filtering bad user input

Expand Post »

I am trying to set up a jsp page which takes input from any form and filters out user input which may pose a security risk. I am using the following function to try to do this:

Java Syntax (Toggle Plain Text)
 
<%!
private String checkInput(String test){
String bad_input = "";
boolean someBadInput = false;
char[] bad_characters = {'<','>','\'','\"','*','#','=','&','\\',';',':'};
int number_of_bad_characters = 11;
int i;
for(i=0; i<number_of_bad_characters; i++){
if(test.indexOf(bad_characters[i]) != -1){
if(!someBadInput){
	bad_input += bad_characters[i];
	someBadInput = true;
}else{
	if(i < (number_of_bad_characters-1)){
	 bad_input += ", "+ bad_characters[i];
	}else{
	 bad_input += ", and "+ bad_characters[i];
	}
}
}
}
if(someBadInput){
return bad_input;
}else{
return "good";
}
}
%>
 
<%!
private String checkInput(String test){
String bad_input = "";
boolean someBadInput = false;
char[] bad_characters = {'<','>','\'','\"','*','#','=','&','\\',';',':'};
int number_of_bad_characters = 11;
int i;
for(i=0; i<number_of_bad_characters; i++){
if(test.indexOf(bad_characters[i]) != -1){
if(!someBadInput){
	bad_input += bad_characters[i];
	someBadInput = true;
}else{
	if(i < (number_of_bad_characters-1)){
	 bad_input += ", "+ bad_characters[i];
	}else{
	 bad_input += ", and "+ bad_characters[i];
	}
}
}
}
if(someBadInput){
return bad_input;
}else{
return "good";
}
}
%>

I get a null pointer from the following line:

Java Syntax (Toggle Plain Text)
 if(test.indexOf(bad_characters[i]) != -1){
 if(test.indexOf(bad_characters[i]) != -1){

Been working at the computer for too long and going kinda bugeyed - so any other eyes that check this out are much appreciated!

Thanks in advance,
Dave.

Similar Threads

User Input: Strings and Numbers [C] in C
Error Checking for user input in Java
user input into a string in C++
get user input for filename to open in C++
Type Conversion of User Input: in C++

Dave G.

Reputation Points: 10

Solved Threads: 0

Newbie Poster

Offline

7 posts
since Mar 2004

Permalink

Nov 2nd, 2004

Re: filtering bad user input

Wow, this is embarassing - the form I was submitting to the page had a spelling mistake inthe name of a field - so the page was trying to "request.getParameter("non_existant_parameter");" and passing a null pointer into the function. Sometimes you just need some sleep and or do something else for awhile....

Thanks to everyone who looked at the code. Sorry for the inconvienance.

Dave.

Dave G.

Reputation Points: 10

Solved Threads: 0

Newbie Poster

Offline

7 posts
since Mar 2004

This thread is more than three months old

No one has posted to this discussion for at least three months. Please let old threads die and do not reply to them unless you feel you have something new and valuable to contribute that absolutely must be added to make the discussion complete. Otherwise, please start a new thread in this forum instead.

Previous Thread in Java Forum Timeline: help? trying to compare input with symbol.

Next Thread in Java Forum Timeline: Entering through mulitple Textfields

DaniWeb Message

Cancel Changes

User Name
Password