Regular expression validator validation expression

Question

1.00/5 (1 vote)

See more:

The form page for submitting questions keeps giving me my error message and I can't figure out why. The only thing I don't want are the "H1 - H4" attributes, <input, <a and . With the questions and answers need to be able to allow all other. However, by typing the following into the textbox I get my error message telling me my question is not vaild.

Question being typed in: What is the best way to stop the ringing, buzzing sound I hear

Produces the postNewQuestion.aspx RegularExpressionValidator error message.

If I remove the RegularExpressionValidator from the page and try to submit the question to the access database; I get the following error instead:

Server Error in '/' Application.

Data type mismatch in criteria expression.

Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

Exception Details: System.Data.OleDb.OleDbException: Data type mismatch in criteria expression.

Source Error:

Line 26: com.CommandText = "insert into QuestionList values('" + qid + "','" + TextBox1.Text + "','" + DropDownList1.SelectedValue + "','" + DateTime.Now.ToLongDateString() + "','" + Session("member") + "')"
Line 27: con.Open()
Line 28: com.ExecuteNonQuery()
Line 29: Dim pointCnt As New DataTable
Line 30: pointDs = New OleDbDataAdapter("select [points] from Points where Member='" + Session("member") + "'", con)

Source File: E:\hosting\blueeyeweb\postNewQuestion.aspx.vb Line: 28

Stack Trace:

[OleDbException (0x80040e07): Data type mismatch in criteria expression.]
System.Data.OleDb.OleDbCommand.ExecuteCommandTextErrorHandling(OleDbHResult hr) +1007584
System.Data.OleDb.OleDbCommand.ExecuteCommandTextForSingleResult(tagDBPARAMS dbParams, Object& executeResult) +255
System.Data.OleDb.OleDbCommand.ExecuteCommandText(Object& executeResult) +188
System.Data.OleDb.OleDbCommand.ExecuteCommand(CommandBehavior behavior, Object& executeResult) +58
System.Data.OleDb.OleDbCommand.ExecuteReaderInternal(CommandBehavior behavior, String method) +161
System.Data.OleDb.OleDbCommand.ExecuteNonQuery() +113
postNewQuestion.Button1_Click(Object sender, EventArgs e) in E:\hosting\blueeyeweb\postNewQuestion.aspx.vb:28
System.Web.UI.WebControls.Button.OnClick(EventArgs e) +111
System.Web.UI.WebControls.Button.RaisePostBackEvent(String eventArgument) +110
System.Web.UI.WebControls.Button.System.Web.UI.IPostBackEventHandler.RaisePostBackEvent(String eventArgument) +10
System.Web.UI.Page.RaisePostBackEvent(IPostBackEventHandler sourceControl, String eventArgument) +13
System.Web.UI.Page.RaisePostBackEvent(NameValueCollection postData) +36
System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +1565

<b>What I have tried:</b>

postNewQuestion.aspx

<pre>
<asp:TextBox ID="TextBox1" runat="server" style="text-align: left" TextMode="MultiLine" Width="313px" Height="140px" CssClass="polbx"></asp:TextBox><br />

<asp:RegularExpressionValidator ID="RegularExpressionValidator1" runat="server" ErrorMessage="*" ValidationExpression="[^\<\>\'\@]" ControlToValidate="TextBox1"></asp:RegularExpressionValidator>

<center><asp:Button ID="Button1" runat="server" Text="Ask Question" /></center>

<asp:Label ID="errMessage" runat="server" Font-Bold="True" Font-Size="Larger" ForeColor="#FF3300" Width="100%"></asp:Label>
</pre>

postNewQuestion.aspx.vb
<pre>
Dim dap, pointDs As OleDbDataAdapter
Dim con As OleDbConnection
Dim com As New OleDbCommand
Dim invalid() As String = {"<h1>", "<script>", "<h2>", "<input", "<h3>", "<a", "<h4>"}

Protected Sub Button1_Click(ByVal sender As Object, ByVal e As System.EventArgs) Handles Button1.Click
If Button1.Text = "Ask Question" Then
If TextBox1.Text <> "" Then
For Each s As String In invalid
If TextBox1.Text.ToLower.Contains(s) = True Then
errMessage.Text = Server.HtmlEncode("Cannot Contain <h1>,<Script>,<input>,<a> etc tags")
Exit Sub
End If
Next
con = New OleDbConnection("Provider=Microsoft.Jet.Oledb.4.0 ;data source=" & Server.MapPath("app_data/SimpleQSet.mdb") & ";")

com.Connection = con
Session("member") = "Charles Smith"
Dim ran As New Random
Dim qid As String = ran.Next(0, TextBox1.Text.Length)
com.CommandText = "insert into QuestionList values('" + qid + "','" + TextBox1.Text + "','" + DropDownList1.SelectedValue + "','" + DateTime.Now.ToLongDateString() + "','" + Session("member") + "')"
con.Open()
com.ExecuteNonQuery()
Dim pointCnt As New DataTable
pointDs = New OleDbDataAdapter("select [points] from Points where Member='" + Session("member") + "'", con)
pointDs.Fill(pointCnt)
Dim pnt As Integer = pointCnt.Rows(0)(0) + 1
com.CommandText = "update points set [points]='" & pnt & "' where member='" & Session("member") & "'"
com.ExecuteNonQuery()
con.Close()
Else
errMessage.Text = "Question Cannot Be Blank"
End If
Else
Response.Redirect("~/postNewQuestion-Confirmed.aspx")
End If

con.Close()

