Validate ASP Input

Many sites use input from a user to call other code or to build Structured Query Language (SQL) statements directly. In other words, the sites treat the input as valid, well-formed, non-malicious input. However, this user input should not be trusted. There are a number of attacks in which user input is treated incorrectly as valid input. This common oversight could be used to gain access to the server or cause damage. You should always check all user <Form> input and query strings before passing them on to another process or method call that might use an external resource, such as the file system or a database.

You can check the text with the regular expression capabilities of Microsoft JScript® version 5.0 and Microsoft Visual Basic® Scripting Edition version 5.0 VBScript).

To check for characters

  1. Strip a string of all invalid characters (all characters except for 0-9, a-z, A-Z, and the underscore [_]). For example:

    Set reg = New RegExp
    reg.Pattern = "\W+" ' One or more characters which are
    			 NOT 0-9, a-z, A-Z, or '_'
    strUnTainted = reg.Replace(strTainted, "")
  2. Strip all text after the OR operator (|). For example:

    Set reg = New RegExp
    reg.Pattern = "^(.+)\|(.+)" ' Any character from
    			 string start to an '|' operator
    strUnTainted = reg.Replace(strTainted,"$1")
  3. When using the scripting file system object to open or create files, where the file name is based on user input, the user might attempt to open a serial port or printer. For that reason, strip files names that are not valid. For example, the following JScript code strips out file names that are not valid:

    var strOut =

Did you find this information useful? Please send your suggestions and comments about the documentation to