Input malicious code


zoidberg
02-08-2007, 08:16 PM
hello all, i was just wondering if anyone could help here:

i have made an input form and include many text inputs like name and address. however i want to be able to guard against someone putting in malicious code or SQL statements....

thought about using Regular Expression but then that matches data doesn't it? so that would only work if i wanted them to put in malicious code?

thank you

Flash Gordon
02-08-2007, 09:45 PM
is it pointless to try to protect against injections client side? All of that should be done server side.

zoidberg
02-09-2007, 03:04 PM
pretty relaxed attitude to security but if that's your advice.....great!

Pleh
02-09-2007, 04:01 PM
He isn't saying don't do it, he means do all your sql protection server side. Because a hacker most likely won't be using your flash interface to screw you over.

If you have a web method with a string as a variable that your method simply executes on a sql server, then a hacker can simply send a request to that method to delete your data or do whatever he/she wants.

The safest way to protect against this is to use only stored procedures and have a separate method for each stored procedure.
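The "web method that simply executes a string" described above, shown beside the fix, as an added example that is not code from the thread or from any of its posters. The thread's server stack is not stated, so Python with an in-memory sqlite3 database stands in for it; a parameterized query plays the role that a stored procedure with typed parameters plays on SQL Server: the user's text is sent as a value, never as SQL syntax. The table, rows and the hostile input are constructed for the example.

```python
import sqlite3


def make_db():
    """Constructed sample table standing in for the form's backing store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, address TEXT)")
    conn.executemany(
        "INSERT INTO customers (name, address) VALUES (?, ?)",
        [("Alice", "1 Main St"), ("Bob", "2 High St"), ("Carol", "3 Park Ave")],
    )
    conn.commit()
    return conn


def lookup_unsafe(conn, name):
    """The pattern the thread warns about: the caller's string is pasted into SQL.

    Whatever the client sent becomes part of the statement, so quote characters
    in the input change what the statement means.
    """
    sql = "SELECT name FROM customers WHERE name = '" + name + "' ORDER BY name"
    try:
        return [row[0] for row in conn.execute(sql)]
    except sqlite3.OperationalError as exc:
        # Even an honest name such as O'Brien breaks the query this way.
        return "error: " + str(exc)


def lookup_safe(conn, name):
    """Parameterized form: the value travels separately from the statement text.

    The database never parses the input as SQL, so it can only ever be compared
    against the name column. This is the same guarantee a stored procedure with
    a typed parameter gives you.
    """
    return [
        row[0]
        for row in conn.execute(
            "SELECT name FROM customers WHERE name = ? ORDER BY name", (name,)
        )
    ]


def demo():
    """Run both lookups on ordinary, apostrophe-containing and hostile input."""
    conn = make_db()
    ordinary = "Alice"
    apostrophe = "O'Brien"          # legitimate name that happens to contain a quote
    hostile = "' OR '1'='1"         # constructed sample input, not from the thread
    return {
        "unsafe_ordinary": lookup_unsafe(conn, ordinary),
        "unsafe_apostrophe": lookup_unsafe(conn, apostrophe),
        "unsafe_hostile": lookup_unsafe(conn, hostile),
        "safe_ordinary": lookup_safe(conn, ordinary),
        "safe_apostrophe": lookup_safe(conn, apostrophe),
        "safe_hostile": lookup_safe(conn, hostile),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label:18} {result}")
```

Running `demo()` shows the point of the post: the unsafe lookup returns every customer for the hostile string and fails outright on O'Brien, while the parameterized lookup returns only the exact match in the first case and nothing in the others. Client-side checks in the Flash interface never enter into it, because the request can be sent to the method directly.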

dr_zeus
02-09-2007, 05:42 PM
There's nothing wrong with using input validation to protect against malicious code on the client side, but you'd better put it on the server too because that's where it counts!

Flash Gordon
02-09-2007, 05:49 PM
pretty relaxed attitude to security but if that's your advice.....great!

Yea. your ignorance makes me the ass :rolleyes:

zoidberg
02-09-2007, 07:51 PM
ok, before all the girls get chatting round the water tank about the big new bully, all i'm trying to say is that i have always been taught that any client-side validation that can be done is an added advantage because if carried out on the client-side you don't have to send it back to the server and wait for a response of the error, so it is just good practice to save time for the end-user.

so i can take it from this response that you don't carry out any client-side validation? in which case, thank you for your opinion but i want to do client-side so you obviously can't help me!

Pleh
02-09-2007, 08:16 PM
Obviously we can't...

Flash Gordon
02-09-2007, 08:40 PM
Since this is going nowhere,

@Pleh, where is the open source right click code you promised several months ago:D

Cota
02-09-2007, 09:06 PM
Now it's time for the real bully to step in...fear the pink....:o

Injection protection is best handled server-side. Client side is nothing more than a gateway to the server. Most people attack the server directly and bypass the client-side altogether. I won't go so far as to say client-side injection security is a waste, but I wouldn't focus too heavily on it. Also consider, they can decompile the project, if applicable, and see exactly what you're doing to prevent any attacks on the client side. Exit stage right..no no your other right! :eek:

dr_zeus
02-09-2007, 09:56 PM
i have always been taught that any client-side validation that can be done is an added advantage because if carried out on the client-side you don't have to send it back to the server and wait for a response of the error, so it is just good practice to save time for the end-user.

That's certainly a helpful optimization.

Anyway, to go back to your original question, take a look at the Flex validators. Regular Expressions could certainly be a useful tool to get things working. I work with them only from time to time, so my knowledge tends to fade. You asked if regular expressions can only "match", but that's not the case, I'm pretty sure there's some sort of "negative" operator that should do the opposite.

*looks it up*

Yep. Using ^ will allow you to negate things. I frequently visit regular-expressions.info (http://www.regular-expressions.info/) to refresh my memory on the subject. That would be a good place to start. Everything else is just a Google away.
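The negation the post above points at, worked through as an added example that is neither code from the thread nor from the Flex validators it mentions. The rule it relies on: `^` as the first character inside a bracket expression (`[^...]`) negates the class, while outside brackets `^` anchors to the start of the string. Python's `re` module stands in for the ActionScript regex engine; the allowed-character lists and the sample inputs are assumptions constructed for the example, not values from the thread.

```python
import re


def build_validator(allowed_class, max_len):
    """Derive both checks from one allow-list character class.

    allowed:  anchored pattern, the whole field must consist of allowed characters.
    negated:  the same class with a leading ^ inside the brackets, which matches
              any single character that is NOT allowed, so we can report them.
    """
    allowed = re.compile(rf"^[{allowed_class}]{{1,{max_len}}}$")
    negated = re.compile(rf"[^{allowed_class}]")

    def is_valid(text):
        # fullmatch rather than match: with match(), "$" would still accept a
        # trailing newline after an otherwise valid value.
        return allowed.fullmatch(text) is not None

    def offending(text):
        # Every character the negated class picks out, de-duplicated and sorted.
        return sorted(set(negated.findall(text)))

    return is_valid, offending


# Constructed allow-lists for a name and a street address (assumptions; a real
# form would tune these to the locales and address formats it has to accept).
name_ok, name_bad = build_validator(r"A-Za-z' \-", 80)
address_ok, address_bad = build_validator(r"A-Za-z0-9 .,'#/\-", 200)


def validate_form(fields):
    """Check each field; return {field: explanation} for the ones that fail.

    fields maps a field name to (value, is_valid, offending) from build_validator.
    """
    problems = {}
    for field, (value, ok, bad) in fields.items():
        if not ok(value):
            problems[field] = "".join(bad(value)) or "empty or too long"
    return problems


def demo():
    """Run the validators over a clean submission and a suspicious one."""
    clean = {
        "name": ("Alice O'Brien", name_ok, name_bad),
        "address": ("12 Main St.", address_ok, address_bad),
    }
    suspicious = {  # constructed sample inputs
        "name": ("Alice'; DROP TABLE customers;--", name_ok, name_bad),
        "address": ("<script>alert(1)</script>", address_ok, address_bad),
    }
    return validate_form(clean), validate_form(suspicious)


if __name__ == "__main__":
    accepted, rejected = demo()
    print("clean submission problems:", accepted)
    print("suspicious submission problems:", rejected)
```

The anchored allow-list is what decides acceptance; the negated class only exists to tell the user which characters to remove, which is the time-saving the thread discusses. Note that the apostrophe is allowed in names (O'Brien is a real name), so this validator does not stop a quote from reaching the server; that is why the same allow-list has to run on the server as well and why, per the earlier posts, the query itself must be parameterized or routed through a stored procedure rather than built from the string.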

Tink
02-10-2007, 12:59 AM
http://regexlib.com/default.aspx

and

http://regexlib.com/RETester.aspx

might be of some use

Pleh
02-10-2007, 11:21 AM
@FlashGordon

No one seemed that interested so i didn't bother posting it, but if you want it here it is...

zoidberg
02-10-2007, 11:23 AM
ah thank you very much, i thought there would be some kind of 'negative' operator and tried the tested "!" but to no avail. Thanks for the links guys!

Flash Gordon
02-10-2007, 05:56 PM
@FlashGordon

No one seemed that interested so i didn't bother posting it, but if you want it here it is...

great!