Reputation: 243
RegEx pattern to validate String
Let me make my question Simple what I want is I am using white list Regex pattern to avoid xss and sql injection so as my allowed character in string is [A-Za-z0-9,()[]{}\"\:./_\s] and I want to restrict occurrence of -- in any coming request from client but it should allow - or jjdfasd-dsfads-12321 string
In short it below test cases should run successfully
import java.util.regex.Pattern;
public class RegExTest {
private static Pattern xssAttackPattern;
private static final String XSS_ATTACK_REGULAR_EXPRESSION1 = "-?[A-Za-z0-9,\\(\\)\\[\\]\\{\\}\"\\:./_\\s]*";
public static Pattern getXSSAttackPattern1() {
xssAttackPattern = Pattern.compile(XSS_ATTACK_REGULAR_EXPRESSION1);
return xssAttackPattern;
}
public static boolean hasXSSAttackOrSQLInjection1(String value) {
if (getXSSAttackPattern1().matcher(value).matches()) {
return true;
}
return false;
}
public static void main(String arg[]) {
System.out.println(" :::::: Regular Expression ::::::");
regexTest();
}
private static void regexTest() {
String str1 = "-dsfdsfddsfd2112212s";
String str2 = "--dsfdsfddsfd2112212s";
String str3 = "-dsfdsfdd-sfd2112212s";
String str4="http://rss.cnn.com/rss/edition_business.rss?id=121132511$@#$@$@#%242444+gfghgfhg";
String str5="(.:[]{}";
String str6="--";
String str7="-";
System.out.println("String::" + str1 + "::Result::"
+ hasXSSAttackOrSQLInjection1(str1));
System.out.println("String::" + str2 + "::Result::"
+ hasXSSAttackOrSQLInjection1(str2));
System.out.println("String::" + str3 + "::Result::"
+ hasXSSAttackOrSQLInjection1(str3));
System.out.println("String::" + str4 + "::Result::"
+ hasXSSAttackOrSQLInjection1(str4));
System.out.println("String::" + str5 + "::Result::"
+ hasXSSAttackOrSQLInjection1(str5));
System.out.println("String::" + str6 + "::Result::"
+ hasXSSAttackOrSQLInjection1(str6));
System.out.println("String::" + str7 + "::Result::"
+ hasXSSAttackOrSQLInjection1(str7));
}
}
Upvotes: 2
Views: 5967
Answers (1)
Reputation: 727017
You current regex matches
- a string consisting of a single
-character, or - a string consisting of a sequence of letters, digits, and some special characters, or
- an empty string
If you would like to change it to allow zero or one dash - only at the beginning of the string, remove the OR character | from your expression; if you would like to match at most one dash anywhere in the string, change expression to
[A-Za-z0-9,\\(\\)\\[\\]\\{\\}\"\\:./_\\s]*-?[A-Za-z0-9,\\(\\)\\[\\]\\{\\}\"\\:./_\\s]*
EDIT 1: If you need to avoid two consecutive dashes, you can use this expression with negative lookbehind:
([A-Za-z0-9,\\(\\)\\[\\]\\{\\}\"\\:./_\\s]|(?<!-)-)*
The (?<!-)- part of the expression above matches a dash unless it is preceded by another dash.
EDIT 2: If you have strings of 10000+ length, a positive regex solution is not as good as a negative one. Instead of looking for myString.matches(positiveExpr), it is much more efficient to look for !myString.matches(negativeExpr), and use this expression for your negative match. In other words, instead of specifying an expression defining the string that you want, you could define a much simpler expression for the string that you do not want:
[^A-Za-z0-9,\\(\\)\\[\\]\\{\\}\"\\:./_\\s]|--
NOTE: Sanitizing your strings is not the best way to avoid SQL injection attacks; using parameterized statements is.
Upvotes: 2
Related Questions
- Regex string validation
- Validating string using RegEx
- Regular expression to validate a specific pattern
- Validate a string with a regex
- RegEx for validating specific input
- Regular expressions: need to validate specific string format
- Java Regex to validate String
- Regex for custom verification of string
- RegEx expression to validate the input string
- RegEx Validations