, August 10, 2006 11:09 AM
To: discussion@acfug.org
Subject: Re: re[2]: [ACFUG Discuss] Regex help
Jason,
First start with one of the RegEx in 10 minutes a day type books. I think
there is one from Sams Publishing. If you want to be a serious geek,
Regular Expressions by Jeffrey Friedl from O'Reilly rocks.
-dhs
Dean H. Saxe, CISSP, CEH
[EMAIL PROTECTED]
"If liberty means anything at all, it means the right to tell people what
they do not want to hear."
-- George Orwell, 1945
On Aug 10, 2006, at 10:58 AM, West, Jason wrote:
> OT: Can you all suggest a good book that would give a better
> understanding on regular expression programming?
>
>
>
> Thanks
>
>
>
> JLW
>
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Teddy
> Payne
> Sent: Monday, August 07, 2006 15:52
> To: discussion@acfug.org
> Subject: Re: re[2]: [ACFUG Discuss] Regex help
>
>
>
> I think what Dean is suggesting here is that it is wiser to validate
> both from the server and the client. The server validation being more
> reliable than the client. This is a well adopted paradigm and Dean
> helps us remember this.
>
> Also, MITM = Man In The Middle, which is a type of attack that can be
> used to attack a web site as a way to change data that would alter the
> normal behavior of the application.
>
> Dean is very security conscious through profession and paranoia, which
> is not a bad thing. In the normal development process, it is always
> recommended to consider ways that your application can be altered.
>
> For this given situation, one recommendation for removing the ability
> to perform a SQL injection attack is to use the or
> tag when inserting data. These tags will throw
> exceptions if the datatypes do not match.
>
> If this topic is of interest to other people, we should have Dean
> present application security again. I attended oen of his
> presentation before at ACFUG and it was a good primer for many types
> of attacks.
>
> Cheers
>
>
> On 8/7/06, Dean H. Saxe <[EMAIL PROTECTED]> wrote:
>
> Say you want to find your string and its 10 to 12 characters in the
> hexadecimal character set. You can validate your data with:
>
> [A-F0-9]{10,12}
>
> This will match any hexadecimal number with a minimum of 10 chars and
> a maximum of 12. Its a positive way of doing data validation on your
> string.
>
> -dhs
>
>
> Dean H. Saxe, CISSP, CEH
> [EMAIL PROTECTED]
> "If liberty means anything at all, it means the right to tell people
> what they do not want to hear."
> -- George Orwell, 1945
>
>
> On Aug 7, 2006, at 2:30 PM, Mischa Uppelschoten ext 10 wrote:
>
> > Thanks! The piece that I was missing was the not (^) :)
> >
> >
> > Dean, this expression rereplace(mystring, "[^A-F0-9]", "", "all")
> > filters out all the unwanted characters. What does "{min},{max}" do?
> > Mischa.
> >
> >
> >
> >
> >> actually he would need this:
> >
> > rereplace(string, "[^a-fA-F0-9]", "", all);
> >
> >
> > On 8/7/06, Dean H. Saxe < [EMAIL PROTECTED]> wrote:
> > rereplace(string, "[^A-F0-9]", "", all);
> >
> > But if you're trying to do data validation, why wouldn't you throw
> > out any data that doesn't match the regex [A-F0-9]{min,max}?
> >
> > -dhs
> >
> >
> > Dean H. Saxe, CISSP, CEH
> > [EMAIL PROTECTED]
> > "If liberty means anything at all, it means the right to tell people
> > what they do not want to hear."
> > -- George Orwell, 1945
> >
> >
> > On Aug 7, 2006, at 12:29 PM, Mischa Uppelschoten ext 10 wrote:
> >
> >> I can figure out how to remove a number of disallowed characters
> >> from a string, but what if I want to include only a-f and 0-9 and
> >> discard everything else?
> >>
> >> so if a user supplies: E97152C6CF1DD198DE95C7F2C2EF5EA0, do nothing
> >> if a user supplies E97152C6CF
Re: re[2]: [ACFUG Discuss] Regex help
http://www.amazon.com/gp/product/0672325667/002-0166281-3017656?v=glance&n=283155
On 8/10/06, Steven Ross <[EMAIL PROTECTED]> wrote:
I liked the sams teach yourself regex book written by ben forta. Basic primer and good examples.On 8/10/06,
West, Jason <
[EMAIL PROTECTED]> wrote:
OT: Can you all suggest a good book that
would give a better understanding on regular _expression_ programming?
