3

In my web site some hackers are entering bad words. Which is the best way to prevent this?

I am using ASP.NET, C# and SQL Server as resources.

  1. check bad words in form backend ?
  2. check bad words in javascript?
  3. check bad words in stored procedure before insert?

I think the first method is best.

Please tell me the optimized code for this check.

Now I am using this method

    var filterWords = ["fool", "dumb", "couch potato"];
    // Escape regex metacharacters in each word so a word like "a.b" is matched literally
    var escaped = filterWords.map(function (w) {
        return w.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
    });
    // Join with "|" so the pattern matches ANY of the words
    // (join("") built one string "fooldumbcouch potato" that matched nothing).
    // "i" is to ignore case and "g" for global
    var rgx = new RegExp(escaped.join("|"), "gi");

    function wordFilter(str) {
        return str.replace(rgx, "****");
    }

    // call the function
    document.write("Original String - ");
    document.writeln("You fool. Why are you so dumb  <br/>");
    document.write("Replaced String - ");
    document.writeln(wordFilter("You fool. Why are you so dumb"));
marc_s
  • by bad words you mean cursings? – whastupduck Mar 13 '13 at 04:50
  • 2
    The checking should be done on the front end, not on the backend. The work of the database is to store data. `:)` – John Woo Mar 13 '13 at 04:51
  • bad words means sexual –  Mar 13 '13 at 04:56
  • 1
    f.r.a.k. d0nk3ys. I won \o/ The only *real* way to prevent "bad words" (i.e. those in certain adult-oriented spam messages) is to regulate users and provider moderation .. and if it's guarding against spam, see http://stackoverflow.com/a/15320112/166390 (or existing anti-spam solutions) –  Mar 13 '13 at 04:56
  • 2
    Well, @JW. there's nothing wrong with validating input in the backend, it does no harm and is sometimes necessary, since Javascript can be disabled. And server-side coding is considered backend. –  Mar 13 '13 at 05:03
  • http://www.mirror.co.uk/news/weird-news/tyson-gay-becomes-tyson-homosexual-1229134 – ta.speot.is Mar 13 '13 at 05:10

3 Answers

2

You should check in the ASP.NET code, on the server side. JavaScript or any other client side check can be easily worked around. The code you posted works fine, except it is not particularly robust (a variety of simple misspellings will get around it).

John Colanduoni
1

Make sure to check for permutations such as

Secure --> $3(ur3

And I would replace the word with something like

[REMOVED] or [CENSORED]

Having words like s***t still can be viewed as offensive to customers/others.

Edit: Seeing HevyLight's thoughts on javascript usage here... you might try a string filter in your C# layer (assuming that is doing the heavy lifting already and database calls). Pass all string posts through the filter before writing to the database (and for others to see).

SnakeDoc
0

Reality is that you can’t prevent 100% of bad words. I’d go with a two-step verification on the server side (JS can be disabled and SQL is not really suitable for handling this)

  1. Create a list of most common bad words that are used the most – this will probably catch like 80% of all inputs.

  2. Create a list of patterns for suspects that will signal you to manually verify these.

    This could be patterns such as

    • a) Word contains two or more ** characters
    • b) Word contains letters and one of the following characters 0,3,$, and others

In time you’ll just have to keep both lists updated. Again, this will not solve 100% of cases but it will probably catch and fix like 95% if implemented properly.

Kenneth Hampton
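A server-side C# filter in the spirit of the last two answers: undo digit/symbol substitutions such as `$3(ur3` before matching, replace hits with `[CENSORED]`, and flag posts showing the suspect patterns for manual review. This is an added example, not code from any of the answers; the word list, the substitution map and the suspect patterns are constructed for the demonstration and would be maintained in your own tables.

```csharp
using System.Collections.Generic;
using System.Linq;
using System.Text.RegularExpressions;

// Hypothetical filter for the ASP.NET layer: call Check() on every post
// before it is written to the database or shown to other users.
public static class ProfanityFilter
{
    // Constructed demo list; a real list lives in a table you keep updated.
    static readonly string[] BlockedWords = { "fool", "dumb", "couch potato", "secure" };

    // Undo common digit/symbol stand-ins ($3(ur3 -> secure) before matching.
    static readonly Dictionary<char, char> LeetMap = new Dictionary<char, char>
    {
        { '0', 'o' }, { '1', 'i' }, { '3', 'e' }, { '4', 'a' }, { '5', 's' },
        { '7', 't' }, { '$', 's' }, { '@', 'a' }, { '(', 'c' }, { '!', 'i' }
    };

    // One alternation of escaped words on word boundaries, built once.
    static readonly Regex BlockedRegex = new Regex(
        @"\b(" + string.Join("|", BlockedWords.Select(Regex.Escape)) + @")\b",
        RegexOptions.IgnoreCase | RegexOptions.Compiled);

    // Suspect patterns from the answer: a run of "*" characters, or a token
    // that mixes letters with digits/symbols commonly used as letter stand-ins.
    static readonly Regex SuspectRegex = new Regex(
        @"\*{2,}|(?=\S*[A-Za-z])(?=\S*[03$@(!])\S{3,}");

    // Map leet characters back and drop separators inside a word (f.o.o.l -> fool).
    public static string Normalize(string token)
    {
        var mapped = new string(token.Select(c => LeetMap.TryGetValue(c, out var r) ? r : c).ToArray());
        return Regex.Replace(mapped, @"(?<=\w)[.\-_](?=\w)", "");
    }

    // Returns the cleaned text and whether the post should go to a moderation queue.
    public static (string Text, bool NeedsReview) Check(string input)
    {
        // Pass 1: plain words and multi-word phrases in the original text.
        string text = BlockedRegex.Replace(input, "[CENSORED]");
        // Pass 2: per token, compare the normalised spelling against the list.
        text = Regex.Replace(text, @"\S+",
            m => BlockedRegex.IsMatch(Normalize(m.Value)) ? "[CENSORED]" : m.Value);
        // Pass 3: anything still looking obfuscated is flagged for a human to check.
        return (text, SuspectRegex.IsMatch(input));
    }
}
```

Pass 2 replaces the whole token, so trailing punctuation on a censored word is dropped; keep the original text alongside the flag so moderators see what was actually submitted.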