0

When a user inputs a string that only contains one parenthesis, `Regex.IsMatch()` breaks. Inputting a single `[` also breaks the program.

```csharp
Regex.IsMatch("John Cena", "Test(", RegexOptions.IgnoreCase)
```

In this case `John Cena` is the name from my database. The user then inputs `Test(` in the search input, but the server will return a 500 error, because `Regex.IsMatch()` breaks because of the input.

How do I escape all of these, so I can actually test one input to the one I have in my database? I simply want to test if the user's input matches the entry from the database. And yes, the name from the database can contain a parenthesis, so it would be nice if John Cena( would match the user's input, if he types John Cena(.

Cœur
MortenMoulder
  • If you need to search for a string such as "John Cena" (and deal with user input), maybe a Regex is not the right tool. `int index = input.IndexOf("John Cena", StringComparison.CurrentCultureIgnoreCase)` will work in such a scenario – Gian Paolo Aug 31 '16 at 09:19
  • Allowing user-created regular expressions in your back-end can be a vector for a denial of service attack: https://www.owasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDoS – Martin Liversage Aug 31 '16 at 09:21
  • @MartinLiversage So IndexOf would be preferred, even though I now escape the input? – MortenMoulder Aug 31 '16 at 09:22
  • @Snorlax: If you escape the input then there is no possibility of a denial of service attack but I'm not sure that regex is the right tool then. In your case the regex will be a simple substring search. – Martin Liversage Aug 31 '16 at 09:23
  • @MartinLiversage Yeah that's true. – MortenMoulder Aug 31 '16 at 09:35

3 Answers

6

Regex.Escape turns all regex control characters in a string to their escape codes:

```csharp
Regex.IsMatch("John Cena", Regex.Escape(userinput), RegexOptions.IgnoreCase)
```

But why use regex at all? Simple string functions will do the same in this case:

```csharp
"John Cena".IndexOf(userinput, StringComparison.CurrentCultureIgnoreCase) != -1
```
IS4
  • Hell yeah, this is what I needed. I didn't know `Regex.Escape()` would just escape them for me. Works perfectly! Thanks. – MortenMoulder Aug 31 '16 at 09:20
3

( is a reserved char, escape it with \

Mauro Sampietro
0

If you want to test your name with a Regex you cannot escape these characters. The only way is to catch the ArgumentException and handle it properly:

```csharp
bool result; // 'var' cannot be used without an initializer
try
{
    result = Regex.IsMatch("John Cena", "Test(", RegexOptions.IgnoreCase);
}
catch (ArgumentException)
{
    // invalid regex -> use false or true as a constant value
    result = false; // matches nothing
}
```

Or if you don't want to compare the name with a regex, you can escape it:

```csharp
Regex.IsMatch("John Cena", Regex.Escape("Test("), RegexOptions.IgnoreCase)
```

Regex.Escape adds a \ before all characters which must be escaped.
But in this case the Regex is useless and you can use the faster string method:

```csharp
"John Cena".IndexOf("Test(", StringComparison.CurrentCultureIgnoreCase) >= 0
```
Koopakiller
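An added example, not code from any of the posts above: it puts the three approaches from the answers side by side (literal `IndexOf`, `Regex.Escape`, and catching `ArgumentException`) and, for the case where users really are meant to supply patterns, adds a match timeout to bound the ReDoS risk raised in the comments. The class name, method names, 100 ms limit and sample inputs are assumptions made for illustration.

```csharp
using System;
using System.Text.RegularExpressions;

static class NameSearch
{
    // Literal substring test: no pattern is parsed, so "(" or "[" cannot throw.
    public static bool ContainsLiteral(string name, string userInput) =>
        name.IndexOf(userInput, StringComparison.CurrentCultureIgnoreCase) >= 0;

    // Same test through Regex: Regex.Escape neutralises every metacharacter first.
    public static bool ContainsEscaped(string name, string userInput) =>
        Regex.IsMatch(name, Regex.Escape(userInput), RegexOptions.IgnoreCase);

    // Only for the case where users are meant to supply real patterns:
    // reject invalid patterns and bound the matching time (ReDoS mitigation).
    // Returns null when the pattern is rejected.
    public static bool? MatchesUserPattern(string name, string pattern)
    {
        try
        {
            return Regex.IsMatch(name, pattern, RegexOptions.IgnoreCase,
                                 TimeSpan.FromMilliseconds(100));
        }
        catch (ArgumentException) { return null; }          // invalid pattern, e.g. "Test("
        catch (RegexMatchTimeoutException) { return null; } // matching took too long
    }

    static void Main()
    {
        // Constructed sample data: database names and search inputs.
        string[] names = { "John Cena", "John Cena(" };
        string[] inputs = { "Test(", "john cena(", "[", "cena" };

        foreach (string name in names)
        {
            foreach (string input in inputs)
            {
                bool? asPattern = MatchesUserPattern(name, input);
                string patternResult = asPattern.HasValue ? asPattern.Value.ToString() : "rejected";
                Console.WriteLine("{0,-11} {1,-11} literal={2,-5} escaped={3,-5} pattern={4}",
                    name, input, ContainsLiteral(name, input),
                    ContainsEscaped(name, input), patternResult);
            }
        }
    }
}
```

For `John Cena(` against the input `john cena(`, the literal and escaped checks both report a match, while the raw-pattern path reports `rejected` instead of surfacing as a 500 error.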