Thanks
JLW
From:
[EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Teddy
Payne
Sent: Monday, August 07, 2006
15:52
To: discussion@acfug.org
Subject: Re: re[2]: [ACFUG
Discuss] Regex help
I think what Dean is
suggesting here is that it is wiser to validate both from the server and the
client. The server validation being more reliable than the client.
This is a well adopted paradigm and Dean helps us remember this.
Also, MITM = Man In The Middle, which is a type of attack that can be used to
attack a web site as a way to change data that would alter the normal behavior
of the application.
Dean is very security conscious through profession and paranoia, which is not a
bad thing. In the normal development process, it is always recommended to
consider ways that your application can be altered.
For this given situation, one recommendation for removing the ability to
perform a SQL injection attack is to use the or
tag when inserting data. These tags will throw
exceptions if the datatypes do not match.
If this topic is of interest to other people, we should have Dean present
application security again. I attended oen of his presentation before at
ACFUG and it was a good primer for many types of attacks.
Cheers
On 8/7/06, Dean H.
Saxe <[EMAIL PROTECTED]>
wrote:
Say you want to find your
string and its 10 to 12 characters in the
hexadecimal character set. You can validate your data with:
[A-F0-9]{10,12}
This will match any hexadecimal number with a minimum of 10 chars and
a maximum of 12. Its a positive way of doing data validation on your
string.
-dhs
Dean H. Saxe, CISSP, CEH
[EMAIL PROTECTED]
"If liberty means anything at all, it means the right to tell people
what they do not want to hear."
-- George Orwell, 1945
On Aug 7, 2006, at 2:30 PM, Mischa Uppelschoten ext 10 wrote:
> Thanks! The piece that I was missing was the not
(^) :)
>
>
> Dean, this _expression_ rereplace(mystring, "[^A-F0-9]",
"", "all")
> filters out all the unwanted characters. What does "{min},{max}"
do?
> Mischa.
>
>
>
>
>> actually he would need this:
>
> rereplace(string, "[^a-fA-F0-9]", "", all);
>
>
> On 8/7/06, Dean H. Saxe < [EMAIL PROTECTED]>
wrote:
> rereplace(string, "[^A-F0-9]", "", all);
>
> But if you're trying to do data validation, why wouldn't you throw
> out any data that doesn't match the regex [A-F0-9]{min,max}?
>
> -dhs
>
>
> Dean H. Saxe, CISSP, CEH
> [EMAIL PROTECTED]
> "If liberty means anything at all, it means the right to tell people
> what they do not want to hear."
> -- George Orwell, 1945
>
>
> On Aug 7, 2006, at 12:29 PM, Mischa Uppelschoten ext 10 wrote:
>
>> I can figure out how to remove a number of disallowed characters
>> from a string, but what if I want to include only a-f and 0-9 and
>> discard everything else?
>>
>> so if a user supplies: E97152C6CF1DD198DE95C7F2C2EF5EA0, do nothing
>> if a user supplies E97152C6CF1DD198DE9;hackcode;
>>
>> it is supposed to return: E97152C6CF1DD198DE9accde
>>
>> Is that possible with a single regex? Or will I have to cycle
>> through the string, and replace every character that doesn't match
>> [a-f]|[0-9] with nothing?
>>
>> Thanks!
>> Mischa,
>>
>>
>>
>> -
>> To unsubscribe from this list, manage your profile @
>> http://www.acfug.org?fa
>> For more info, see http://www.acfug.org/mailinglists
>> Archive @ http://www.mail-archive.com/discussion%40acfug.org/
>> List hosted by http://www.fusionlink.com
>> -
>>
>>
>>
>>
>
>
>
> -
> To unsubscribe from this list, manage your profile @
> http://www.acfug.org?fa=login.edituserform
>
> For more info, see http://www.acfug.org/mailinglists
> Archive @ http://www.mail-archive.com/discussion%40acfug.org/
> List hosted by http://www.fusionlink.com
> -
>
>
>
>
>
>
>
> --
> Steven Ross
> web application & interface
Re: re[2]: [ACFUG Discuss] Regex help
I liked the sams teach yourself regex book written by ben forta. Basic primer and good examples.On 8/10/06, West, Jason <
[EMAIL PROTECTED]> wrote:
OT: Can you all suggest a good book that
would give a better understanding on regular _expression_ programming?
