Cleaning a blacklisted character from a variable (Full Version)



hzarabet -> Cleaning a blacklisted character from a variable (10/27/2009 9:03:33)

Hi All:

It has been a long time since I have been here and hope all are well!

I have a function that blocks blacklisted characters when a Request passes through it. It will redirect the page if it catches one. But in 1 case the page must always completely process (payment processing page) so I want to cleanse the variable (in this case it is not malicious) before it hits the function so it doesn't trigger the redirect. Using Replace(Request.Form("Problem_Variable"),"VARCHAR","") gives me the following error:

Cannot use parentheses when calling a Sub

How do I alter the Request.Form so the altered Request is read by my function?

Thanks,

Howard




bobby -> RE: Cleaning a blacklisted character from a variable (10/27/2009 11:34:47)

I'm not sure why your code is not working... it looks right to me, but it's been a while.

You could try reading the form value into a variable, then using REPLACE... but that could allow malicious code into your string...




hzarabet -> RE: Cleaning a blacklisted character from a variable (10/27/2009 12:00:10)

I thought of doing as you said, but that would not stop the function from reading the original REPLACE.FORM.





ou812 -> RE: Cleaning a blacklisted character from a variable (10/27/2009 12:46:19)

I don't believe you can use a request.form function inside of the replace function. I would do as Bobby suggested:
<EDIT>And yes you can use a request.form inside! I was thinking from the error message that you couldn't</EDIT>

temp=request.form("problem_variable")
x = Replace(temp,"VARCHAR","")

Then check the variable x for whatever you're doing.




bobby -> RE: Cleaning a blacklisted character from a variable (10/27/2009 13:00:13)

... the VBScript should allow exactly what you are trying to do. I'm not sure why it is not working. When I googled around to see if I was wrong I saw several examples with parentheses shown as you have them.

Since it isn't working, I would drop it into a variable, then scrub the variable before passing on the result.




hzarabet -> RE: Cleaning a blacklisted character from a variable (10/27/2009 13:06:51)

OK, but where I am losing this is in the function itself. I can set the variable to "X" and then use REPLACE on that as you suggest, but the function is still going to process the original Request.Form("problem_variable"). I do not want the function to disregard these characters all the time, just in certain instances which is why I want to clean out the request before it hit the function.




ou812 -> RE: Cleaning a blacklisted character from a variable (10/27/2009 13:16:53)

Have you tried setting your function equal to something?

test = Replace(Request.Form("Problem_Variable"),"VARCHAR","")

I tried your code real quick and get the same error. But when I set it equal to something it works fine.

And, I'm still not quite certain what you're trying to do logically. Maybe post some of the surrounding code too?




bobby -> RE: Cleaning a blacklisted character from a variable (10/27/2009 13:17:55)

now I'm confused... but that isn't hard to do...

I would suggest only using the variable and replace method when you want to do it then... don't bother dropping it into a variable if you don't want to any other time.

If you can get it to work using a variable for the form data and scrubbing that... then use that sequence anywhere you want to scrub the characters from the form data... if you don't want to scrub it, don't.




hzarabet -> RE: Cleaning a blacklisted character from a variable (10/28/2009 15:39:51)

OK, you have blacklist array with a bunch of malicious words/characters. Then the function:

Function CheckStringForSQL(str)
    ' Note: the original had "On Error Resume Next" here. With it, any error inside
    ' the loop (for example BlackList never having been set) is swallowed and the
    ' function falls through to return False, i.e. it fails open, so it is left out.
    Dim lstr, s

    ' If the string is empty, return False (nothing to check)
    If ( IsEmpty(str) ) Then
        CheckStringForSQL = False
        Exit Function
    ElseIf ( StrComp(str, "") = 0 ) Then
        CheckStringForSQL = False
        Exit Function
    End If

    lstr = LCase(str)

    ' Check if the string contains any patterns in our
    ' black list (BlackList is a page-level array; its entries must be
    ' lower-case, since the input is lower-cased before the comparison)
    For Each s In BlackList
        If ( InStr(lstr, s) <> 0 ) Then
            CheckStringForSQL = True
            Exit Function
        End If
    Next

    CheckStringForSQL = False
End Function

________________________________________________

Then you have the part where you run through the REQUEST.FORM:

For Each s in Request.Form
    If ( CheckStringForSQL(Request.Form(s)) ) Then

        iRequest = Request.Form(s)

        Response.Redirect(ErrorPage)

    End If
Next



If I do as you say and set up a new variable, this will not prevent the above script from still reading the culprit REQUEST.FORM, or will it?
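One way to get what the thread asks for, as an added example and not code from any poster: the Request.Form collection is read-only, so the loop copies each value into a local variable, strips the token from the one exempt field only, and hands the copy to CheckStringForSQL, so the function never sees the original. The bare `Replace(...)` statement fails with "Cannot use parentheses when calling a Sub" because VBScript treats a parenthesised call whose result is not used as a Sub call; assigning the result, as ou812 did, avoids that. It assumes CheckStringForSQL, BlackList and ErrorPage exist as in the post above; the field name "Problem_Variable" and the token "VARCHAR" are the ones from the thread.

```vbscript
' Added example (not from the thread): scrub one field before the blacklist check.
' Assumes CheckStringForSQL, BlackList and ErrorPage are defined on the page.
Dim s, value
For Each s In Request.Form
    ' Request.Form cannot be altered, so work on a local copy of the value
    value = Request.Form(s)

    ' Only the one exempt field (on the payment page) has the token removed,
    ' case-insensitively, before it is checked; every other field is checked as-is
    If LCase(s) = "problem_variable" Then
        value = Replace(value, "VARCHAR", "", 1, -1, vbTextCompare)
    End If

    ' The function sees the cleansed copy, never the raw Request.Form value
    If CheckStringForSQL(value) Then
        Response.Redirect ErrorPage
    End If
Next
```

Stripping a token this way only keeps the check from firing; the value should still reach the database as a parameter of an ADODB.Command rather than being concatenated into the SQL string.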




