3

I have a textbox that I am using the blur event to validate the text with a regular expression. If it fails I want the textbox to keep the focus. I know in regular javascript you can say return functionName(); in the onblur event within the actual html control. Is there a way to do something similar when binding the blur event within the $(document).ready() function. Or simply set the focus on "this". Thank you for the help.

$(document).ready(function() {
    $('input:text.sqlValidation').blur(function() {
        var sqlInjectionRegX2 = /...Regex.../;   // the asker's pattern, elided in the post
        var value = this.value;
        if (sqlInjectionRegX2.test(value)) {
            alert('The text you have entered may contain malicious code and can not be submitted.');
            this.value = '';
            return false;   // meant to keep focus, like "return fn();" in an inline onblur
        }
        else return true;
    });
});
SLaks

5 Answers

6

Using regular expressions in Javascript to prevent SQL injection is the mother of all (or at least most) evil. DO NOT DO THIS!!! Instead, use parameters in your server side code. If you don't know how, ask us. If you try to prevent SQL Injection the way you're doing it, it will not work and you are liable to lose data, or worse. All your enemy needs to do is disable Javascript (or craft his own HTTP request) and your filter will be useless. In addition, I don't think it's possible to fully block SQL injection with a single regex.


To answer the question, try writing return false or event.preventDefault() in the handler. However, it won't work perfectly; it is not possible to fully control focus like this in Javascript.

SLaks
    I agree, but you could do both client- and server-side prevention -- though I'm not sure why you'd want to improve the user experience for someone trying to do a SQL injection. – tvanfosson Oct 13 '09 at 13:47
  • I am actually using the regular expression to check for sql injection. But the expression I have created checks for the actual sql statement, i.e. "a'; Select * From Users;" or "a'; Drop Table Users;" So far my testing has shown that it works correctly. But for a developer to find fault in his own code is like a parent saying they have an ugly baby. :) So I'll include my expression if anyone would like to try it and let me know if they find. Thanks for your help. –  Oct 13 '09 at 13:49
  • @tvanfosson: Doing this on the server is equally evil. No regex can perfectly block SQL injection, and there are legitimate reasons to do SQL injection (eg, someone named `Harry O'Neill`) – SLaks Oct 13 '09 at 13:51
  • And I am actually doing both client and server side validation. And unfortunately the expression is too long to post here. So I'll add a new "question" asking if anyone would like to test the expression and let me know of the results. –  Oct 13 '09 at 13:51
  • @Josh H: Any possible regex cannot completely block SQL injection. – SLaks Oct 13 '09 at 13:52
  • This is for an internal app for the company I work for. The users are not computer science inclined, so I don't think we'll have that much trouble. But there have been a couple users that have attempted a sql injection, with no success. That is why I have been asked to come up with a solution to the problem. I've included a link to the question asking for comments on my expression. http://stackoverflow.com/questions/1560471/would-anyone-like-to-test-myregular-expression-to-check-for-sql-injection-and-scr Thanks for your help. –  Oct 13 '09 at 14:12
  • 1
    @Josh H. How can you have users that are "not computer science inclined" that are also attempting SQL injection attacks? That seems pretty computer science inclined to me :P – Jiaaro Aug 11 '10 at 21:37
3

You could prevent the default behavior and stop the event propagation then do this.focus() in the handler. http://docs.jquery.com/Events/jQuery.Event . Any event manipulation should be done before any event handling code.

illvm
  • illvm, thanks for the link. Calling the event method stopPropagation() worked perfectly for the desired functionality. Now to decide if regex is appropriate for this type of validation. Thanks again. –  Oct 13 '09 at 14:18
2

I had to deal with something similar - a javascript blur handler that was triggering itself in a kind of infinite loop.

Solution was:

var inBlur = false;   // re-entrancy guard
jQuery('#the_input_element').blur(function(){
    if (!inBlur) {
        inBlur = true;
        jQuery('#some_other_input_element').focus();   // this focus() can trigger another blur
        inBlur = false;
    }
});

I know this doesn't answer the exact question asked, but it addresses the topic (Stopping the jQuery blur event within the blur function) so it might be useful for someone.

Silas Palmer
1

Isn't it just to set

$(this).focus();

inside of your blur function somewhere?

EmKay
  • I have tried "$(this).focus();" with no success. I am using FF3, do you know if that works in FF3? –  Oct 13 '09 at 13:40
  • I just tried it in IE and it works perfectly. So apparently it's a FF3 issue. Does anyone know a work around? I think I have read something about setting a timeout. –  Oct 13 '09 at 13:43
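Pulling the threads together, here is an added example that is not code from the question or from any of the answers. It combines the pieces discussed above: `return false` / `preventDefault()` from SLaks's answer, the `this.focus()` re-focus from illvm's answer, the re-entrancy guard from Silas Palmer's answer, and the deferred (`setTimeout`) focus that the FF3 comments hint at. It assumes a plain DOM `blur` event rather than jQuery (jQuery wiring is shown in a comment), assumes the field holds a person's name, and uses an illustrative allow-list pattern for that format instead of a blocklist of SQL keywords, so a legitimate value such as `Harry O'Neill` is accepted; the database itself is protected by parameterized queries on the server, not by this check. The `schedule` parameter is a hypothetical injection point so the handler can be exercised without a browser.

```javascript
// Added example, not from the question or any answer on the page.
// Assumptions: plain DOM blur events; the field is a person-name field;
// `schedule` is an injectable deferral mechanism (defaults to setTimeout).

// Module-level re-entrancy guard shared by every handler built below, so a
// deferred focus() that blurs a neighbouring validated field cannot start a
// blur -> focus -> blur loop (the problem described in Silas Palmer's answer).
let refocusing = false;

// Allow-list for the field's legitimate format: letters, spaces, apostrophes
// and hyphens, up to 80 characters. "Harry O'Neill" must pass. This is input
// validation for usability; it is not what protects the database.
const NAME_PATTERN = /^[A-Za-z][A-Za-z '\-]{0,79}$/;

function isValidName(value) {
  return NAME_PATTERN.test(String(value).trim());
}

// Build a blur handler that keeps focus on the field while its value is
// invalid. focus() is deferred because calling it synchronously inside a
// blur handler is unreliable (the FF3 behaviour reported in the comments).
function makeBlurValidator(validate, schedule = (fn) => setTimeout(fn, 0)) {
  return function onBlur(event) {
    const el = event.target;
    if (validate(el.value)) {
      return true;                       // valid: let the blur proceed normally
    }
    if (refocusing) {
      return false;                      // this blur was caused by our own pending focus()
    }
    refocusing = true;
    if (typeof event.preventDefault === 'function') {
      event.preventDefault();            // on its own this does not keep focus; see SLaks's answer
    }
    schedule(() => {
      try {
        el.focus();                      // deferred re-focus of the invalid field
      } finally {
        refocusing = false;              // release the guard even if focus() throws
      }
    });
    return false;
  };
}

// Browser wiring (not executed here):
//   document.querySelector('input.nameField')
//           .addEventListener('blur', makeBlurValidator(isValidName));
// or with jQuery:
//   $('input:text.nameField').on('blur', makeBlurValidator(isValidName));
```

With a real `setTimeout`, the re-focus runs on the next tick, after the browser has finished moving focus to the next control, which is what makes it stick where a synchronous `$(this).focus()` inside the handler did not. Because the guard is shared, two adjacent fields that both use this validator cannot bounce focus between each other indefinitely.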
0

I think that the best way for you to prevent SQL Injection without rewriting the legacy code to use parameters (this question, which is now closed) would be to double up all quotes and backslashes (replace ' with '' and \ with \\).

Note that I'm not an expert in SQL syntax, so I cannot guarantee that this would be impenetrable.

SLaks