Validating user input: checking for illegal characters

Jill Smythe

Joined: Jan 27, 2004
Posts: 11
Hi all,
I'm trying to validate user input gathered from a form with JavaScript, but am having difficulty with one field. I need to prevent a user entering any illegal characters in the text box. These illegal characters are:
white space [ ] ( ) = , " / ? @ : ;
So, for example the following is not allowed: group(1, 2?)
I think I should do this with a regular expression and have something like the following:
function checkInput(input) {
  var illegalChars = new RegExp(/[\s[]()=,"/?@:;]/);
  return input.test(illegalChars);
}
but would really appreciate it if someone who really knows JavaScript could help me out with this RegExp!
Thanks in advance,
Jeanne Boyarsky
author & internet detective

Joined: May 26, 2003
Posts: 31571

I think you need to separate each special character with the or symbol. For example, [|]|(|) etc. Also, you need to escape the ? with \? because ? has a special meaning in regular expressions.

Tom Blough
Ranch Hand

Joined: Jul 31, 2003
Posts: 263
Jill, I'm a firm believer in the paradigm that it is better to PREVENT the user from making a mistake instead of CORRECTING them when they do. To that end, the following function only allows a limited set of characters to be entered into a text box or other input field:

Some examples of its use:

The current function is case insensitive; some minor modifications will make it case sensitive if you need that capability.

Tom Blough
[ February 13, 2004: Message edited by: Tom Blough ]

Jeanne Boyarsky
author & internet detective

Joined: May 26, 2003
Posts: 31571

Would you still need to check at the end that the textbox contains only valid characters? What if the user typed ctrl-v to get the contents of the clipboard?
Tom Blough
Ranch Hand

Joined: Jul 31, 2003
Posts: 263
Good point, Jeanne! You would need to implement an onChange routine that would filter the pasted input as well.
Yuriy Fuksenko
Ranch Hand

Joined: Feb 02, 2001
Posts: 413
Be careful about onchange - there is a funny issue with it on IE.
Let's say you have the following code:
<input name="x" onchange="this.value=3;">
If you type, for example, 2 in this field, then click somewhere else, onchange fires and changes it to 3. So, you go to that field again, delete this three, type something, and click somewhere else - you would expect your onchange to fire. It will, for everything except 2! Somewhere deep inside, IE doesn't take the changes your script made into account when determining whether the value changed or not.
By the way, personally, I would prefer to do validation server side.
Here is a reason - let's say somebody out of "curiosity" sets values on your form directly using JavaScript - what would your server do?
If your server does not check what goes to a database, it could be a security hole. And if you validate it on the server - why would you do it twice?
Simple example:
Let's say you have a field named "City".
On the server side you create a SQL statement like this:
"Select * from users where city='" + city + "'";
Now, the user types in the browser address bar:
javascript:document.forms[0].City.value="';delete from users where city like '%";document.forms[0].submit();
Your query will look like:
"Select * from users where city='';delete * from users where city like '%'"
[ February 16, 2004: Message edited by: Yuriy Fuksenko ]
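
Added example, not part of any post in this thread: a JavaScript sketch of the server-side re-check discussed above, with a working character class for the illegal characters listed in the original question, next to the concatenated query from the thread and a parameterized alternative. The function names and the `?` placeholder style are assumptions; a real handler would hand `text` and `values` to its database driver's parameterized-query call.

```javascript
// Added example; function names are hypothetical, sample inputs are constructed.

// Illegal characters from the question: whitespace [ ] ( ) = , " / ? @ : ;
// Inside a character class no "|" separators are needed; only [ ] and the
// regex-literal delimiter / are escaped here.
const ILLEGAL_CHARS = /[\s\[\]()=,"\/?@:;]/;

// True when the value is a string containing none of the illegal characters.
function isCleanInput(value) {
  return typeof value === "string" && !ILLEGAL_CHARS.test(value);
}

// The pattern from the thread: the value is spliced into the SQL text, so
// whatever the browser sends becomes part of the statement.
function buildConcatenated(city) {
  return "Select * from users where city='" + city + "'";
}

// Parameterized form: the SQL text is constant and the value travels
// separately, to be bound by the database driver (placeholder style assumed).
function buildParameterized(city) {
  return { text: "SELECT * FROM users WHERE city = ?", values: [city] };
}

// Server-side handler: re-check the input even if the browser already did,
// then bind it as a parameter instead of concatenating it.
function handleLookup(city) {
  if (!isCleanInput(city)) {
    return { ok: false, error: "illegal characters in input" };
  }
  return { ok: true, query: buildParameterized(city) };
}

// Constructed inputs: the question's example, the value from the thread's
// address-bar example, and a legitimate name containing a single quote.
const samples = ["group(1, 2?)", "';delete from users where city like '%", "O'Fallon"];
for (const s of samples) {
  console.log(JSON.stringify(s), "clean:", isCleanInput(s),
              "| concatenated:", buildConcatenated(s));
}
// "O'Fallon" passes the character filter (the list has no single quote) yet
// still unbalances the concatenated statement; the parameterized text is unchanged.
console.log(handleLookup("O'Fallon"));
```

The character filter and the parameter binding cover different things: the filter enforces the field's format, while binding is what keeps a value such as `O'Fallon` from altering the statement.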