3

We need to restrict user input in a classic ASP web site to the characters allowed by the 00280 code page of IBM System i.

Is there a way to do it in a sane way besides having a (JavaScript|VBScript) function checking every character of an input string against a string of allowed characters?

A basic classic ASP function I thought of:

Function CheckInput(text, replacement)
    ' Replaces every character of text that is not in the allowed list with
    ' replacement and returns the result. InStr uses a binary (case-sensitive)
    ' compare by default, so both cases of a letter must be listed in haystack.
    Dim output : output = ""
    Dim haystack : haystack = "abcd.. " ' Insert here the allowed characters.
    Dim i, needle
    If IsNull(text) Then text = "" ' Len(Null) is Null and would break the For loop
    For i = 1 To Len(text)
        needle = Mid(text, i, 1)
        If InStr(haystack, needle) = 0 Then
            needle = replacement
        End If
        output = output & needle
    Next
    CheckInput = output
End Function

Would a RegExp be overkill in my function?

Albireo
  • What is the reason causing you need to restrict the characters? – WarrenT Feb 27 '12 at 22:14
  • @WarrenT: We need to pass the data to an AS400 system, and if a user enters a character not in that code page, the process blows up. We can remove the invalid characters before passing the data, but that would be an awful solution, as the user is unaware of the changes being made. – Albireo Feb 28 '12 at 09:58

2 Answers

1

The short answer to your first question is: No. To your second question: RegEx might not help you here, because not all RegEx implementations in browsers will support the characters you need to test, and neither does the VBScript version of RegEx.

Even using the code approach you are proposing would need some very careful thought. In order to be able to place the set of characters you want to support in a string literal, the codepage that you save the ASP file in would need to be one that covers all the characters needed, or alternatively you would need to use AscW to help you build a string containing those characters.

One slightly simpler approach would be to use Javascript and have the page charset and codepage set to UTF-8. This would allow you to create a string literal containing any set of characters.

AnthonyWJones
  • Please tell me you're not suggesting he rely solely on _browser_ validation. – Clockwork-Muse Feb 27 '12 at 16:47
  • I kinda knew it, too bad. Regarding the code page of the page, we're already using UTF-8 so we're covered. – Albireo Feb 27 '12 at 20:04
  • @X-Zero: I'm offering the choices, at the end of the day its up to the developer to decide whether additional belts and braces server-side validation is a requirement. Tell me is server-side validation an absolute requirement of all apps regardless of their purpose, deployment and/or the available development resource? – AnthonyWJones Feb 28 '12 at 08:40
  • @AnthonyWJones - Under some heavily controlled deployment environments (say, thin clients) perhaps not. However, the OP listed this as being part of a (assumed public-facing) website - input in that situation should **NEVER** be trusted. Without an explicit reasoning for the restriction, it would be better to err on the side of caution, and have the server verify valid input. – Clockwork-Muse Feb 28 '12 at 16:35
  • @X-Zero: In principle I agree, but "better" is yet another value judgement which is the developer's call. The development of this server-side code is not without cost. – AnthonyWJones Feb 28 '12 at 22:20
  • It's always a balance between costs and benefit: if omitting server validation can at worst cause minor nuisances, and implementing it would cost tons of resources, it can be omitted. However, since we have to accept user input from untrusted users and invalid input will break our shipping processes, we'll have to implement double validation... – Albireo Feb 29 '12 at 11:12
0

Since it is generally not considered secure to rely on browser validation, you should consider changing your IBM i (formerly OS/400) application interface to accept UCS-2 data, and perform any necessary validation and conversion at the server side.

WarrenT
  • That's not a viable solution; it would have a huge impact on our system. Moreover, we had a hard time simply getting the information about the code page in use from the EDP department; having them change the code page everywhere is not realistic. – Albireo Feb 29 '12 at 10:47
  • If it's not realistic, then the app shouldn't be made available for public access. First, there's no reason it should cause the process to "blow up". The process should simply note the invalid data and either reject the transaction or log it for review. If it doesn't work that way, new developers are needed or current developers need training. Second, you can't force a character set on systems you don't control. There is no way to be sure that a remote system can even use the same character set. – user2338816 Apr 05 '14 at 13:14
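The server-side check that the answers and comments converge on, keeping the question's whitelist idea and the first answer's suggestion of building the allowed set from code points rather than a string literal, as an added example that is not code from the question or either answer: ES3-style JavaScript, so the same function runs unchanged as classic ASP server-side JScript or in the browser. The allowed ranges and accented letters are an illustrative assumption, not the real CCSID 280 repertoire, which has to come from the IBM i side; `checkInput` and `describeInvalid` are names chosen here.

```javascript
// Added example, not code from the question or either answer. ES3-style
// JavaScript so it runs unchanged as classic ASP server-side JScript
// (<%@ Language=JScript %>) or in the browser; the server-side run is the one
// that matters. ALLOWED below is an ASSUMED illustrative subset, not the real
// CCSID 280 repertoire: take that list from the IBM i side.

// Inclusive [low, high] code-point ranges (assumed): printable ASCII only.
var ALLOWED_RANGES = [[0x20, 0x7E]];
// Assumed Italian accented letters as code points (the AscW/ChrW idea from the
// first answer), so the encoding the .asp file is saved in is irrelevant.
var ALLOWED_SINGLES = [0xE0, 0xE8, 0xE9, 0xEC, 0xF2, 0xF9,
                       0xC0, 0xC8, 0xC9, 0xCC, 0xD2, 0xD9];

function buildAllowed(ranges, singles) {
  var table = {}, i, c;
  for (i = 0; i < ranges.length; i++) {
    for (c = ranges[i][0]; c <= ranges[i][1]; c++) { table[c] = true; }
  }
  for (i = 0; i < singles.length; i++) { table[singles[i]] = true; }
  return table;
}
var ALLOWED = buildAllowed(ALLOWED_RANGES, ALLOWED_SINGLES);

// Returns { ok: bool, invalid: [{ pos: 1-based index, ch: the character }] }.
// Nothing is stripped: the caller rejects the request and can tell the user
// exactly which characters were refused, instead of silently altering data.
function checkInput(text) {
  text = (text == null) ? '' : String(text); // Request.Form items are objects in ASP JScript
  var invalid = [], i = 0;
  while (i < text.length) {
    var code = text.charCodeAt(i), ch = text.charAt(i), width = 1;
    // A character outside the BMP (e.g. an emoji) arrives as a UTF-16 surrogate
    // pair; neither half is in the table, so report the pair once, as one character.
    if (code >= 0xD800 && code <= 0xDBFF && i + 1 < text.length) {
      var low = text.charCodeAt(i + 1);
      if (low >= 0xDC00 && low <= 0xDFFF) { ch = text.substr(i, 2); width = 2; }
    }
    if (width === 2 || !ALLOWED[code]) { invalid.push({ pos: i + 1, ch: ch }); }
    i += width;
  }
  return { ok: invalid.length === 0, invalid: invalid };
}

// Message for the user (or the log) describing why a submission was refused.
function describeInvalid(result) {
  var parts = [];
  for (var k = 0; k < result.invalid.length; k++) {
    parts.push('"' + result.invalid[k].ch + '" at position ' + result.invalid[k].pos);
  }
  return result.ok ? '' : 'Characters not accepted: ' + parts.join(', ');
}
```

Control characters such as tab and newline fall outside the assumed ranges and are reported too, so widen the table deliberately if a textarea must accept line breaks.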