RE: re[2]: [ACFUG Discuss] Regex help
Awesome suggestions, thanks for all the info. Will be visiting Barnes and Nobles this weekend to see what they have in stock. :-)

Thanks
JLW

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Charlie Arehart
Sent: Thursday, August 10, 2006 11:29
To: discussion@acfug.org
Subject: RE: re[2]: [ACFUG Discuss] Regex help

Yes, Ben Forta did "Teach Yourself Regular Expressions In 10 Minutes" and I can recommend it. There are also many resources available online. Just google "regular expressions" and the first few that come up look quite good.

There are also many tools that can help you build regular expressions easily. I'll make a note to create a resource listing many of them (someday), if someone doesn't already know of one.

/charlie
http://www.carehart.org/blog/

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Dean H. Saxe
Sent: Thursday, August 10, 2006 11:09 AM
To: discussion@acfug.org
Subject: Re: re[2]: [ACFUG Discuss] Regex help

Jason,

First start with one of the RegEx in 10 minutes a day type books. I think there is one from Sams Publishing. If you want to be a serious geek, Regular Expressions by Jeffrey Friedl from O'Reilly rocks.

-dhs

Dean H. Saxe, CISSP, CEH
[EMAIL PROTECTED]
"If liberty means anything at all, it means the right to tell people what they do not want to hear." -- George Orwell, 1945

On Aug 10, 2006, at 10:58 AM, West, Jason wrote:

> OT: Can you all suggest a good book that would give a better understanding on regular expression programming?
>
> Thanks
> JLW
>
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Teddy Payne
> Sent: Monday, August 07, 2006 15:52
> To: discussion@acfug.org
> Subject: Re: re[2]: [ACFUG Discuss] Regex help
>
> I think what Dean is suggesting here is that it is wiser to validate both from the server and the client, the server validation being more reliable than the client. This is a well-adopted paradigm and Dean helps us remember this.
>
> Also, MITM = Man In The Middle, which is a type of attack that can be used to attack a web site as a way to change data that would alter the normal behavior of the application.
>
> Dean is very security conscious through profession and paranoia, which is not a bad thing. In the normal development process, it is always recommended to consider ways that your application can be altered.
>
> For this given situation, one recommendation for removing the ability to perform a SQL injection attack is to use the or tag when inserting data. These tags will throw exceptions if the datatypes do not match.
>
> If this topic is of interest to other people, we should have Dean present application security again. I attended one of his presentations before at ACFUG and it was a good primer for many types of attacks.
>
> Cheers
>
> On 8/7/06, Dean H. Saxe <[EMAIL PROTECTED]> wrote:
>
> Say you want to find your string and it's 10 to 12 characters in the hexadecimal character set. You can validate your data with:
>
> [A-F0-9]{10,12}
>
> This will match any hexadecimal number with a minimum of 10 chars and a maximum of 12. It's a positive way of doing data validation on your string.
>
> -dhs
>
> Dean H. Saxe, CISSP, CEH
> [EMAIL PROTECTED]
> "If liberty means anything at all, it means the right to tell people what they do not want to hear." -- George Orwell, 1945
>
> On Aug 7, 2006, at 2:30 PM, Mischa Uppelschoten ext 10 wrote:
>
> > Thanks! The piece that I was missing was the not (^) :)
> >
> > Dean, this expression rereplace(mystring, "[^A-F0-9]", "", "all") filters out all the unwanted characters. What does "{min},{max}" do?
> > Mischa.
> >
> > > actually he would need this:
> > >
> > > rereplace(string, "[^a-fA-F0-9]", "", all);
> > >
> > > --
> > > Steven Ross
> > > web application & interface developer
> > > http://www.zerium.com
> > > [phone] 404-488-4364
> >
> > On 8/7/06, Dean H. Saxe <[EMAIL PROTECTED]> wrote:
> >
> > rereplace(string, "[^A-F0-9]", "", all);
> >
> > But if you're trying to do data validation, why wouldn't you throw out any data that doesn't match the regex [A-F0-9]{min,max}?
> >
> > -dhs
> >
> > Dean H. Saxe, CISSP, CEH
> > [EMAIL PROTECTED]
> > "If liberty means anything at all, it means the right to tell people what they do not want to hear." -- George Orwell, 1945
> >
> > On Aug 7, 2006, at 12:29 PM, Mischa Uppelschoten ext 10
Re: re[2]: [ACFUG Discuss] Regex help
The RegEx Coach
http://weitz.de/regex-coach/

-dhs

Dean H. Saxe, CISSP, CEH
[EMAIL PROTECTED]
"Dissent is the purest form of patriotism." --Thomas Jefferson

On Aug 10, 2006, at 11:29 AM, Charlie Arehart wrote:

> There are also many tools that can help you build regular expressions easily. I'll make a note to create a resource listing many of them (someday), if someone doesn't already know of one.
>
> On Aug 7, 2006, at 12:29 PM, Mischa Uppelschoten ext 10 wrote:
>
> > I can figure out how to remove a number of disallowed characters from a string, but what if I want to include only a-f and 0-9 and discard everything else?
> >
> > so if a user supplies: E97152C6CF1DD198DE95C7F2C2EF5EA0, do nothing
> > if a user supplies E97152C6CF1DD198DE9;hackcode;
> >
> > it is supposed to return: E97152C6CF1DD198DE9accde
> >
> > Is that possible with a single regex? Or will I have to cycle through the string, and replace every character that doesn't match [a-f]|[0-9] with nothing?
> >
> > Thanks!
> > Mischa,
> >
> > Mischa Uppelschoten
> > The Banker's Exchange, Inc.
> > 2020 Hills Avenue NW
> > Atlanta, GA 30318
> > Phone: (404) 605-0100 ext. 10
> > Fax: (404) 355-7930
> > Web: www.BankersX.com
> > Follow this link for Instant Web Chat:
> > http://www.bankersx.com/Contact/chat.cfm?Queue=MUPPELSCHOTEN
RE: re[2]: [ACFUG Discuss] Regex help
Yes, Ben Forta did "Teach Yourself Regular Expressions In 10 Minutes" and I can recommend it. There are also many resources available online. Just google "regular expressions" and the first few that come up look quite good.

There are also many tools that can help you build regular expressions easily. I'll make a note to create a resource listing many of them (someday), if someone doesn't already know of one.

/charlie
http://www.carehart.org/blog/

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Dean H. Saxe
Sent: Thursday, August 10, 2006 11:09 AM
To: discussion@acfug.org
Subject: Re: re[2]: [ACFUG Discuss] Regex help
Re: re[2]: [ACFUG Discuss] Regex help
http://www.amazon.com/gp/product/0672325667/002-0166281-3017656?v=glance&n=283155

On 8/10/06, Steven Ross <[EMAIL PROTECTED]> wrote:

> I liked the Sams Teach Yourself regex book written by Ben Forta. Basic primer and good examples.
>
> On 8/10/06, West, Jason <[EMAIL PROTECTED]> wrote:
>
> > OT: Can you all suggest a good book that would give a better understanding on regular expression programming?

-----
To unsubscribe from this list, manage your profile @ http://www.acfug.org?fa=login.edituserform
For more info, see http://www.acfug.org/mailinglists
Archive @ http://www.mail-archive.com/discussion%40acfug.org/
List hosted by http://www.fusionlink.com
-----
Re: re[2]: [ACFUG Discuss] Regex help
I liked the Sams Teach Yourself regex book written by Ben Forta. Basic primer and good examples.

On 8/10/06, West, Jason <[EMAIL PROTECTED]> wrote:

> OT: Can you all suggest a good book that would give a better understanding on regular expression programming?
>
> Thanks
> JLW
Re: re[2]: [ACFUG Discuss] Regex help
Jason,

First start with one of the RegEx in 10 minutes a day type books. I think there is one from Sams Publishing. If you want to be a serious geek, Regular Expressions by Jeffrey Friedl from O'Reilly rocks.

-dhs

Dean H. Saxe, CISSP, CEH
[EMAIL PROTECTED]
"If liberty means anything at all, it means the right to tell people what they do not want to hear." -- George Orwell, 1945

On Aug 10, 2006, at 10:58 AM, West, Jason wrote:

> OT: Can you all suggest a good book that would give a better understanding on regular expression programming?
RE: re[2]: [ACFUG Discuss] Regex help
OT: Can you all suggest a good book that would give a better understanding on regular expression programming?

Thanks
JLW

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Teddy Payne
Sent: Monday, August 07, 2006 15:52
To: discussion@acfug.org
Subject: Re: re[2]: [ACFUG Discuss] Regex help
Re: re[2]: [ACFUG Discuss] Regex help
I think what Dean is suggesting here is that it is wiser to validate both from the server and the client, the server validation being more reliable than the client. This is a well-adopted paradigm and Dean helps us remember this.

Also, MITM = Man In The Middle, which is a type of attack that can be used to attack a web site as a way to change data that would alter the normal behavior of the application.

Dean is very security conscious through profession and paranoia, which is not a bad thing. In the normal development process, it is always recommended to consider ways that your application can be altered.

For this given situation, one recommendation for removing the ability to perform a SQL injection attack is to use the or tag when inserting data. These tags will throw exceptions if the datatypes do not match.

If this topic is of interest to other people, we should have Dean present application security again. I attended one of his presentations before at ACFUG and it was a good primer for many types of attacks.

Cheers

On 8/7/06, Dean H. Saxe <[EMAIL PROTECTED]> wrote:

> Say you want to find your string and it's 10 to 12 characters in the hexadecimal character set. You can validate your data with:
>
> [A-F0-9]{10,12}
Re: re[2]: [ACFUG Discuss] Regex help
Say you want to find your string and its 10 to 12 characters in the hexadecimal character set. You can validate your data with:

[A-F0-9]{10,12}

This will match any hexadecimal number with a minimum of 10 chars and a maximum of 12. It's a positive way of doing data validation on your string.

-dhs

Dean H. Saxe, CISSP, CEH
[EMAIL PROTECTED]
"If liberty means anything at all, it means the right to tell people what they do not want to hear." -- George Orwell, 1945

On Aug 7, 2006, at 2:30 PM, Mischa Uppelschoten ext 10 wrote:

> Thanks! The piece that I was missing was the not (^) :)
>
> Dean, this expression rereplace(mystring, "[^A-F0-9]", "", "all")
> filters out all the unwanted characters. What does "{min},{max}" do?
>
> Mischa.
>
>> actually he would need this:
>>
>> rereplace(string, "[^a-fA-F0-9]", "", "all");
>>
>> On 8/7/06, Dean H. Saxe <[EMAIL PROTECTED]> wrote:
>>> rereplace(string, "[^A-F0-9]", "", "all");
>>>
>>> But if you're trying to do data validation, why wouldn't you throw
>>> out any data that doesn't match the regex [A-F0-9]{min,max}?
>>>
>>> -dhs
>>>
>>> Dean H. Saxe, CISSP, CEH
>>> [EMAIL PROTECTED]
>>> "If liberty means anything at all, it means the right to tell people
>>> what they do not want to hear." -- George Orwell, 1945
>>>
>>> On Aug 7, 2006, at 12:29 PM, Mischa Uppelschoten ext 10 wrote:
>>>
>>>> I can figure out how to remove a number of disallowed characters
>>>> from a string, but what if I want to include only a-f and 0-9 and
>>>> discard everything else? So if a user supplies
>>>> E97152C6CF1DD198DE95C7F2C2EF5EA0, do nothing; if a user supplies
>>>> E97152C6CF1DD198DE9;hackcode; it is supposed to return
>>>> E97152C6CF1DD198DE9accde. Is that possible with a single regex? Or
>>>> will I have to cycle through the string, and replace every character
>>>> that doesn't match [a-f]|[0-9] with nothing?
>>>>
>>>> Thanks!
>>>> Mischa
>>
>> --
>> Steven Ross
>> web application & interface developer
>> http://www.zerium.com
>> [phone] 404-488-4364
>
> Mischa Uppelschoten
> The Banker's Exchange, Inc.
> 2020 Hills Avenue NW
> Atlanta, GA 30318
> Phone: (404) 605-0100 ext. 10
> Fax: (404) 355-7930
> Web: www.BankersX.com
> Follow this link for Instant Web Chat:
> http://www.bankersx.com/Contact/chat.cfm?Queue=MUPPELSCHOTEN
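The two approaches argued over in this thread, stripping disallowed characters with a negated class (the rereplace approach) versus rejecting any value that does not match a positive, length-bounded pattern (Dean's approach), side by side as an added Python example. This is not code from any poster; the two inputs are the values Mischa gave in the thread, the function names are mine, and the third function exists only to show the pitfall of checking an unanchored pattern.

```python
import re

# Added example, not from the thread: "strip what isn't allowed" versus
# "reject anything that doesn't match".

# Negated character class from the thread. Case-insensitive, as in Steven
# Ross's version; Dean's [^A-F0-9] would also strip lowercase a-f.
NOT_HEX = re.compile(r"[^a-fA-F0-9]")


def sanitize_hex(value: str) -> str:
    """Equivalent of rereplace(value, "[^a-fA-F0-9]", "", "all"): drop non-hex characters.

    The result always looks like hex, but its length is now unpredictable and
    the caller never learns that the input was tampered with.
    """
    return NOT_HEX.sub("", value)


def validate_hex(value: str, min_len: int, max_len: int) -> bool:
    """Positive validation: the entire value must be min_len..max_len hex digits.

    {min,max} bounds the repeat count; fullmatch() anchors the pattern at both
    ends, so a hex-looking run inside a longer tainted value is not enough.
    """
    pattern = re.compile(rf"[a-fA-F0-9]{{{min_len},{max_len}}}")
    return pattern.fullmatch(value) is not None


def unanchored_validate_hex(value: str, min_len: int, max_len: int) -> bool:
    """The pitfall: search() accepts any value that merely *contains* a hex run."""
    pattern = re.compile(rf"[a-fA-F0-9]{{{min_len},{max_len}}}")
    return pattern.search(value) is not None


# Inputs from the thread: a clean 32-digit hex value and a tainted one.
CLEAN = "E97152C6CF1DD198DE95C7F2C2EF5EA0"
TAINTED = "E97152C6CF1DD198DE9;hackcode;"

if __name__ == "__main__":
    print(sanitize_hex(TAINTED))                     # E97152C6CF1DD198DE9accde
    print(validate_hex(CLEAN, 32, 32))               # True
    print(validate_hex(TAINTED, 32, 32))             # False: rejected, not repaired
    print(unanchored_validate_hex(TAINTED, 10, 12))  # True: why anchoring matters
```

Sanitizing the tainted value yields E97152C6CF1DD198DE9accde, exactly as Mischa expected, which is the problem: a 24-character string that is not the 32-character hash the application wanted is silently passed along. The anchored, length-bounded check fails the tainted value instead, which is what Dean means by throwing out anything that doesn't match. The last function shows why the anchoring matters: a bare `[A-F0-9]{10,12}` used with a find-style call is satisfied by any 10-character hex run inside the tainted value, so in ColdFusion the pattern needs explicit ^ and $ anchors to do what the thread intends.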