Javascript RegEx

Hi guys,

I am writing some code that checks if a form contains any DDL keywords such as CREATE, ALTER, DROP etc. However, being new to JS it's a bit tricky.

Code:
if(queryOne.value.match("create|alter|drop"))
	alert("Cannot use DDL in query mode");
	return false;

Unfortunately that doesn't work. What's the syntax for regular expressions in JS and how would I be able to go about finding those keyword patterns?
 
Code:
if ( /(create|alter|drop)/.test(someString) ) {
    alert("ARGH");
    return false;
}

JS has integrated regex, you should use them tbh
 
you can either do as robmiller says, and use the integrated method or you can also create a regex object "the old fashioned way" should you be so inclined:
Code:
var regex = new RegExp('create|drop|delete', 'i'); // no slashes inside the string; flags go in the second argument
if (string.match(regex))
{
    alert("blah");
}
but don't forget JavaScript != secure. It can be switched off, so you need to perform the same validation (or preferably stronger validation) at the server end.
 
pinkaardvark said:
you trying to block sql injection attacks?

Sort of. I want to prevent users selecting a 'query' mode SQL statement and using an alter statement - such as an SQL injection.

I am programming a Servlet using the SQL package and the statement class. Unfortunately I have to use a method for each type of query (one for DDL - executeUpdate() and the other called executeQuery()).

DJJ - Don't worry - it's been protected :) Just want some JS to make it more user-friendly.
 
If I use this:

Code:
if(queryOne.value="Query" && queryOne.value.match('/create|alter|drop/'))
		alert("Cannot use DDL in query mode");
		return false;

The form turns empty when I press Submit and there's no alert. Any idea?
 
does your function look like this?

Code:
function whatever() {
    if(queryOne.value="Query" && queryOne.value.match('/create|alter|drop/')) {
        alert("Cannot use DDL in query mode");
        return false;
    }
    return true;
}

and you're calling it from your form something like this

Code:
<form action="blah.php" method="post" id="f" name="f" onsubmit="return whatever();">

?? :)
 
ah well, i saw the missing curly braces in your post and i thought you might have missed the blindingly obvious.... :o

but also, you only have one = in your if statement. you need 2... :p
 
Code:
function regexcheck(value)
{
    var regex = new RegExp('(create|update|delete)+', 'i'); // pattern string without slashes; 'i' makes it case-insensitive

    if (value.match(regex)) return false;

    return true;
}
or:
Code:
function regexcheck(value)
{
    return value.match(/(create|update|delete)+/i);
}
though I can't remember if the /i will work.
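An added example (mine, not code from the thread) that puts the constructor and literal forms side by side and shows why the '/.../' string version never matches SQL text; `containsDdl`, `validateQuery` and the sample statements are constructed for illustration.

```javascript
// Added example, not code from the thread. Shows why the RegExp constructor
// form with '/.../' never matches SQL text, the two correct spellings of the
// same pattern, and a validate() that compares with === instead of assigning.
// Client-side checks are a usability hint only; the servlet must enforce.

// As posted in the thread: inside a string the slashes are literal characters,
// so this pattern only matches input that itself contains "/create/".
const brokenRegex = new RegExp('/(create|update|delete)+/');

// Constructor form done right: no delimiters, flags as the second argument,
// backslashes doubled because the pattern is a JS string literal.
const ctorRegex = new RegExp('\\b(create|alter|drop)\\b', 'i');

// Literal form: slashes are syntax here, flags follow the closing slash.
// \b keeps "created_at" and "drops" from tripping the DDL check.
const literalRegex = /\b(create|alter|drop)\b/i;

function containsDdl(sql, re) {
  // test() returns a boolean; match() returns an array or null.
  return re.test(sql);
}

// Mirrors the form's validate(): queryType is the <select>, sql the textarea.
function validateQuery(queryType, sql) {
  if (queryType === '') return { ok: false, message: 'Query type not defined' };
  if (sql.trim() === '') return { ok: false, message: 'SQL statement is empty' };
  // A single = here (queryType = 'Query') would assign and always be truthy.
  if (queryType === 'Query' && containsDdl(sql, literalRegex)) {
    return { ok: false, message: 'Cannot use DDL in query mode' };
  }
  return { ok: true, message: '' };
}

// Constructed sample inputs for illustration.
const samples = {
  ddl: 'CREATE TABLE tickets (id INT)',
  lookalike: 'SELECT created_at FROM drops',
  slashes: 'select 1 -- /create/',
};

console.log(containsDdl(samples.ddl, brokenRegex));        // false: the posted form
console.log(containsDdl(samples.slashes, brokenRegex));    // true: only literal slashes match
console.log(containsDdl(samples.ddl, ctorRegex));          // true
console.log(containsDdl(samples.lookalike, literalRegex)); // false
console.log(validateQuery('Query', samples.ddl).message);  // Cannot use DDL in query mode
```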
 
Still doesn't like it.

Code:
		var regex = new RegExp('/(create|update|delete)+/');
   			if (queryOne.value.match(regex)) 
			{
				alert("MEH");
				return false;			
			}
 
QueryOne is the SQL input textbox.

Ignore the mess of the code:

Code:
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>Administration Control Panel</title>
<link rel="stylesheet" type="text/css" href="admin_logged.css" />
</head>
<SCRIPT LANGUAGE="JavaScript">
<!--
	function validate(form)
	{
		with (document.control){
		
			if(sqlQueryType.value=="") {
				alert("Query type not defined"); /* ensure SQLType is defined */
				return false;
			}
			
			if(queryOne.value =="") {
				alert("SQL statement is empty"); /* ensure SQL statement is not empty */
				return false;	
		  	}
			
			var regex = new RegExp('/(create|update|delete)+/');
   			if (queryOne.value.match(regex)) 
			{
				alert("MEH");
				return false;			
			}
		}
	} 
//-->
</SCRIPT>

<body>

<div id="wrapper"><!--open wrapper -->

<div id="header"><!-- open header -->

		 <img src="/kuj/images/olympic_home.GIF" height="77" width="143"/> 
		 <img src="/kuj/images/olympic_head.gif "/> 
		<!--<img src="/kuj/images/olympics2012logo.gif"/> -->
<div id="header-bottom"><!-- open header-bottom -->
	<ul>
		<a class="one" href="http://localhost:8080/kuj/Home">Home</a> |
		<a class="one" href="javascript:history.go(-1)">Go Back</a> |
		<a class="one" href="">Contact Us </a>| 
		<a class="one" href="">About Us</a> |
	</ul>

	
</div><!-- close header-bottom -->
  </div><!-- close header -->
	
<div id="main"><!-- open main -->
	<div id="main2"><!-- open main2 -->

	<div id="rightbar"><!-- open rightbar -->
		<div class="inner"><!-- open inner class "site search" -->
			<h3>Welcome, Administrator.</h3>		
		</div><!-- close inner class "site search" -->			
	</div><!-- close rightbar -->	
	 
	<div id="leftbar"><!-- open leftbar -->
		<ul id="nav"><!-- open nav -->
		<li class="one"><a href="#">Event Information</a></li>
		<li class="one"><a href="#">Directions</a></li>
		<li class="one"><a href="#">Olympic Images</a></li>
		</ul><!-- close nav -->
	</div><!-- close leftbar -->

	<div id="content"><!-- open content -->
	
	<div class="inner"><!-- open class inner "recent events" -->
		<h3>Administration Control Panel </h3>
		<h3>Instructions</h3>
			<p>Around eight million tickets will be available for the Olympic Games, and we have the right ticket for you!</p>
			<p>&nbsp;</p>
			<p>&nbsp;</p>
			
		<form name="control" method="POST" onsubmit="return validate(this)" action="http://localhost:8080/kuj/AdminResponseServlet">
		<table align="center" border="0" bordercolor="blue">

		<tr>
			<td> Product Name:  </td>
			<td> <input type="text" name="driverDetails" size="40" value="MySQL"> </td>
		</tr>
		<tr>
			<td> Version: </td>
			<td> <input type="text" name="database" size="40" value="mysql-connector-java-3.0.10-stable ( $Date: 2004/01/13 21:56:18 $, $Revision: 1.27.2.33 $ )"> </td>
		</tr>
		<tr>
			<td> Database: </td>
			<td> <input type="text" name="database"  size="40"  ></td>
		</tr>
		<tr>
			<td> User Name: </td>
			<td> <input type="text" name="username"></td>
		</tr>
		<tr>
			<td> Password: </td>
			<td><input type ="password" name ="password"> </td>
		</tr>
		<tr>
			<td> Type of execution: </td>
			<td>
				<select name="sqlQueryType">
					<option value=""></option>
					<option value="Query">Query</option>
					<option value="Alter">Alter</option>
				</select>
			</td>
		</tr>
		<tr>
			<td>SQL:</td>
			<td> <textarea rows="5" cols="50" name="queryOne"></textarea></td>
		</tr>
		<tr>
			<td colspan="2">
			<p align="center"><input type="submit"/></p> </td>
		</tr>
	</table>
	</form>
		</div><!-- close class inner "offers" & "recent events" -->	
	</div><!-- close content -->
<div id="clearone">&nbsp;</div><!-- close clearone -->	

</div><!-- close main2 -->
  </div><!-- close main -->

	<div id="footer"><!-- open footer -->
		<p>Copyright 2007 - all rights reserved</p>
	</div><!-- close footer -->	
</div><!-- close wrapper -->				
</body>
</html>
 