Thanks
JLW
From:
[EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Teddy
Payne
Sent: Monday, August 07, 2006
15:52
To: discussion@acfug.org
Subject: Re: re[2]: [ACFUG
Discuss] Regex help
I think what Dean is
suggesting here is that it is wiser to validate both from the server and the
client. The server validation being more reliable than the client.
This is a well adopted paradigm and Dean helps us remember this.
Also, MITM = Man In The Middle, which is a type of attack that can be used to
attack a web site as a way to change data that would alter the normal behavior
of the application.
Dean is very security conscious through profession and paranoia, which is not a
bad thing. In the normal development process, it is always recommended to
consider ways that your application can be altered.
For this given situation, one recommendation for removing the ability to
perform a SQL injection attack is to use the or
tag when inserting data. These tags will throw
exceptions if the datatypes do not match.
If this topic is of interest to other people, we should have Dean present
application security again. I attended oen of his presentation before at
ACFUG and it was a good primer for many types of attacks.
Cheers
On 8/7/06, Dean H.
Saxe <[EMAIL PROTECTED]>
wrote:
Say you want to find your
string and its 10 to 12 characters in the
hexadecimal character set. You can validate your data with:
[A-F0-9]{10,12}
This will match any hexadecimal number with a minimum of 10 chars and
a maximum of 12. Its a positive way of doing data validation on your
string.
-dhs
Dean H. Saxe, CISSP, CEH
[EMAIL PROTECTED]
"If liberty means anything at all, it means the right to tell people
what they do not want to hear."
-- George Orwell, 1945
On Aug 7, 2006, at 2:30 PM, Mischa Uppelschoten ext 10 wrote:
> Thanks! The piece that I was missing was the not
(^) :)
>
>
> Dean, this _expression_ rereplace(mystring, "[^A-F0-9]",
"", "all")
> filters out all the unwanted characters. What does "{min},{max}"
do?
> Mischa.
>
>
>
>
>> actually he would need this:
>
> rereplace(string, "[^a-fA-F0-9]", "", all);
>
>
> On 8/7/06, Dean H. Saxe < [EMAIL PROTECTED]>
wrote:
> rereplace(string, "[^A-F0-9]", "", all);
>
> But if you're trying to do data validation, why wouldn't you throw
> out any data that doesn't match the regex [A-F0-9]{min,max}?
>
> -dhs
>
>
> Dean H. Saxe, CISSP, CEH
> [EMAIL PROTECTED]
> "If liberty means anything at all, it means the right to tell people
> what they do not want to hear."
> -- George Orwell, 1945
>
>
> On Aug 7, 2006, at 12:29 PM, Mischa Uppelschoten ext 10 wrote:
>
>> I can figure out how to remove a number of disallowed characters
>> from a string, but what if I want to include only a-f and 0-9 and
>> discard everything else?
>>
>> so if a user supplies: E97152C6CF1DD198DE95C7F2C2EF5EA0, do nothing
>> if a user supplies E97152C6CF1DD198DE9;hackcode;
>>
>> it is supposed to return: E97152C6CF1DD198DE9accde
>>
>> Is that possible with a single regex? Or will I have to cycle
>> through the string, and replace every character that doesn't match
>> [a-f]|[0-9] with nothing?
>>
>> Thanks!
>> Mischa,
>>
>>
>>
>> -
>> To unsubscribe from this list, manage your profile @
>> http://www.acfug.org?fa
>> For more info, see http://www.acfug.org/mailinglists
>> Archive @ http://www.mail-archive.com/discussion%40acfug.org/
>> List hosted by http://www.fusionlink.com
>> -
>>
>>
>>
>>
>
>
>
> -
> To unsubscribe from this list, manage your profile @
> http://www.acfug.org?fa=login.edituserform
>
> For more info, see http://www.acfug.org/mailinglists
> Archive @ http://www.mail-archive.com/discussion%40acfug.org/
> List hosted by http://www.fusionlink.com
> -
>
>
>
>
>
>
>
> --
> Steven Ross
> web application & interface developer
> http://www.zerium.com
> [phone] 404-488-4364
> ---
Re: re[2]: [ACFUG Discuss] Regex help
Jason,
First start with one of the RegEx in 10 minutes a day type books. I
think there is one from Sams Publishing. If you want to be a serious
geek, Regular Expressions by Jeffrey Friedl from O'Reilly rocks.
