tags:

views:

544

answers:

4
+2  Q: 

Stopping the jQuery blur event within the blur function.

I have a textbox that I am using the blur event to validate the text with a regular expression. If it fails I want the textbox to keep the focus. I know in regular javascript you can say return functionName(); in the onblur event within the actual html control. Is there a way to do something similar when binding the blur event within the $(document).ready() function. Or simply set the focus on "this". Thank you for the help.

$(document).ready(function() {");
    $('input:text.sqlValidation').blur(function() {");
        var sqlInjectionRegX2 = /...Regex.../;
        var value = this.value;
        if (sqlInjectionRegX2.test(value)) {
            alert('The text you have entered may contain malicious code and can not be submitted.');
            this.value = '';
            return false;
        }
        else return true;
    });
});
+1  A: 

Isn't it just to set 

$(this).focus();

inside of your blur function somewhere?

EmKay  2009-10-13 13:35:19
I have tried "$(this).focus();" with no success. I am using FF3, do you know if that works in FF3?
Josh H.  2009-10-13 13:40:45
I just tried it in IE and it works perfectly. So apparently it's a FF3 issue. Does anyone know a work around? I think I have read something about setting a timeout.
Josh H.  2009-10-13 13:43:02
+4  A: 

Using regular expressions in Javascript to prevent SQL injection is the mother of all (or at least most) evil. DO NOT DO THIS!!! Instead, use parameters in your server side code. If you don't know how, ask us. If you try to prevent SQL Injection the way you're doing it it will not work and you are liable to lose data, or worse. All your enemy needs to do is disable Javascript (or craft his own HTTP request) and your filter will be useless. In addition, I don't think it's possible to fully block SQL injection with a single regex.

To answer the question, try writing return false or event.preventDefault() in the handler. However, it won't work perfectly; it is not possible to fully control focus like this in Javascript.

SLaks  2009-10-13 13:40:48
I agree, but you could do both client- and server-side prevention -- though I'm not sure why you'd want to improve the user experience for someone trying to do a SQL injection.
tvanfosson  2009-10-13 13:47:43
I am actually using the regular expression to check for sql injection. But the expression I have created checks for the actual sql statement, i.e. "a'; Select * From Users;" or "a'; Drop Table Users;" So far my testing has shown that it works correctly. But for a developer to find fault in his own code is like a parent saying they have an ugly baby. :) So I'll include my expression if anyone would like to try it and let me know if they find. Thanks for your help.
Josh H.  2009-10-13 13:49:42
@tvanfosson: Doing this on the server is equally evil. No regex can perfectly block SQL injection, and there are legitimate reasons to do SQL injection (eg, someone named `Harry O'Neill`)
SLaks  2009-10-13 13:51:27
And I am actually doing both client and server side validation.And unfortunately the expression is to long to post here. So I'll add a new "question" asking if anyone would like to test the expression and let me know of the results.
Josh H.  2009-10-13 13:51:47
@Josh H: Any possible regex cannot completely block SQL injection.
SLaks  2009-10-13 13:52:24
This is for an internal app for the company I work for. The users are not computer science inclined, so I don't think we'll have that much trouble. But there have been a couple users that have attempted a sql injection, with no success. That is why I have been asked to come up with a solution to the problem. I've included a link to the question asking for comments on my expression.http://stackoverflow.com/questions/1560471/would-anyone-like-to-test-myregular-expression-to-check-for-sql-injection-and-scrThanks for your help.
Josh H.  2009-10-13 14:12:20
@Josh H. How can you have users that are "not computer science inclined" that are also attempting SQL injection attacks? That seems pretty computer science inclined to me :P
Jiaaro  2010-08-11 21:37:23
+1  A: 

You could prevent the default behavior and stop the event propagation then do this.focus() in the handler. http://docs.jquery.com/Events/jQuery.Event . Any event manipulation should be done before any event handling code.

illvm  2009-10-13 13:42:53
illvm, thanks for the link. Calling the event method stopPropagation() worked perfectly for the desired functionality. Now to decide if regex is appropriate for this type of validation. Thanks again.
Josh H.  2009-10-13 14:18:37
A: 

I think that the best way for you to prevent SQL Injection without rewriting the legacy code to use parameters (this question, which is now closed) would be to double up all quotes and backslashes (replace ' with '' and \ with \\).

Note that I'm not an expert in SQL syntax, so I cannot guarantee that this would be impenetrable.

SLaks  2009-10-13 16:39:02

related questions

Communicating between websites (using Javascript or ?)
Javascript Unit-testing?
How can I return a variable from a $.getJSON function
Is there an "exists" function for jQuery
Why do I receive a q[num] error when aborting a jQuery queue pipeline?
How do I fire an event when a iframe has finished loading in jQuery?
How to compare html entity with JQuery
Problems while submitting a UTF-8 form textarea with JQuery/AJAX
How do I get the coordinates of the caret in text boxes?
SimpleModal breaks ASP.Net Postbacks
How would you handle errors when using jQuery.ajax() ?
Where is the best jQuery "plugins" library on the web?
Where can I learn jQuery? Is it worth it?
Keeping key value pairs together in HTML <select/> with JQuery?
How to set encoding in .getJSON JQuery
What is a selector engine?
Escaping HTML strings with jQuery
jQuery AJAX vs. UpdatePanel
What's the best way to code a desktop application-like menu bar in Javascript?
Dynamic Alphabetical Navigation
Scrolling Overflowed DIVs with JavaScript
How do I add a pre tag inside a code tag with jQuery?
Graph visualization code in javascript?
Wrapping lists into columns
Interview Questions for an Intern