Form Input Validation, best attack!

Lemonboi

I've been playing around with my forms, well the validation of entered input. I've been using regular expressions to allow certain characters, but the more and more I push the code to the limits, the more I find weaknesses.

My intent is to stop/prevent malicious code, that code which could lead to vulnerabilities in the access of my data specifically in the database.

The problem is the more I go on, the more I figure out that actually writing a regular expression to permit certain characters etc gets more and more complicated.

Is there a way to go at this from a different angle maybe? Whilst I find many regular expressions out on the net in tutorials, when I push those, I generally find the same vulnerabilities in them as well, they have their gaps. Is it possible to use defence but also an offence in a way, in stead of going out saying what not to have, looking for things /combinations in particular?

ixalmida

Seems to me like someone needs to make a regular expression generator and post it on the web as this is one of the more complicated bits of code to write.

NogDog

I find it hard to give a general answer, as it is very much a situational thing. On the one hand, "malicious code" is only an actual problem if you do something unsafe with it. For instance, as far as SQL injection attacks, they won't succeed if you use the applicable escaping or parameter binding mechanism for the DBMS in question (e.g. mysql_real_escape_string()). If you are concerned about JavaScript injection, it need not be an issue for any data which you filter through strip_tags() or htmlspecialchars() when echoing it into your [X]HTML output.

For other input validation/filtering needs, don't forget that there are methods other than regular expressions available to you, such as the [man]ctype[/man] and [man]filter[/man] extensions.

When none of the above built-in functions satisfies your needs, then consider the regular expression route. Use the [man]PCRE[/man] functions, and take note of the several escape sequences you can use for various classes of characters. You then need to decide in each instance if it is better to define a pattern defining what is allowed, or what is not allowed.