-dhs
Dean H. Saxe, CISSP, CEH
[EMAIL PROTECTED]
"If liberty means anything at all, it means the right to tell people
what they do not want to hear."
-- George Orwell, 1945
On Aug 10, 2006, at 10:58 AM, West, Jason wrote:
OT: Can you all suggest a good book that would give a better
understanding on regular expression programming?
Thanks
JLW
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Teddy
Payne
Sent: Monday, August 07, 2006 15:52
To: discussion@acfug.org
Subject: Re: re[2]: [ACFUG Discuss] Regex help
I think what Dean is suggesting here is that it is wiser to
validate both from the server and the client. The server
validation being more reliable than the client. This is a well
adopted paradigm and Dean helps us remember this.
Also, MITM = Man In The Middle, which is a type of attack that can
be used to attack a web site as a way to change data that would
alter the normal behavior of the application.
Dean is very security conscious through profession and paranoia,
which is not a bad thing. In the normal development process, it is
always recommended to consider ways that your application can be
altered.
For this given situation, one recommendation for removing the
ability to perform a SQL injection attack is to use the
or tag when inserting data. These
tags will throw exceptions if the datatypes do not match.
If this topic is of interest to other people, we should have Dean
present application security again. I attended oen of his
presentation before at ACFUG and it was a good primer for many
types of attacks.
Cheers
On 8/7/06, Dean H. Saxe <[EMAIL PROTECTED]> wrote:
Say you want to find your string and its 10 to 12 characters in the
hexadecimal character set. You can validate your data with:
[A-F0-9]{10,12}
This will match any hexadecimal number with a minimum of 10 chars and
a maximum of 12. Its a positive way of doing data validation on your
string.
-dhs
Dean H. Saxe, CISSP, CEH
[EMAIL PROTECTED]
"If liberty means anything at all, it means the right to tell people
what they do not want to hear."
-- George Orwell, 1945
On Aug 7, 2006, at 2:30 PM, Mischa Uppelschoten ext 10 wrote:
> Thanks! The piece that I was missing was the not (^) :)
>
>
> Dean, this expression rereplace(mystring, "[^A-F0-9]", "", "all")
> filters out all the unwanted characters. What does "{min},{max}" do?
> Mischa.
>
>
>
>
>> actually he would need this:
>
> rereplace(string, "[^a-fA-F0-9]", "", all);
>
>
> On 8/7/06, Dean H. Saxe < [EMAIL PROTECTED]> wrote:
> rereplace(string, "[^A-F0-9]", "", all);
>
> But if you're trying to do data validation, why wouldn't you throw
> out any data that doesn't match the regex [A-F0-9]{min,max}?
>
> -dhs
>
>
> Dean H. Saxe, CISSP, CEH
> [EMAIL PROTECTED]
> "If liberty means anything at all, it means the right to tell people
> what they do not want to hear."
> -- George Orwell, 1945
>
>
> On Aug 7, 2006, at 12:29 PM, Mischa Uppelschoten ext 10 wrote:
>
>> I can figure out how to remove a number of disallowed characters
>> from a string, but what if I want to include only a-f and 0-9 and
>> discard everything else?
>>
>> so if a user supplies: E97152C6CF1DD198DE95C7F2C2EF5EA0, do nothing
>> if a user supplies E97152C6CF1DD198DE9;hackcode;
>>
>> it is supposed to return: E97152C6CF1DD198DE9accde
>>
>> Is that possible with a single regex? Or will I have to cycle
>> through the string, and replace every character that doesn't match
>> [a-f]|[0-9] with nothing?
>>
>> Thanks!
>> Mischa,
>>
>>
>>
>> -
>> To unsubscribe from this list, manage your profile @
>> http://www.acfug.org?fa
>> For more info, see http://www.acfug.org/mailinglists
>> Archive @ http://www.mail-archive.com/discussion%40acfug.org/
>> List hosted by http://www.fusionlink.com
>> -
>>
>>
>>
>>
>
>
>
> -
> To unsubscribe from this list, manage your profile @
> http://www.acfug.org?fa=login.edituserform
>
> For more info, see http://www.acfug.org/mailinglists
> Archive @ http://www.mail-archive.com/discussion%40acfug.org/
> List hosted by http://www.fusionlink.com
> -
RE: re[2]: [ACFUG Discuss] Regex help
OT: Can you all suggest a good book that
would give a better understanding on regular _expression_ programming?
