
I thought it was an easy task

Last post 11-19-2008, 7:50 AM by Keiffer. 3 replies.
  •  11-18-2008, 3:02 PM 48470

    I thought it was an easy task

    I'm doing some data validation in ASP and I'm trying to stop SQL Injection by calling the following function:

    Function ValidateField(value)
      Dim re
      Set re = new RegExp
      re.IgnoreCase = true
      're.Pattern = "^[a-zA-Z0-9 -]+$"
      re.pattern = "[\*\&\;\'\!\@\#\$\%\^\~\`\+\=\(\)\[\]\:\/\|\{\}\,\\]"
      re.global = true
      ValidateField = re.Test(value)
    End Function

    I only want letters, numbers, spaces and hyphens to pass the validation.  The value being checked is 20 characters long and is a user's name.  The above code sorta works but for some reason *, & and a couple of other punctuation marks get through.  As you can see I've tried catching the values I don't want as well as only allowing the ones I do but neither work 100%.  Can anyone point me in the right direction?  Thanks.

  •  11-18-2008, 3:27 PM 48472 in reply to 48470

    Re: I thought it was an easy task

    <%
    Function ValidateField(value)
      Set regEx = New RegExp
      regEx.IgnoreCase = True
      regEx.Pattern = "^[a-z\d -]+$"
      ValidateField = regEx.Test(value)
    End Function
    Response.Write(ValidateField("this is a long string of Letters-and-Numbers 123 and spaces"))
    Response.Write("<hr>")
    Response.Write(ValidateField("bad string @#$%^&*"))
    %>
  •  11-18-2008, 8:22 PM 48485 in reply to 48470

    Re: I thought it was an easy task

    A couple of things about your pattern:

    Firstly, within a character class definition most of the characters lose their special meanings, so your definition can become:

    [*&;'!@#$%^~`+=()\[\]:/|{},\\]

    which is a bit easier to read and later maintain. You have to be careful with the '^' character as the first one after the '[' but otherwise it is just a character. The opposite is true for ']' where it is a literal ']' as the first character in the set (i.e. immediately after the '[' or '[^') and of course the '\' is still the escape character. (You may need further escaping of characters such as '"' if these are confusing the surrounding programming language but that is another story!)

    Secondly, the commented out pattern will try to match all characters in the test string, whereas your character class definition will only match a single character and will succeed if that character is anywhere in the test string. Therefore, as it stands, your function will return "true" if value is "abc$d" (because there is a "$" in it and the '$' character is in the class set, but return "false" if value is "qwerty" because none of the characters appear anywhere. However it will also return "false" for a value of "abd___???<>" as none of those characters are in the set!

    Therefore you should reverse the logical value returned by the function (being aware of the last point above), change the character class definition into a negated set, or use your original pattern. I can't see what is wrong with your original pattern (other than it doesn't check for the name to be 20 characters long and will allow names that are all spaces or dashes!) but it has the advantage of being a positive check of what is wanted rather than a negative check of what is not. Perhaps if you explain what was going wrong (with examples) then that may be the better approach.

    Susan
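The three behaviours described in the reply above, as an added example that is not part of the thread: the unanchored blacklist class returns true for bad input and misses characters outside the set, the anchored whitelist accepts only the wanted characters, and a final check adds the length and "not only spaces or dashes" conditions the reply points out. JavaScript's RegExp is assumed here as a stand-in for the VBScript RegExp object used in classic ASP; the sample inputs are constructed.

```javascript
// The poster's blacklist: a single-character class with no anchors.
// .test() answers "does ANY listed character occur?", so it is true for
// bad input and false for clean input (the polarity is reversed), and
// characters not in the set (e.g. _ ? < >) are never caught.
const blacklist = /[*&;'!@#$%^~`+=()\[\]:\/|{},\\]/;

// The whitelist from the thread: anchored, so the WHOLE value must consist
// of letters, digits, spaces and hyphens (IgnoreCase -> the /i flag).
const whitelist = /^[a-z\d -]+$/i;

function blacklistTest(value) {
  return blacklist.test(value);
}

function whitelistTest(value) {
  return whitelist.test(value);
}

// Whitelist plus the two gaps noted in the reply: a maximum length
// (20 for the poster's field) and at least one letter or digit, so that a
// value made only of spaces and dashes is rejected.
function validateName(value, maxLen = 20) {
  if (typeof value !== 'string' || value.length === 0 || value.length > maxLen) {
    return false;
  }
  if (!whitelist.test(value)) {
    return false;
  }
  return /[a-z\d]/i.test(value);
}

// Constructed sample inputs, including the ones discussed in the reply.
const samples = [
  'qwerty',              // clean: blacklist false, whitelist true
  'abc$d',               // bad: blacklist true, whitelist false
  'abd___???<>',         // bad but unlisted: blacklist false, whitelist false
  '   ---  ',            // whitelist true, but validateName false
  'Robert Smith-Jones',  // realistic name: passes everything
  "O'Brien; DROP TABLE x--" // quote and semicolon: rejected by whitelist
];

for (const s of samples) {
  console.log(JSON.stringify(s), blacklistTest(s), whitelistTest(s), validateName(s));
}
```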

  •  11-19-2008, 7:50 AM 48501 in reply to 48485

    Re: I thought it was an easy task

    Thanks for your response.  I used your more concise definition, but the issue still remained.  I went back to the code and found that before the value is passed through the regular expression function the value is parsed for offending characters and the offending characters are removed.  That's why it seemed to work for some of the values but not others.  Thank you again for your explanation, a GOLD STAR for you.