I am rather new to JavaScript and trying to teach myself JavaScript form validation.

Would it be possible to get a quick run through of different variables and how to prevent SQL injection?

I am currently using the variable to test if my passwords match some level of security. Would it be possible to see an example variable that requires a user to enter at least one number and at least one upper-case letter mixed in with their other lower-case letters?

var passw= /^[a-zA-Z]*.{8,15}$/;

Much obliged and thanks very much

Daniel
    *"how to prevent SQL injection"* You have to do that on the server side, not client side. Or are you running SQL queries on the client? – Felix Kling Aug 03 '13 at 14:15
  • By using a single REGEX, you are limiting the ability to pass on to the user what rules they have violated. SIMILAR: http://stackoverflow.com/questions/7844359/password-regex-with-min-6-chars-at-least-one-letter-and-one-number-and-may-cont – DevlshOne Aug 03 '13 at 14:16
  • possible duplicate of [Regular Expression for password validation](http://stackoverflow.com/questions/2370015/regular-expression-for-password-validation) – Felix Kling Aug 03 '13 at 14:17
  • You mentioned SQL injection, but you're not storing the user's password as-is are you? – nnnnnn Aug 03 '13 at 14:27
  • @nnnnnn heck no. When posting to the database the password undergoes an md5 hash with four levels of salt. I was told this was a decent level of security. Should I be doing more? – Daniel Aug 03 '13 at 14:36
  • My concern was that you may have been asking about SQL injection specifically in the password field, which would've implied you were passing the entered value directly through rather than hashing it. – nnnnnn Aug 03 '13 at 14:42
  • P.S. Your sample regex restricts the password to 16 characters - I'd suggest allowing users to enter something somewhat longer if they wish. – nnnnnn Aug 03 '13 at 14:50
  • Nope nope! I definitely have the form posting straight into a hashed query. How many levels of salting and hashing would you recommend? Is md5 still an acceptable standard or should I look to use sha1/sha5(?). – Daniel Aug 03 '13 at 15:29
  • And as for password length; I've set max as 20 char long :) – Daniel Aug 03 '13 at 15:30
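Added example, not part of the question or its comments: the question's regex beside a lookahead version that actually enforces a digit and an upper-case letter, and the per-rule approach DevlshOne's comment recommends so the form can tell the user which rule failed. The 8..64 length bounds, the rule messages and the `attachToForm` helper are my own choices (the question used 8..15; nnnnnn's comment argued for allowing longer).

```javascript
// Added example: client-side password policy check. Limits below are assumptions.
const MIN_LEN = 8;
const MAX_LEN = 64;

// The regex from the question. [a-zA-Z]* may match nothing and . matches any
// character, so this only enforces a length of 8..15 and never requires a
// digit or an upper-case letter: "abcdefgh" passes it.
const questionRegex = /^[a-zA-Z]*.{8,15}$/;

// Single-regex version. Each (?=...) lookahead scans the whole string for one
// requirement without consuming input; .{8,64} then enforces the length.
const lookaheadRegex = /^(?=.*\d)(?=.*[A-Z])(?=.*[a-z]).{8,64}$/;

// One rule per requirement, so a failure can be reported by name.
const rules = [
  { id: 'length', message: `between ${MIN_LEN} and ${MAX_LEN} characters`,
    test: p => p.length >= MIN_LEN && p.length <= MAX_LEN },
  { id: 'lower', message: 'at least one lower-case letter', test: p => /[a-z]/.test(p) },
  { id: 'upper', message: 'at least one upper-case letter', test: p => /[A-Z]/.test(p) },
  { id: 'digit', message: 'at least one number', test: p => /\d/.test(p) },
];

// Returns { ok, failed } where failed lists the message of every violated rule.
function checkPassword(password) {
  const failed = rules.filter(r => !r.test(password)).map(r => r.message);
  return { ok: failed.length === 0, failed };
}

// Browser-only wiring (hypothetical helper): block submission and show the
// list of unmet rules. The server must repeat the check regardless.
function attachToForm(form, passwordField, output) {
  form.addEventListener('submit', event => {
    const result = checkPassword(passwordField.value);
    if (!result.ok) {
      event.preventDefault();
      output.textContent = 'Password needs: ' + result.failed.join('; ');
    }
  });
}
```

`checkPassword('abc')` reports three unmet rules (length, upper-case, digit); `lookaheadRegex` gives only a yes/no answer, which is the trade-off DevlshOne's comment points at.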

1 Answer


If you're trying to prevent SQL injection, then you need to do it server-side. Doing it client-side is pointless, because it is fairly trivial for some evil-doer to intercept the requests and change the values, bypassing your client-side validation.

With that said, if you're using node.js or some other javascript based server-side engine, then you can do your validation there. There is a very thorough answer on how to do this server-side in node.js here.

TylerLubeck
  • I think I love you. I've been coding everything base up myself and am very tempted to use Ajax form validation or php posting validation. What benefits are there of either? Is Ajax form validation more prevalent to injection due to the active form submission? – Daniel Aug 03 '13 at 14:31
  • They're very similar. In fact, you can use Ajax to post to a php page on your server. Either type of form submission is just as prone to injection because it will be firing off a request to a url. They both do it mostly in the background. If you use a packet sniffer (I like [Burpsuite](http://portswigger.net/burp/)) you can see these requests as they send. Because the difference is minimal so far as injection, I personally find using the built in form submission to be much easier. Remember to redirect to another page if you're using a POST request to prevent double submissions. – TylerLubeck Aug 04 '13 at 01:00