Thanks
JLW
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Teddy
Payne
Sent: Monday, August 07, 2006
15:52
To: discussion@acfug.org
Subject: Re: re[2]: [ACFUG
Discuss] Regex help
I think what Dean is
suggesting here is that it is wiser to validate both from the server and the
client. The server validation being more reliable than the client.
This is a well adopted paradigm and Dean helps us remember this.
Also, MITM = Man In The Middle, which is a type of attack that can be used to
attack a web site as a way to change data that would alter the normal behavior
of the application.
Dean is very security conscious through profession and paranoia, which is not a
bad thing. In the normal development process, it is always recommended to
consider ways that your application can be altered.
For this given situation, one recommendation for removing the ability to
perform a SQL injection attack is to use the or
tag when inserting data. These tags will throw
exceptions if the datatypes do not match.
If this topic is of interest to other people, we should have Dean present
application security again. I attended oen of his presentation before at
ACFUG and it was a good primer for many types of attacks.
Cheers
On 8/7/06, Dean H.
Saxe <[EMAIL PROTECTED]>
wrote:
Say you want to find your
string and its 10 to 12 characters in the
hexadecimal character set. You can validate your data with:
[A-F0-9]{10,12}
This will match any hexadecimal number with a minimum of 10 chars and
a maximum of 12. Its a positive way of doing data validation on your
string.
-dhs
Dean H. Saxe, CISSP, CEH
[EMAIL PROTECTED]
"If liberty means anything at all, it means the right to tell people
what they do not want to hear."
-- George Orwell, 1945
On Aug 7, 2006, at 2:30 PM, Mischa Uppelschoten ext 10 wrote:
> Thanks! The piece that I was missing was the not
(^) :)
>
>
> Dean, this _expression_ rereplace(mystring, "[^A-F0-9]",
"", "all")
> filters out all the unwanted characters. What does "{min},{max}"
do?
> Mischa.
>
>
>
>
>> actually he would need this:
>
> rereplace(string, "[^a-fA-F0-9]", "", all);
>
>
> On 8/7/06, Dean H. Saxe < [EMAIL PROTECTED]>
wrote:
> rereplace(string, "[^A-F0-9]", "", all);
>
> But if you're trying to do data validation, why wouldn't you throw
> out any data that doesn't match the regex [A-F0-9]{min,max}?
>
> -dhs
>
>
> Dean H. Saxe, CISSP, CEH
> [EMAIL PROTECTED]
> "If liberty means anything at all, it means the right to tell people
> what they do not want to hear."
> -- George Orwell, 1945
>
>
> On Aug 7, 2006, at 12:29 PM, Mischa Uppelschoten ext 10 wrote:
>
>> I can figure out how to remove a number of disallowed characters
>> from a string, but what if I want to include only a-f and 0-9 and
>> discard everything else?
>>
>> so if a user supplies: E97152C6CF1DD198DE95C7F2C2EF5EA0, do nothing
>> if a user supplies E97152C6CF1DD198DE9;hackcode;
>>
>> it is supposed to return: E97152C6CF1DD198DE9accde
>>
>> Is that possible with a single regex? Or will I have to cycle
>> through the string, and replace every character that doesn't match
>> [a-f]|[0-9] with nothing?
>>
>> Thanks!
>> Mischa,
>>
>>
>>
>> -
>> To unsubscribe from this list, manage your profile @
>> http://www.acfug.org?fa
>> For more info, see http://www.acfug.org/mailinglists
>> Archive @ http://www.mail-archive.com/discussion%40acfug.org/
>> List hosted by http://www.fusionlink.com
>> -
>>
>>
>>
>>
>
>
>
> -
> To unsubscribe from this list, manage your profile @
> http://www.acfug.org?fa=login.edituserform
>
> For more info, see http://www.acfug.org/mailinglists
> Archive @ http://www.mail-archive.com/discussion%40acfug.org/
> List hosted by http://www.fusionlink.com
> -
>
>
>
>
>
>
>
> --
> Steven Ross
> web application & interface developer
> http://www.zerium.com
> [phone] 404-488-4364
> -
> To unsubscribe from this list, manage your profile @
> http://www.acfug.org?fa=login.edituserform
>
> For more inf
Re: re[2]: [ACFUG Discuss] Regex help
I think what Dean is suggesting here is that it is wiser to validate both from the server and the client. The server validation being more reliable than the client. This is a well adopted paradigm and Dean helps us remember this.
