views:

544

answers:

4

I have a textbox that I am using the blur event to validate the text with a regular expression. If it fails I want the textbox to keep the focus. I know in regular javascript you can say return functionName(); in the onblur event within the actual html control. Is there a way to do something similar when binding the blur event within the $(document).ready() function? Or simply set the focus on "this". Thank you for the help.

$(document).ready(function() {
    $('input:text.sqlValidation').blur(function() {
        // Placeholder from the question; the real expression was not posted.
        var sqlInjectionRegX2 = /...Regex.../;
        var value = this.value;
        if (sqlInjectionRegX2.test(value)) {
            alert('The text you have entered may contain malicious code and can not be submitted.');
            this.value = '';
            return false;
        }
        else return true;
    });
});
+1  A: 

Isn't it just to set

$(this).focus();

inside of your blur function somewhere?

EmKay
I have tried "$(this).focus();" with no success. I am using FF3, do you know if that works in FF3?
Josh H.
I just tried it in IE and it works perfectly. So apparently it's a FF3 issue. Does anyone know a work around? I think I have read something about setting a timeout.
Josh H.
+4  A: 

Using regular expressions in Javascript to prevent SQL injection is the mother of all (or at least most) evil. DO NOT DO THIS!!! Instead, use parameters in your server side code. If you don't know how, ask us. If you try to prevent SQL Injection the way you're doing it it will not work and you are liable to lose data, or worse. All your enemy needs to do is disable Javascript (or craft his own HTTP request) and your filter will be useless. In addition, I don't think it's possible to fully block SQL injection with a single regex.


To answer the question, try writing return false or event.preventDefault() in the handler. However, it won't work perfectly; it is not possible to fully control focus like this in Javascript.

SLaks
I agree, but you could do both client- and server-side prevention -- though I'm not sure why you'd want to improve the user experience for someone trying to do a SQL injection.
tvanfosson
I am actually using the regular expression to check for sql injection. But the expression I have created checks for the actual sql statement, i.e. "a'; Select * From Users;" or "a'; Drop Table Users;" So far my testing has shown that it works correctly. But for a developer to find fault in his own code is like a parent saying they have an ugly baby. :) So I'll include my expression if anyone would like to try it and let me know if they find. Thanks for your help.
Josh H.
@tvanfosson: Doing this on the server is equally evil. No regex can perfectly block SQL injection, and there are legitimate reasons to do SQL injection (e.g., someone named `Harry O'Neill`)
SLaks
And I am actually doing both client and server side validation. And unfortunately the expression is too long to post here. So I'll add a new "question" asking if anyone would like to test the expression and let me know of the results.
Josh H.
@Josh H: No possible regex can completely block SQL injection.
SLaks
This is for an internal app for the company I work for. The users are not computer science inclined, so I don't think we'll have that much trouble. But there have been a couple users that have attempted a sql injection, with no success. That is why I have been asked to come up with a solution to the problem. I've included a link to the question asking for comments on my expression. http://stackoverflow.com/questions/1560471/would-anyone-like-to-test-myregular-expression-to-check-for-sql-injection-and-scr Thanks for your help.
Josh H.
@Josh H. How can you have users that are "not computer science inclined" that are also attempting SQL injection attacks? That seems pretty computer science inclined to me :P
Jiaaro
+1  A: 

You could prevent the default behavior and stop the event propagation then do this.focus() in the handler. http://docs.jquery.com/Events/jQuery.Event . Any event manipulation should be done before any event handling code.

illvm
illvm, thanks for the link. Calling the event method stopPropagation() worked perfectly for the desired functionality. Now to decide if regex is appropriate for this type of validation. Thanks again.
Josh H.
A: 

I think that the best way for you to prevent SQL Injection without rewriting the legacy code to use parameters (this question, which is now closed) would be to double up all quotes and backslashes (replace ' with '' and \ with \\).

Note that I'm not an expert in SQL syntax, so I cannot guarantee that this would be impenetrable.

SLaks
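The quote-doubling fallback described in this answer, written out as an added example (not SLaks' or the questioner's own code). It assumes the legacy code builds SQL strings and quotes the value itself; parameterised queries, as the earlier answer says, are still the correct fix. Doubling backslashes only applies to dialects such as MySQL where a backslash escapes inside a string literal, so it is made optional here.

```javascript
// Added example: turn a user-supplied value into a safely quoted SQL string
// literal by doubling every single quote (and, for dialects like MySQL where
// backslash is an escape character inside literals, every backslash).
// This is the fallback for legacy code that concatenates SQL; use query
// parameters wherever the code can be changed.
function escapeSqlLiteral(value, opts = { doubleBackslash: true }) {
  let s = String(value);
  if (opts.doubleBackslash) {
    s = s.replace(/\\/g, '\\\\');   // one backslash becomes two
  }
  s = s.replace(/'/g, "''");         // one quote becomes two
  return "'" + s + "'";              // always return it quoted, so a caller cannot forget
}

// A legacy-style name lookup: because the value is always wrapped by
// escapeSqlLiteral, an apostrophe in the data cannot terminate the literal,
// and the whole input stays inside one string value rather than becoming SQL.
function buildUserLookup(name) {
  return 'SELECT * FROM Users WHERE Name = ' + escapeSqlLiteral(name);
}

// Constructed sample inputs taken from the discussion above.
const samples = ["Harry O'Neill", "a'; Drop Table Users;", "C:\\path"];
for (const s of samples) {
  console.log(buildUserLookup(s));
}
```

Note that the legitimate name `Harry O'Neill` survives intact as data, which the regex approach in the question would have rejected.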