End Sub
</pre>

postNewQuestion.aspx.vb - <b>Full Code</b>

<pre>Imports System.Data.OleDb
Imports System.Data

Partial Class postNewQuestion
Inherits System.Web.UI.Page

Dim dap, pointDs As OleDbDataAdapter
Dim con As OleDbConnection
Dim com As New OleDbCommand
Dim invalid() As String = {"<h1>", "<script>", "<h2>", "<input", "<h3>", "<a", "<h4>"}
Protected Sub Button1_Click(ByVal sender As Object, ByVal e As System.EventArgs) Handles Button1.Click
If Button1.Text = "Ask Question" Then
If TextBox1.Text <> "" Then
For Each s As String In invalid
If TextBox1.Text.ToLower.Contains(s) = True Then
errMessage.Text = Server.HtmlEncode("Cannot Contain <h1>,<Script>,<input>,<a> etc tags")
Exit Sub
End If
Next
con = New OleDbConnection("Provider=Microsoft.Jet.Oledb.4.0 ;data source=" & Server.MapPath("app_data/SimpleQSet.mdb") & ";")

com.Connection = con
Session("member") = "Charles Smith"
Dim ran As New Random
Dim qid As String = ran.Next(0, TextBox1.Text.Length)
com.CommandText = "insert into QuestionList values('" + qid + "','" + TextBox1.Text + "','" + DropDownList1.SelectedValue + "','" + DateTime.Now.ToLongDateString() + "','" + Session("member") + "')"
con.Open()
com.ExecuteNonQuery()
Dim pointCnt As New DataTable
pointDs = New OleDbDataAdapter("select [points] from Points where Member='" + Session("member") + "'", con)
pointDs.Fill(pointCnt)
Dim pnt As Integer = pointCnt.Rows(0)(0) + 1
com.CommandText = "update points set [points]='" & pnt & "' where member='" & Session("member") & "'"
com.ExecuteNonQuery()
con.Close()
Else
errMessage.Text = "Question Cannot Be Blank"
End If
Else
Response.Redirect("~/postNewQuestion-Confirmed.aspx")
End If

con.Close()

End Sub

Protected Sub Page_Load(ByVal sender As Object, ByVal e As System.EventArgs) Handles Me.Load
If Session("member") = Nothing Then
Button1.Text = "Sign In To Post a Question"
End If
End Sub

Protected Sub Page_int(ByVal sender As Object, ByVal e As System.EventArgs) Handles Me.Load
If Session("member") = Nothing Then

Response.Redirect("error42059loginrequired.aspx")

End If
End Sub
End Class
</pre>

Posted 21-Sep-17 19:54pm

Edward Mergel

Updated 21-Sep-17 20:19pm

Add a Solution

1 solution

Add a Solution

Add your solution here

Treat my content as plain text, not as HTML

Preview 0

…

Existing Members

Sign in to your account

...or Join us

Download, Vote, Comment, Publish.

Your Email
Password
Forgot your password?

Your Email
This email is in use. Do you need your password?
Optional Password

I have read and agree to the Terms of Service and Privacy Policy
Please subscribe me to the CodeProject newsletters

When answering a question please:

Read the question carefully.
Understand that English isn't everyone's first language so be lenient of bad spelling and grammar.
If a question is poorly phrased then either ask for clarification, ignore it, or edit the question and fix the problem. Insults are not welcome.
Don't tell someone to read the manual. Chances are they have and don't get it. Provide an answer or move on to the next question.

Let's work to help developers, not make them feel stupid.

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

OriginalGriff · Accepted Answer · 2017-09-21T20:19:00

Stop doing it like that!
Never concatenate strings to build a SQL command. It leaves you wide open to accidental or deliberate SQL Injection attack which can destroy your entire database. Use Parametrized queries instead.

When you concatenate strings, you cause problems because SQL receives commands like:

SQL

SELECT * FROM MyTable WHERE StreetAddress = 'Baker's Wood'

The quote the user added terminates the string as far as SQL is concerned and you get problems. But it could be worse. If I come along and type this instead: "x';DROP TABLE MyTable;--" Then SQL receives a very different command:

SQL

SELECT * FROM MyTable WHERE StreetAddress = 'x';DROP TABLE MyTable;--'

Which SQL sees as three separate commands:

SQL

SELECT * FROM MyTable WHERE StreetAddress = 'x';

A perfectly valid SELECT

SQL

DROP TABLE MyTable;

A perfectly valid "delete the table" command

SQL

--'

And everything else is a comment.
So it does: selects any matching rows, deletes the table from the DB, and ignores anything else.

So ALWAYS use parameterized queries! Or be prepared to restore your DB from backup frequently. You do take backups regularly, don't you?

And ... when you fix that, a lot of your problems will disappear ...