Also, MITM = Man In The Middle, which is a type of attack that can be used to attack a web site as a way to change data that would alter the normal behavior of the application.Dean is very security conscious through profession and paranoia, which is not a bad thing. In the normal development process, it is always recommended to consider ways that your application can be altered.
For this given situation, one recommendation for removing the ability to perform a SQL injection attack is to use the or tag when inserting data. These tags will throw exceptions if the datatypes do not match.
If this topic is of interest to other people, we should have Dean present application security again. I attended oen of his presentation before at ACFUG and it was a good primer for many types of attacks.
CheersOn 8/7/06, Dean H. Saxe <[EMAIL PROTECTED]> wrote:
Say you want to find your string and its 10 to 12 characters in thehexadecimal character set. You can validate your data with:[A-F0-9]{10,12}This will match any hexadecimal number with a minimum of 10 chars and
a maximum of 12. Its a positive way of doing data validation on yourstring.-dhsDean H. Saxe, CISSP, CEH[EMAIL PROTECTED]"If liberty means anything at all, it means the right to tell people
what they do not want to hear." -- George Orwell, 1945On Aug 7, 2006, at 2:30 PM, Mischa Uppelschoten ext 10 wrote:> Thanks! The piece that I was missing was the not (^) :)>
>> Dean, this _expression_ rereplace(mystring, "[^A-F0-9]", "", "all")> filters out all the unwanted characters. What does "{min},{max}" do?> Mischa.>
> actually he would need this:>> rereplace(string, "[^a-fA-F0-9]", "", all);>>> On 8/7/06, Dean H. Saxe <
[EMAIL PROTECTED]> wrote:> rereplace(string, "[^A-F0-9]", "", all);>> But if you're trying to do data validation, why wouldn't you throw> out any data that doesn't match the regex [A-F0-9]{min,max}?
>> -dhs>>> Dean H. Saxe, CISSP, CEH> [EMAIL PROTECTED]> "If liberty means anything at all, it means the right to tell people
> what they do not want to hear."> -- George Orwell, 1945>>> On Aug 7, 2006, at 12:29 PM, Mischa Uppelschoten ext 10 wrote:>>> I can figure out how to remove a number of disallowed characters
>> from a string, but what if I want to include only a-f and 0-9 and>> discard everything else? so if a user supplies: E97152C6CF1DD198DE95C7F2C2EF5EA0, do nothing>> if a user supplies E97152C6CF1DD198DE9;hackcode;
it is supposed to return: E97152C6CF1DD198DE9accde Is that possible with a single regex? Or will I have to cycle>> through the string, and replace every character that doesn't match
>> [a-f]|[0-9] with nothing? Thanks!>> Mischa, ->> To unsubscribe from this list, manage your profile @
>> http://www.acfug.org?fa>> For more info, see http://www.acfug.org/mailinglists>> Archive @
http://www.mail-archive.com/discussion%40acfug.org/>> List hosted by http://www.fusionlink.com>> -
-> To unsubscribe from this list, manage your profile @>
http://www.acfug.org?fa=login.edituserform>> For more info, see http://www.acfug.org/mailinglists> Archive @
http://www.mail-archive.com/discussion%40acfug.org/> List hosted by http://www.fusionlink.com> ->
>>> --> Steven Ross> web application & interface developer> http://www.zerium.com> [phone] 404-488-4364
> -> To unsubscribe from this list, manage your profile @> http://www.acfug.org?fa=login.edituserform
>> For more info, see http://www.acfug.org/mailinglists> Archive @ http://www.mail-archive.com/discussion%40acfug.org/
> List hosted by FusionLink> - < Mischa Uppelschoten> The Banker's Exchange, Inc.> 2020 Hills Avenue NW
> Atlanta, GA 30318>> Phone:(404) 605-0100 ext. 10> Fax:(404) 355-7930> Web:www.BankersX.com> Follow this link for Instant Web Chat:
> http://www.bankersx.com/Contact/chat.cfm?Queue=MUPPELSCHOTEN -
> To unsubscribe from this list, manage your profile @> http://www.acfug.org?fa> For more info, see http://www.acfug.org/mailinglists
> Archive @ http://www.mail-archive.com/discussion%40acfug.org/> List hosted by http://www.fusionlink.com
> --To unsubscribe from this list, manage your profile @
http://www.acfug.org?fa=login.edituserformFor mo
Re: re[2]: [ACFUG Discuss] Regex help
Say you want to find your string and its 10 to 12 characters in the
hexadecimal character set. You can validate your data with:
[A-F0-9]{10,12}
This will match any hexadecimal number with a minimum of 10 chars and
a maximum of 12. Its a positive way of doing data validation on your
string.
