Solved

Regular expression for validating and/or filtering free text forms on the web?

Posted on 2010-09-03
5
361 Views
Last Modified: 2012-05-10
As I try to come up with such a thing, it strikes my mind that someone might have done it before?

I think of a Text Area in a web form - the user should be able to write as freely as possible without posing a security threat!

Example (php style):
$pattern="/^[\w\s]+$/";

-This would be a bit to hard on the user, as it'd only allow letters, numbers, whitespace and _ !

-Line breaks should also be allowed
0
Comment
Question by:davidsperling
  • 2
  • 2
5 Comments
 
LVL 75

Expert Comment

by:käµfm³d 👽
ID: 33597291
"\s" includes newlines, carriage returns, and vertical tabs in addition to spaces.
0
 
LVL 75

Expert Comment

by:käµfm³d 👽
ID: 33597306
Perhaps you should modify your pattern to check for what isn't allowed--namely the negation of what you currently have:
$pattern="/[^\w\s]/";

Open in new window

0
 
LVL 4

Author Comment

by:davidsperling
ID: 33597764
This is what I have right now in the beautiful language php (with ZF)..

/**
 * A validator to apply on general free text fields to avoid XSS etc...
 * http://framework.zend.com/manual/en/zend.validate.writing_validators.html
 */
class validator_ZendValidateFreeTextGeneral extends Zend_Validate_Abstract
{
    const ILLEGALTEXT='illegaltext';
    protected $_messageTemplates = array(
        self::ILLEGALTEXT => "Text contains forbidden characters."
    );

    public function isValid($value)
    {
        $pattern="/^[\w\s!?\-\.,&;åäöÅÄÖ]+$/";
        if(!preg_match($pattern, $value))
        {
            $this->_error();
            return false;
        }

        return true;
    }

}

Open in new window

0
 
LVL 13

Accepted Solution

by:
Carl Bohman earned 500 total points
ID: 33597802
>the user should be able to write as freely as possible without posing a security threat

There are a lot of different threats, depending on how you use the data.  In most cases of free-form text, you are safest by providing protection at the point where the data is being used.  Here are some examples:

If you are going to be adding the text to a URL, it will need to be escaped so that characters like =, &, ?, and white space (especially carriage return) don't cause issues.

If you are going to be displaying the text on a web page, then you need to watch out for characters like <, >, and &.

If you are going to be inserting the data into a database, then you need to worry about quote characters (' and ") that could be used to break out of the SQL statement and allow the user to run arbitrary SQL statements.  (Of course, there are better ways of protecting against this type of attack, such as using parameterized SQL statements.)

Unless you know exactly how the data is going to be used, it is difficult to determine a generic filter at time of entry.  You may also be leaving yourself open to attacks that figure out a way to bypass your validation routine.

If your intention really is to have free-form text, I would recommend sanitizing the data as needed at every point where you are using it.
0
 
LVL 13

Assisted Solution

by:Carl Bohman
Carl Bohman earned 500 total points
ID: 33597864
Some basic things not allowed by your code:
and/or
(parenthetical statements)
$currency
percentages%
simple+math=equations
"favorite quotes"
posessives: Mary's
contractions: don't
0

Featured Post

Free Tool: Port Scanner

Check which ports are open to the outside world. Helps make sure that your firewall rules are working as intended.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

It’s the first day of March, the weather is starting to warm up and the excitement of the upcoming St. Patrick’s Day holiday can be felt throughout the world.
When crafting your “Why Us” page, there are a plethora of pitfalls to avoid. Follow these five tips, and you’ll be well on your way to creating an effective page.
The viewer will learn how to create and use a small PHP class to apply a watermark to an image. This video shows the viewer the setup for the PHP watermark as well as important coding language. Continue to Part 2 to learn the core code used in creat…
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…

856 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question