
I'm trying to add some Input Validation in Classic ASP by using the function/code seen below. The only one that looks like it's working correctly is the "text" type. With the others I keep getting errors, or it just does not filter correctly. I'm trying to understand what I'm doing wrong, please help me.

Valid Data Types: "email", "integer", "date", "string" and "text". The first three are obvious, the last two have slight differences.

The "email" should only allow numbers and letters, and the following characters: "@", "-", ".", "_"

The "date" should validate by running IsDate: if True then allow, if False DON'T.

The "string" should validate text-based querystrings, allowing only letters, numbers, _, - and .

Whereas "text" is any free-form text form field type content.

The "integer" should only allow numbers and a period (.)

Usage Example: `<input type="text" value="<%=MakeSafe("test@test.com</HTML>1234.5",integer,50)%>">`

E.g.: `MakeSafe(dataInput,dataType,dataLength)`

```vbscript
<%
'// CODE BY: dB Masters
'// FOUND AT: http://successontheweb.blogspot.com/2008/03/input-validation-for-security-in.html

' Entity-encode the characters most often abused in injected markup or script.
' "&" is replaced first so the entities produced below are not re-encoded.
Function MakeSafeConvert(encodeData)
    encodeData = Replace(encodeData, "&", "&#38;")
    encodeData = Replace(encodeData, "'", "&#39;")
    encodeData = Replace(encodeData, """", "&quot;")
    encodeData = Replace(encodeData, ">", "&gt;")
    encodeData = Replace(encodeData, "<", "&lt;")
    encodeData = Replace(encodeData, ")", "&#41;")
    encodeData = Replace(encodeData, "(", "&#40;")
    encodeData = Replace(encodeData, "]", "&#93;")
    encodeData = Replace(encodeData, "[", "&#91;")
    encodeData = Replace(encodeData, "}", "&#125;")
    encodeData = Replace(encodeData, "{", "&#123;")
    encodeData = Replace(encodeData, "--", "&#45;&#45;")
    encodeData = Replace(encodeData, "=", "&#61;")
    MakeSafeConvert = encodeData
End Function

' Validate dataInput against the rules for dataType (a quoted string: "string",
' "email", "integer", "date" or "text"), then entity-encode it. Invalid input
' halts the response. Note: a dataType that matches none of the branches leaves
' validInput = "1", so that input is encoded but not validated.
Function MakeSafe(dataInput, dataType, dataLength)

    Dim regex, validInput, RegExpObj, RegExpChk
    regex = ""
    validInput = "1"

    If dataType = "string" And Len(dataInput) > 0 Then
        ' letters, digits, "_", "-" and "." only, at most dataLength characters
        regex = "^[\w\-\.]{1," & dataLength & "}$"
    ElseIf dataType = "email" And Len(dataInput) > 0 Then
        regex = "^[\w\-\.]+@([\w\-]+\.)+[\w\-]{2,6}$"
    ElseIf dataType = "integer" And Len(dataInput) > 0 Then
        ' digits only, at most dataLength of them
        regex = "^\d{1," & dataLength & "}$"
    ElseIf dataType = "date" And Len(dataInput) > 0 Then
        If Not IsDate(dataInput) Then
            validInput = "0"
        End If
    ElseIf dataType = "text" And Len(dataInput) > 0 Then
        If Len(dataInput) > dataLength Then
            validInput = "0"
        End If
    End If

    If Len(regex) > 0 And Len(dataInput) > 0 Then
        Set RegExpObj = New RegExp
        RegExpObj.Pattern = regex
        RegExpObj.IgnoreCase = True
        RegExpObj.Global = True
        RegExpChk = RegExpObj.Test(dataInput)
        If Not RegExpChk Then
            validInput = "0"
        End If
        Set RegExpObj = Nothing
    End If

    If validInput = "1" And Len(dataInput) > 0 Then
        MakeSafe = MakeSafeConvert(dataInput)
    ElseIf Len(dataInput) = 0 Then
        MakeSafe = ""
    Else
        Response.Write "<h2>Processing Halted.</h2>"
        Response.End
    End If

End Function
%>
```

EXAMPLE CODE AND ERROR(S):

When I test this using the code:

`<%=MakeSafe("test@test.com1234.5",email,50)%>`

I don't get an error message but it DOES NOT Validate anything.

**The OUTPUT IS:** test@test.com1/27/20121234.5

**SHOULD BE ONLY:** test@test.com

When I test this using the code:

`<%=MakeSafe("test@test.com1/27/20121234.5",date,50)%>`

I don't get an error message but it DOES NOT Validate anything.

**The OUTPUT IS:** test@test.com1/27/20121234.5

**SHOULD BE ONLY:** 1/27/2012

The other two give me this error message:

`<%=MakeSafe("test@test.com1234.5",string,50)%>`

ERROR!!! Wrong number of arguments or invalid property assignment: 'string'

`<%=MakeSafe("test@test.com1234.5",integer,50)%>`

ERROR!!! Syntax error

Thank you so much for any help that you provide...

compcobalt
  • There needs to be high-power regex available to do that kind of parsing. I read your tags, then stopped reading your problem past the second sentence. –  Aug 13 '12 at 03:10
  • You're going to have to be more specific when you say "I keep getting errors or it just does not filter correctly". What exactly doesn't work? Can you give examples of inputs that don't give the expected output (as well as what the expected output is)? – Cheran Shunmugavel Aug 13 '12 at 05:05
  • You are not going to make your users happy if you put in a too strict regex for email validation, read [this excellent answer](http://stackoverflow.com/a/201378/598599). Greetz, [me+stackoverflow@\[IPv6:2001:db8:1ff::a0b:dbd0\]](http://en.wikipedia.org/wiki/Email_address) – AutomatedChaos Aug 13 '12 at 16:01
  • @CheranShunmugavel The example is above, see: "Usage Example", but I will add a lot more examples. I think I'm doing something wrong. – compcobalt Aug 13 '12 at 17:48
  • @Steven yea, I know the more I read about it the more I want to kill myself. It's an old web program that has like over 1,000+ pages and none have any protection from sql injections, xss, or anything else. – compcobalt Aug 13 '12 at 19:21

1 Answer

If it's not a typo, then your fault is in the second parameter of the function call.

You call the function like:

`<%=MakeSafe("test@test.com1234.5",email,50)%>`

which is wrong because you should put the second parameter in "..." too. This should work:

`<%=MakeSafe("test@test.com1234.5","email",50)%>`

htbasaran
  • OMG! I'm an idiot! Thanks so much, I never thought that was the problem; so basic, but I would never have figured it out. I was 100% sure that something else was wrong/off. – compcobalt Aug 16 '12 at 13:58
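As an added example (not the question's code, the answer's, or dB Masters'), here is the same allow-list check and entity-encoding in Python, run against the inputs from the question, with one behavioural change a defender would want: an unrecognised dataType is rejected instead of passed through, which is exactly what happened when the type argument was an unquoted name. The `is_date` stand-in for VBScript's IsDate is an assumption that accepts only two date formats.

```python
import re
from datetime import datetime

# The question's regexes; "-" is escaped in the class so Python's re accepts it.
PATTERNS = {
    "string":  lambda n: re.compile(r"^[\w\-.]{1,%d}$" % n),
    "email":   lambda n: re.compile(r"^[\w\-.]+@([\w\-]+\.)+[\w\-]{2,6}$"),
    "integer": lambda n: re.compile(r"^\d{1,%d}$" % n),
}
# Stand-in for VBScript's IsDate (assumption: only these two formats count).
DATE_FORMATS = ("%m/%d/%Y", "%Y-%m-%d")
# Replacement table from MakeSafeConvert, same order: "&" first so entities aren't re-encoded.
ENCODE_TABLE = (
    ("&", "&#38;"), ("'", "&#39;"), ('"', "&quot;"), (">", "&gt;"), ("<", "&lt;"),
    (")", "&#41;"), ("(", "&#40;"), ("]", "&#93;"), ("[", "&#91;"),
    ("}", "&#125;"), ("{", "&#123;"), ("--", "&#45;&#45;"), ("=", "&#61;"),
)

def is_date(value):
    for fmt in DATE_FORMATS:
        try:
            datetime.strptime(value, fmt)
            return True
        except ValueError:
            continue
    return False

def make_safe_convert(text):
    for raw, encoded in ENCODE_TABLE:
        text = text.replace(raw, encoded)
    return text

def make_safe(data_input, data_type, data_length):
    """Allow-list check by data_type, then entity-encode; rejected input raises ValueError."""
    if data_input == "":
        return ""
    if data_type in PATTERNS:
        ok = PATTERNS[data_type](data_length).match(data_input) is not None
    elif data_type == "date":
        ok = is_date(data_input)
    elif data_type == "text":
        ok = len(data_input) <= data_length
    else:
        # Fail closed: the original left validInput = "1" for an unmatched type,
        # so MakeSafe("...", email, 50) with an unquoted type skipped validation.
        raise ValueError("unknown data type: %r" % (data_type,))
    if not ok:
        raise ValueError("input rejected for type %s" % data_type)
    return make_safe_convert(data_input)
```

With the quoted type names, every test input from the question ("test@test.com1234.5" as email, string or integer; "test@test.com1/27/20121234.5" as date) is rejected, and only a clean value such as "test@test.com" or "1/27/2012" comes back.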