-dhs
Dean H. Saxe, CISSP, CEH
[EMAIL PROTECTED]
"If liberty means anything at all, it means the right to tell people
what they do not want to hear."
-- George Orwell, 1945
On Aug 7, 2006, at 2:30 PM, Mischa Uppelschoten ext 10 wrote:
Thanks! The piece that I was missing was the not (^) :)
Dean, this expression rereplace(mystring, "[^A-F0-9]", "", "all")
filters out all the unwanted characters. What does "{min},{max}" do?
Mischa.
actually he would need this:
rereplace(string, "[^a-fA-F0-9]", "", all);
On 8/7/06, Dean H. Saxe < [EMAIL PROTECTED]> wrote:
rereplace(string, "[^A-F0-9]", "", all);
But if you're trying to do data validation, why wouldn't you throw
out any data that doesn't match the regex [A-F0-9]{min,max}?
-dhs
Dean H. Saxe, CISSP, CEH
[EMAIL PROTECTED]
"If liberty means anything at all, it means the right to tell people
what they do not want to hear."
-- George Orwell, 1945
On Aug 7, 2006, at 12:29 PM, Mischa Uppelschoten ext 10 wrote:
I can figure out how to remove a number of disallowed characters
from a string, but what if I want to include only a-f and 0-9 and
discard everything else?
so if a user supplies: E97152C6CF1DD198DE95C7F2C2EF5EA0, do nothing
if a user supplies E97152C6CF1DD198DE9;hackcode;
it is supposed to return: E97152C6CF1DD198DE9accde
Is that possible with a single regex? Or will I have to cycle
through the string, and replace every character that doesn't match
[a-f]|[0-9] with nothing?
Thanks!
Mischa,
-
To unsubscribe from this list, manage your profile @
http://www.acfug.org?fa
For more info, see http://www.acfug.org/mailinglists
Archive @ http://www.mail-archive.com/discussion%40acfug.org/
List hosted by http://www.fusionlink.com
-
-
To unsubscribe from this list, manage your profile @
http://www.acfug.org?fa=login.edituserform
For more info, see http://www.acfug.org/mailinglists
Archive @ http://www.mail-archive.com/discussion%40acfug.org/
List hosted by http://www.fusionlink.com
-
--
Steven Ross
web application & interface developer
http://www.zerium.com
[phone] 404-488-4364
-
To unsubscribe from this list, manage your profile @
http://www.acfug.org?fa=login.edituserform
For more info, see http://www.acfug.org/mailinglists
Archive @ http://www.mail-archive.com/discussion%40acfug.org/
List hosted by FusionLink
- <
Mischa Uppelschoten
The Banker's Exchange, Inc.
2020 Hills Avenue NW
Atlanta, GA 30318
Phone:(404) 605-0100 ext. 10
Fax:(404) 355-7930
Web:www.BankersX.com
Follow this link for Instant Web Chat:
http://www.bankersx.com/Contact/chat.cfm?Queue=MUPPELSCHOTEN
-
To unsubscribe from this list, manage your profile @
http://www.acfug.org?fa
For more info, see http://www.acfug.org/mailinglists
Archive @ http://www.mail-archive.com/discussion%40acfug.org/
List hosted by http://www.fusionlink.com
-
-
To unsubscribe from this list, manage your profile @
http://www.acfug.org?fa=login.edituserform
For more info, see http://www.acfug.org/mailinglists
Archive @ http://www.mail-archive.com/discussion%40acfug.org/
List hosted by http://www.fusionlink.com
-
