December 5, 2014 at 8:44 am
Hi, I am designing a webpage using ASP.NET with SQL Server as the database.
I have used a multiline textbox in which the user has to enter their family details,
like the number of brothers and sisters, family status, and the source of earning for the family.
But the user must not enter his/her phone/contact number.
For that I restricted the user from entering any numeric digit through an ASP.NET
Regex. But the users are too smart: now they are entering their contact number in words.
Suppose somebody's contact number is 533445928. As they cannot enter numeric digits
because of the ASP.NET regex, which allows the user to enter only alphabets, they are now entering their contact number in words like "five three three four four nine two eight seven". I would like to restrict the user from entering contact details in words as well.
December 5, 2014 at 9:39 am
gouri92 (12/5/2014)
Hi, I am designing a webpage using ASP.NET with SQL Server as the database. I have used a multiline textbox in which the user has to enter their family details,
like the number of brothers and sisters, family status, and the source of earning for the family.
But the user must not enter his/her phone/contact number.
For that I restricted the user from entering any numeric digit through an ASP.NET
Regex. But the users are too smart: now they are entering their contact number in words.
Suppose somebody's contact number is 533445928. As they cannot enter numeric digits
because of the ASP.NET regex, which allows the user to enter only alphabets, they are now entering their contact number in words like "five three three four four nine two eight seven". I would like to restrict the user from entering contact details in words as well.
This sounds like an ASP.NET question, not a SQL Server question. The input should be properly parsed and formatted prior to inserting into the database table. Really, allowing users to enter all contact information into a multi-line text box is a bad web form design pattern in the first place. It should be separate text fields with input masks.
"Do not seek to follow in the footsteps of the wise. Instead, seek what they sought." - Matsuo Basho
December 5, 2014 at 11:05 am
Eric M Russell (12/5/2014)
The input should be properly parsed and formatted prior to inserting into the database table. Really, allowing users to enter all contact information into a multi-line text box is a bad web form design pattern in the first place. It should be separate text fields with input masks.
+1000. Why would something as simple as a phone number require a multiline text box? I know phone numbers have different formats in different parts of the world, but I don't know of any that require alpha characters. I'd restrict the users to only those characters that are valid in the first place. Another thing to consider is that multiline text boxes can take a lot of text, which means that you're giving the user the opportunity to place malicious code into your application.
The client-side validation should validate the text before the page is even submitted, then the code-behind should validate it according to the business rules defined for your application. By the time your application fires anything to the database, you should already know the input is valid.
December 5, 2014 at 2:12 pm
Ed Wagner (12/5/2014)
Eric M Russell (12/5/2014)
The input should be properly parsed and formatted prior to inserting into the database table. Really, allowing users to enter all contact information into a multi-line text box is a bad web form design pattern in the first place. It should be separate text fields with input masks.
+1000. Why would something as simple as a phone number require a multiline text box?
It doesn't. The OP is trying to prevent phone numbers in the "field". He started out by not allowing digits, but the users are now spelling out the digits and the OP wants to know how to prevent it.
--Jeff Moden
Change is inevitable... Change for the better is not.
December 5, 2014 at 2:30 pm
Sounds like either users, or trolls, are trying to avoid a third party service that connects them.
You don't do this at the SQL level. The Regex is too weak in T-SQL. You need to sanitize this in ASP.
Never stop learning, even if it hurts. Ego bruises are practically mandatory as you learn unless you've never risked enough to make a mistake.
For better assistance in answering your questions | Forum Netiquette
For index/tuning help, follow these directions. | Tally Tables
Twitter: @AnyWayDBA
December 5, 2014 at 2:37 pm
Jeff Moden (12/5/2014)
Ed Wagner (12/5/2014)
Eric M Russell (12/5/2014)
The input should be properly parsed and formatted prior to inserting into the database table. Really, allowing users to enter all contact information into a multi-line text box is a bad web form design pattern in the first place. It should be separate text fields with input masks.
+1000. Why would something as simple as a phone number require a multiline text box?
It doesn't. The OP is trying to prevent phone numbers in the "field". He started out by not allowing digits, but the users are now spelling out the digits and the OP wants to know how to prevent it.
If there is a dedicated form field for phone number, but some users insist on entering crap like "too five oh sixty nine ..." into a free form comment field, then I'd say just let them. At the end of the day, it's their data. But this type of check can still be performed by the application using a more complex regular expression. It's basically checking for repeating sequences of numeric words. Still in that case, the application should simply reject the input, not attempt to parse and "correct" it.
"Do not seek to follow in the footsteps of the wise. Instead, seek what they sought." - Matsuo Basho
December 5, 2014 at 3:03 pm
Eric M Russell (12/5/2014)
Jeff Moden (12/5/2014)
Ed Wagner (12/5/2014)
Eric M Russell (12/5/2014)
The input should be properly parsed and formatted prior to inserting into the database table. Really, allowing users to enter all contact information into a multi-line text box is a bad web form design pattern in the first place. It should be separate text fields with input masks.
+1000. Why would something as simple as a phone number require a multiline text box?
It doesn't. The OP is trying to prevent phone numbers in the "field". He started out by not allowing digits, but the users are now spelling out the digits and the OP wants to know how to prevent it.
If there is a dedicated form field for phone number, but some users insist on entering crap like "too five oh sixty nine ..." into a free form comment field, then I'd say just let them. At the end of the day, it's their data. But this type of check can still be performed by the application using a more complex regular expression.
One more time:
There is NO dedicated form field for phone number.
Users are NOT allowed to enter their phone number anywhere.
If by the end of the day it's my data and I can do whatever then I will post a porno-picture into this forum and everyone should be fine with it. That's what OP is trying to prevent - users breaking service agreements.
December 5, 2014 at 3:25 pm
As the DBA, if you don't trust your users or your application developers to do the right thing, then as a last line of defense you can check the data on the database side. For example, below would be a primitive T-SQL check constraint on the comment column. However, if this is intended to scrub data entered into something like a public discussion board, then more advanced solutions are available, preferably in the middle tier.
-- Check constraint: add 1 for each of the eleven number words found anywhere in
-- the comment and reject the row when more than three of them are present.
-- LIKE is a substring test, so "phone" counts for "one" and "often" for "ten",
-- and a word that appears ten times still counts once (distinct words, not occurrences).
create table #comments
( comment varchar(8000) not null constraint ck_comment_disallowed check
  (
    0
    + case when comment like '%zero%'  then 1 else 0 end
    + case when comment like '%one%'   then 1 else 0 end
    + case when comment like '%two%'   then 1 else 0 end
    + case when comment like '%three%' then 1 else 0 end
    + case when comment like '%four%'  then 1 else 0 end
    + case when comment like '%five%'  then 1 else 0 end
    + case when comment like '%six%'   then 1 else 0 end
    + case when comment like '%seven%' then 1 else 0 end
    + case when comment like '%eight%' then 1 else 0 end
    + case when comment like '%nine%'  then 1 else 0 end
    + case when comment like '%ten%'   then 1 else 0 end
    <= 3
  )
);

-- Accepted: only "three" and "four" are present (2 <= 3).
insert into #comments ( comment ) values ('Three four open the door.');
-- (1 row(s) affected)

-- Rejected: seven distinct number words (five, nine, six, four, three, two, one).
insert into #comments ( comment ) values
('For a good time call five five five, nine six four, three two one two ...');
-- Msg 547, Level 16, State 0, Line 26
-- The INSERT statement conflicted with the CHECK constraint "ck_comment_disallowed".
"Do not seek to follow in the footsteps of the wise. Instead, seek what they sought." - Matsuo Basho
December 5, 2014 at 3:53 pm
Alexander Suprun (12/5/2014)
Eric M Russell (12/5/2014)
Jeff Moden (12/5/2014)
Ed Wagner (12/5/2014)
Eric M Russell (12/5/2014)
The input should be properly parsed and formatted prior to inserting into the database table. Really, allowing users to enter all contact information into a multi-line text box is a bad web form design pattern in the first place. It should be separate text fields with input masks.
+1000. Why would something as simple as a phone number require a multiline text box?
It doesn't. The OP is trying to prevent phone numbers in the "field". He started out by not allowing digits, but the users are now spelling out the digits and the OP wants to know how to prevent it.
If there is a dedicated form field for phone number, but some users insist on entering crap like "too five oh sixty nine ..." into a free form comment field, then I'd say just let them. At the end of the day, it's their data. But this type of check can still be performed by the application using a more complex regular expression.
One more time:
There is NO dedicated form field for phone number.
Users are NOT allowed to enter their phone number anywhere.
If by the end of the day it's my data and I can do whatever then I will post a porno-picture into this forum and everyone should be fine with it. That's what OP is trying to prevent - users breaking service agreements.
Digits and words like one two three four five etc.... are common things to enter in a free form entry field and in this case it sounds like there are perfectly legit reasons to enter those values. Especially if the only reason why it's a problem is because he doesn't want to give the end users a dedicated phone number field for some undefined reason.
The basics of web design, don't make things hard for your end users, they will find creative ways to do the things they need to do and you might very well not like those solutions.
Look at one of the things he says users are expected to enter in that field, "Like number of brother and sister". How in the name of hell do you expect them to do that if they can't use digits or type the number in words?
December 5, 2014 at 3:59 pm
ZZartin (12/5/2014)
Alexander Suprun (12/5/2014)
Eric M Russell (12/5/2014)
Jeff Moden (12/5/2014)
Ed Wagner (12/5/2014)
Eric M Russell (12/5/2014)
The input should be properly parsed and formatted prior to inserting into the database table. Really, allowing users to enter all contact information into a multi-line text box is a bad web form design pattern in the first place. It should be separate text fields with input masks.
+1000. Why would something as simple as a phone number require a multiline text box?
It doesn't. The OP is trying to prevent phone numbers in the "field". He started out by not allowing digits, but the users are now spelling out the digits and the OP wants to know how to prevent it.
If there is a dedicated form field for phone number, but some users insist on entering crap like "too five oh sixty nine ..." into a free form comment field, then I'd say just let them. At the end of the day, it's their data. But this type of check can still be performed by the application using a more complex regular expression.
One more time:
There is NO dedicated form field for phone number.
Users are NOT allowed to enter their phone number anywhere.
If by the end of the day it's my data and I can do whatever then I will post a porno-picture into this forum and everyone should be fine with it. That's what OP is trying to prevent - users breaking service agreements.
Digits and words like one two three four five etc.... are common things to enter in a free form entry field and in this case it sounds like there are perfectly legit reasons to enter those values. Especially if the only reason why it's a problem is because he doesn't want to give the end users a dedicated phone number field for some undefined reason.
The basics of web design, don't make things hard for your end users, they will find creative ways to do the things they need to do and you might very well not like those solutions.
Wow, this is becoming a discussion that has nothing to do with the OP's expectations or request. Ever go to Match.com or something like that? Being able to circumvent them defeats the purpose. I've actually had to do similar things to scrub data in HIPAA databases and the like. Gets really interesting when the Doctor's name is allowed, but the patient's isn't.
A lot of folks here are trying to Ivory Tower the design. I'm quite sure if they wanted phone numbers passed around, there'd be a bright neon sign (or equivalent) saying "Enter it here." Sometimes, yes, you DO want to make things hard on your users. They don't need to put a phone number in, they just want to.
Never stop learning, even if it hurts. Ego bruises are practically mandatory as you learn unless you've never risked enough to make a mistake.
For better assistance in answering your questions | Forum Netiquette
For index/tuning help, follow these directions. | Tally Tables
Twitter: @AnyWayDBA
December 5, 2014 at 4:04 pm
Evil Kraig F (12/5/2014)
ZZartin (12/5/2014)
Alexander Suprun (12/5/2014)
Eric M Russell (12/5/2014)
Jeff Moden (12/5/2014)
Ed Wagner (12/5/2014)
Eric M Russell (12/5/2014)
The input should be properly parsed and formatted prior to inserting into the database table. Really, allowing users to enter all contact information into a multi-line text box is a bad web form design pattern in the first place. It should be separate text fields with input masks.
+1000. Why would something as simple as a phone number require a multiline text box?
It doesn't. The OP is trying to prevent phone numbers in the "field". He started out by not allowing digits, but the users are now spelling out the digits and the OP wants to know how to prevent it.
If there is a dedicated form field for phone number, but some users insist on entering crap like "too five oh sixty nine ..." into a free form comment field, then I'd say just let them. At the end of the day, it's their data. But this type of check can still be performed by the application using a more complex regular expression.
One more time:
There is NO dedicated form field for phone number.
Users are NOT allowed to enter their phone number anywhere.
If by the end of the day it's my data and I can do whatever then I will post a porno-picture into this forum and everyone should be fine with it. That's what OP is trying to prevent - users breaking service agreements.
Digits and words like one two three four five etc.... are common things to enter in a free form entry field and in this case it sounds like there are perfectly legit reasons to enter those values. Especially if the only reason why it's a problem is because he doesn't want to give the end users a dedicated phone number field for some undefined reason.
The basics of web design, don't make things hard for your end users, they will find creative ways to do the things they need to do and you might very well not like those solutions.
Wow, this is becoming a discussion that has nothing to do with the OP's expectations or request. Ever go to Match.com or something like that? Being able to circumvent them defeats the purpose. I've actually had to do similar things to scrub data in HIPAA databases and the like. Gets really interesting when the Doctor's name is allowed, but the patient's isn't.
A lot of folks here are trying to Ivory Tower the design. I'm quite sure if they wanted phone numbers passed around, there'd be a bright neon sign (or equivalent) saying "Enter it here." Sometimes, yes, you DO want to make things hard on your users. They don't need to put a phone number in, they just want to.
Then instead of a free entry field it should be a form asking for the exact information his site needs that enforces the field by field level data he is looking for and clearly shows the end user exactly what information is required.
The way he presented that website is that users see a field that says enter anything you feel is relevant to us, and now he's getting information that isn't necessarily what he wanted. Either way it's not a database issue.
December 5, 2014 at 4:35 pm
ZZartin (12/5/2014)
The way he presented that website is that users see a field that says enter anything you feel is relevant to us, and now he's getting information that isn't necessarily what he wanted. Either way it's not a database issue.
On this point we thoroughly agree. It's a data sanitization issue. Sometimes you have to do that at the DB layer. In this case, I'd avoid it. At the least you'd need SQLCLR to get access to full regex.
Never stop learning, even if it hurts. Ego bruises are practically mandatory as you learn unless you've never risked enough to make a mistake.
For better assistance in answering your questions | Forum Netiquette
For index/tuning help, follow these directions. | Tally Tables
Twitter: @AnyWayDBA
December 5, 2014 at 4:53 pm
I can think of at least phive phive phive sicks nein too won ways of defeating whatever you try and code for.
MM
select geometry::STGeomFromWKB(0x0106000000020000000103000000010000000B0000001000000000000840000000000000003DD8CCCCCCCCCC0840000000000000003DD8CCCCCCCCCC08408014AE47E17AFC3F040000000000104000CDCCCCCCCCEC3F9C999999999913408014AE47E17AFC3F9C99999999991340000000000000003D0000000000001440000000000000003D000000000000144000000000000000400400000000001040000000000000F03F100000000000084000000000000000401000000000000840000000000000003D0103000000010000000B000000000000000000143D000000000000003D009E99999999B93F000000000000003D009E99999999B93F8014AE47E17AFC3F400000000000F03F00CDCCCCCCCCEC3FA06666666666FE3F8014AE47E17AFC3FA06666666666FE3F000000000000003D1800000000000040000000000000003D18000000000000400000000000000040400000000000F03F000000000000F03F000000000000143D0000000000000040000000000000143D000000000000003D, 0);
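The check Eric describes (look for runs of consecutive number words), the substring problem in the LIKE-based constraint above (where "phone" counts as "one"), and MM's "phive phive phive sicks nein too won" evasion all point at the same server-side logic: normalise each word to a digit, concatenate adjacent digits into a run, and reject only when a run is long enough to be a phone number. The following is an added reference implementation of that logic, not code from any of the posts in this thread; it is written in Python so it can be run as-is, and the same tables would drive an equivalent check in the ASP.NET code-behind (never only client-side, since the user controls the browser). The word lists, the filler words, and the 7-digit threshold (a NANP local number) are assumptions to be tuned for the site's audience.

```python
"""Detect phone numbers written out in words inside free-form text.

Added reference implementation for the check discussed in this thread; it is
not code from the original posts.  The word lists and the 7-digit threshold
are assumptions and should be tuned for the site's audience.
"""
import re

# Tokens a user might type to stand in for one digit.  Homophones and the
# misspellings seen in the thread ("phive", "sicks", "nein", "too", "won")
# are included so spelling tricks do not defeat the check.
DIGIT_WORDS = {
    "zero": "0", "oh": "0", "o": "0", "nought": "0", "naught": "0", "nil": "0",
    "one": "1", "won": "1", "wun": "1",
    "two": "2", "too": "2", "to": "2", "tu": "2",
    "three": "3", "tree": "3", "free": "3",
    "four": "4", "for": "4", "fore": "4",
    "five": "5", "phive": "5", "fife": "5",
    "six": "6", "sicks": "6", "sics": "6",
    "seven": "7", "sevin": "7",
    "eight": "8", "ate": "8", "ait": "8",
    "nine": "9", "nein": "9", "nyne": "9",
}
TEEN_WORDS = {
    "ten": "10", "eleven": "11", "twelve": "12", "thirteen": "13",
    "fourteen": "14", "fifteen": "15", "sixteen": "16", "seventeen": "17",
    "eighteen": "18", "nineteen": "19",
}
TENS_WORDS = {
    "twenty": "2", "thirty": "3", "forty": "4", "fifty": "5",
    "sixty": "6", "seventy": "7", "eighty": "8", "ninety": "9",
}
# Words allowed inside a number without ending the run ("five five five dash ...").
FILLER = {"dash", "hyphen", "space", "dot", "point", "and", "then"}

# Whole words only: "phone" is not "one" here, unlike a LIKE '%one%' test.
TOKEN_RE = re.compile(r"[a-z]+|\d+")


def digit_runs(text):
    """Return every maximal run of digits the text spells out, in order.

    Literal digits, digit words, teens and tens are concatenated; any other
    word ends the current run.  Filler words are skipped only while a run is
    open, so they never start one.
    """
    words = TOKEN_RE.findall(text.lower())
    runs, run, i = [], "", 0
    while i < len(words):
        w = words[i]
        if w.isdigit():
            run += w
        elif w in TEEN_WORDS:
            run += TEEN_WORDS[w]
        elif w in TENS_WORDS:
            # "sixty nine" -> "69"; a bare "sixty" -> "60".
            nxt = words[i + 1] if i + 1 < len(words) else ""
            if nxt in DIGIT_WORDS and DIGIT_WORDS[nxt] != "0":
                run += TENS_WORDS[w] + DIGIT_WORDS[nxt]
                i += 1
            else:
                run += TENS_WORDS[w] + "0"
        elif w in DIGIT_WORDS:
            run += DIGIT_WORDS[w]
        elif w in FILLER and run:
            pass
        else:
            if run:
                runs.append(run)
            run = ""
        i += 1
    if run:
        runs.append(run)
    return runs


def spelled_out_numbers(text, min_digits=7):
    """Digit runs long enough to be a phone number (7 = a NANP local number)."""
    return [r for r in digit_runs(text) if len(r) >= min_digits]


def contains_phone_number(text, min_digits=7):
    """True when the server-side validator should reject the text."""
    return bool(spelled_out_numbers(text, min_digits))


if __name__ == "__main__":
    # Constructed samples: the thread's own examples plus legitimate family text.
    for sample in (
        "five three three four four nine two eight seven",
        "phive phive phive sicks nein too won",
        "Three four open the door.",
        "Two brothers and one sister; family income is about sixty thousand.",
    ):
        print(f"{contains_phone_number(sample)!s:5} {sample!r} -> {digit_runs(sample)}")
```

Because the decision is made on the length of a run rather than on the presence of individual number words, "two brothers and one sister" or "three four open the door" pass while the OP's nine-word number and MM's seven-word evasion are both rejected; a short run containing an incidental "to" or "for" never reaches the threshold on its own. The homophone table is the part an attacker will keep probing, so log rejected and near-threshold inputs and extend it from real data rather than guessing.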