I’m trying to use Regular Expressions to do server-side form validation, and I’m hitting a bit of a snag.
I’ve got successful validations for (US) Zip Code, State, and City (as far as I can tell, anyway.) But I’m not quite so successful when it comes to validating Company Name.
If anyone knows RegEx pretty well, I’m trying to write a mask that will allow a-z, 0-9, spaces, and just a few special characters: !@#$%&()-_{}?., but nothing else.
Right now, I’ve got:
^[A-Za-z0-9 !@#\$%&\(\)-_{}[]\?\.,]*$
… but it’s still triggering false positives. Suggestions, please?
I’ve given that some thought, but the truth is that this is for a DoD site (inviting companies to submit information if the company thinks it can offer something for a DoD capability), so the odds of a company actually having any of the special character spectrum in the company name is slim. I’m making an exception for a small sliver of the special characters, just in case.
Not to mention, disallowing < and > makes injection a little more difficult.
If you can’t show actual names, sorry, but I really need to see a representative sample of what the names look like. eg.
they _always start with an uppercase letter
they always have at least one space
if they have at least one digit they always have more than one digit
they never have a __ character
etc.
without out seeing what your working with it’s impossible to identify similarities and differences and any regex pattern I might come up with would be a best a wild guess.
The trick with regex is to not only get what you want to get, but also to not get what you want to not get.
I’m using JavaScript to trim all leading and ending spaces, replace more than one space with a single space, and then force everything into upper-case, except email addresses which I’m forcing to lower-case.
Allowed characters are a through z, numbers 0 through 9, and special characters ! @ # $ % & ( ) - _ { } ? . , : and space.
Valid:
Acme Anvils, LLC.
Acme (Explosives) Cartage [LTD]
Micro$oft
Grandpa's @ The Depot
The Bloomington-O'Hare Gazette
123 Easy Mortgage {123 Loans}
#9 Left Hand
I always use parameterized queries, as well as another step for prevention of SQL-injections and XSS attacks. My client is overly paranoid - I must be overly -paranoid, too.
I think you’re just doing useless work. If you escape all user data in SQL queries and HTML output then its enough. Otherwise your “safe list” of characters (!@#$%&()-_{}?.,) is big enough to allow bad things.
If you think it’s a waste of time, you’re more than welcome to voice that opinion.
Please don’t try to dissuade other people from offering suggestions by announcing to the forum that this is “useless work”.
I’ve asked an honest question. You’ve twice implied that I’m wasting my time. Thank you. Duly noted. Please feel free to not comment on this thread, anymore.
Please let me decide myself where to comment.
This thread can be read by other people who may start to think it is necessary to validate such things like company names. So my posts will answer their question. But you can do everything you want of course. And i have no goal to dissuade other people from helping you.
Okay, @WolfShade, you have a couple of small issues.
One you need to add ’ to your allow list, I also had to escape the [ and ] for my test to work, plus you have to escape the - otherwise it considers it a range between ) and _ that are allowed.
Here is my final result (you will not want to use g or m as modifiers, as you likely won’t be dealing with multiple lines of data).
Thanks, @cpradio. I’m not sure which flavour of RegEx ColdFusion uses, but it’s not allowing the apostrophe (so far.) I’ve tried it as is, escaped with a \ and escaped with another apostrophe (not the “left” apostrophe that is near 1.) Something like “Don’t Stop” will trigger an error.
And ColdFusion isn’t so bad, really. I started learning it in 2000. Some things don’t make sense (like 1-based index instead of 0-based index for things like arrays, etc.), but for the most part, it’s pretty straight-forward. And if a developer is the kind who doesn’t like looking at server-side code that mimics HTML tags, you can do 99% of CF within CFSCRIPT tags - it’s just like JavaScript or perl, except the conditionals aren’t == or === or >=, etc… it’s “eq”, “gte”, etc.
And that is an excellent example of REreplace(); but I’m using REMatch() for checking the string against a mask. REMatch() returns an array of strings that match the regex.
