Harshil
Harshil

Reputation: 243

RegEx pattern to validate String

Let me make my question Simple what I want is I am using white list Regex pattern to avoid xss and sql injection so as my allowed character in string is [A-Za-z0-9,()[]{}\"\:./_\s] and I want to restrict occurrence of -- in any coming request from client but it should allow - or jjdfasd-dsfads-12321 string

In short it below test cases should run successfully

import java.util.regex.Pattern;


public class RegExTest {

private static Pattern xssAttackPattern;

private static final String XSS_ATTACK_REGULAR_EXPRESSION1 = "-?[A-Za-z0-9,\\(\\)\\[\\]\\{\\}\"\\:./_\\s]*";


public static Pattern getXSSAttackPattern1() {
    xssAttackPattern = Pattern.compile(XSS_ATTACK_REGULAR_EXPRESSION1);
    return xssAttackPattern;
}

public static boolean hasXSSAttackOrSQLInjection1(String value) {

    if (getXSSAttackPattern1().matcher(value).matches()) {
        return true;
    }
    return false;
}



public static void main(String arg[]) {

    System.out.println(" :::::: Regular Expression ::::::");
    regexTest();

}

private static void regexTest() {

    String str1 = "-dsfdsfddsfd2112212s";
    String str2 = "--dsfdsfddsfd2112212s";
    String str3 = "-dsfdsfdd-sfd2112212s";
    String str4="http://rss.cnn.com/rss/edition_business.rss?id=121132511$@#$@$@#%242444+gfghgfhg";
    String str5="(.:[]{}";
    String str6="--";
    String str7="-";

    System.out.println("String::" + str1 + "::Result::"
            + hasXSSAttackOrSQLInjection1(str1));
    System.out.println("String::" + str2 + "::Result::"
            + hasXSSAttackOrSQLInjection1(str2));
    System.out.println("String::" + str3 + "::Result::"
            + hasXSSAttackOrSQLInjection1(str3));
    System.out.println("String::" + str4 + "::Result::"
            + hasXSSAttackOrSQLInjection1(str4));
    System.out.println("String::" + str5 + "::Result::"
            + hasXSSAttackOrSQLInjection1(str5));
    System.out.println("String::" + str6 + "::Result::"
            + hasXSSAttackOrSQLInjection1(str6));
    System.out.println("String::" + str7 + "::Result::"
            + hasXSSAttackOrSQLInjection1(str7));
}

}

Upvotes: 2

Views: 5967

Answers (1)

Sergey Kalinichenko
Sergey Kalinichenko

Reputation: 727017

You current regex matches

  • a string consisting of a single - character, or
  • a string consisting of a sequence of letters, digits, and some special characters, or
  • an empty string

If you would like to change it to allow zero or one dash - only at the beginning of the string, remove the OR character | from your expression; if you would like to match at most one dash anywhere in the string, change expression to

[A-Za-z0-9,\\(\\)\\[\\]\\{\\}\"\\:./_\\s]*-?[A-Za-z0-9,\\(\\)\\[\\]\\{\\}\"\\:./_\\s]*

EDIT 1: If you need to avoid two consecutive dashes, you can use this expression with negative lookbehind:

([A-Za-z0-9,\\(\\)\\[\\]\\{\\}\"\\:./_\\s]|(?<!-)-)*

The (?<!-)- part of the expression above matches a dash unless it is preceded by another dash.

EDIT 2: If you have strings of 10000+ length, a positive regex solution is not as good as a negative one. Instead of looking for myString.matches(positiveExpr), it is much more efficient to look for !myString.matches(negativeExpr), and use this expression for your negative match. In other words, instead of specifying an expression defining the string that you want, you could define a much simpler expression for the string that you do not want:

[^A-Za-z0-9,\\(\\)\\[\\]\\{\\}\"\\:./_\\s]|--

NOTE: Sanitizing your strings is not the best way to avoid SQL injection attacks; using parameterized statements is.

Upvotes: 2

Related Questions