Validate ASP Input

Many sites use input from a user to call other code or to build Structured Query Language (SQL) statements directly. In other words, the sites treat the input as valid, well-formed, non-malicious input. However, user input should never be trusted: a number of attacks rely on malformed or malicious input being accepted as valid, and this common oversight can be used to gain access to the server or cause damage. You should always check all user <Form> input and query strings before passing them on to another process or method call that might use an external resource, such as the file system or a database. Check the input against what you expect to receive (an allow list of permitted characters or values) rather than only against a list of characters you know to be dangerous.

You can check the text with the regular expression capabilities of Microsoft JScript® version 5.0 and Microsoft Visual Basic® Scripting Edition version 5.0 (VBScript).

To check for characters

  1. Strip a string of all characters that are not valid (all characters except for 0-9, a-z, A-Z, and the underscore [_]). For example:

    Set reg = New RegExp
    reg.Pattern = "\W+"    ' one or more characters that are NOT 0-9, a-z, A-Z, or the underscore (_)
    reg.Global = True      ' replace every match, not only the first one
    strUnTainted = reg.Replace(strTainted, "")

  2. Strip all text after the OR operator (|). For example:

    Set reg = New RegExp
    reg.Pattern = "\|.*$"    ' the "|" and everything that follows it
    strUnTainted = reg.Replace(strTainted, "")

  3. When using the scripting file system object (FileSystemObject) to open or create files, where the file name is based on user input, the user might attempt to open a serial port or printer by supplying a reserved device name. For that reason, strip file names that are not valid. For example, the following JScript code strips a reserved device name from the end of the string:

    var strOut = strIn.replace(/(AUX|PRN|NUL|COM\d|LPT\d)+\s*$/i, "");

    Note that CON is also a reserved device name, that Windows ignores the extension when it resolves a device name (so COM1.txt still refers to COM1), and that this expression only matches a device name at the very end of the string. A safer approach is to restrict the name to the characters allowed in step 1 and then reject any reserved name that remains rather than trying to repair it.
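The three checks above combined into one set of functions, as an added example that is not part of the original page. It is plain JavaScript, so it runs under Node.js as well as under JScript in a classic ASP page (only ES3-era syntax is used); the sample inputs are constructed here for illustration, and the stricter isReservedDeviceName and safeFileName helpers are this example's own tightening of step 3 (reject reserved names instead of stripping them), not code the page provides.

```javascript
// Added example (not from the original page). Plain JavaScript so it runs in
// Node.js and in classic ASP/JScript 5; only ES3-era syntax is used on purpose.

// Step 1: keep only 0-9, a-z, A-Z and "_" (\W is any non-word character).
// This is an allow list: anything unexpected is dropped, not just known-bad characters.
function stripInvalidChars(strTainted) {
  return strTainted.replace(/\W+/g, "");
}

// Step 2: drop the OR operator (|) and everything after it.
function stripAfterPipe(strTainted) {
  return strTainted.replace(/\|[\s\S]*$/, "");
}

// Step 3 as the page shows it: strip a reserved device name from the end of the string.
function stripDeviceSuffix(strIn) {
  return strIn.replace(/(AUX|PRN|NUL|COM\d|LPT\d)+\s*$/i, "");
}

// Stricter version of step 3 (this example's assumption, not the page's code):
// Win32 resolves a reserved device name from the part before the first "." and
// ignores trailing spaces and dots, so "COM1.txt" and "nul " still open the device.
// CON is reserved as well. COM0 and COM10 are not reserved names.
var RESERVED_DEVICE = /^(CON|PRN|AUX|NUL|COM[1-9]|LPT[1-9])$/i;

function isReservedDeviceName(fileName) {
  var base = fileName.replace(/[ .]+$/, ""); // trailing spaces and dots are ignored by Win32
  base = base.split(".")[0];                 // the part before the first dot names the device
  return RESERVED_DEVICE.test(base);
}

// Put the steps together for a file name taken from Request.Form or the query
// string. Returns null when nothing usable remains, so the caller can refuse
// the request instead of opening a guessed path.
function safeFileName(strTainted) {
  var name = stripInvalidChars(stripAfterPipe(strTainted));
  if (name.length === 0 || isReservedDeviceName(name)) {
    return null;
  }
  return name;
}

// Constructed sample inputs (not real data) showing each check at work.
function demo() {
  var samples = ["report", "COM1", "COM1.txt", "nul ", "..\\..\\config.txt", "a|del *.*"];
  var out = {};
  for (var i = 0; i < samples.length; i++) {
    out[samples[i]] = safeFileName(samples[i]);
  }
  return out;
}
```

Two inputs are worth comparing: stripDeviceSuffix("COM1.txt") returns the string unchanged because the device name is not at the end, whereas isReservedDeviceName("COM1.txt") returns true. After stripInvalidChars the same input becomes "COM1txt", which no longer names a device, so the allow list in step 1 already removes most of the risk; the explicit reserved-name check covers names such as "LPT1" that survive the allow list. In an ASP page the value passed to safeFileName would come from Request.Form("filename") or Request.QueryString("filename").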

Did you find this information useful? Please send your suggestions and comments about the documentation to acdocs@microsoft.com.