Sanitizing user comment entries text field help

On the button Submit mouse up I have a script with this:

Comments = self.parent.parent.getChild("topspacer flex_5").getChild("TextField_0").props.text
Comments = Comments.replace('?', ' ')
Comments = Comments.replace('!', ' ')
Comments = Comments.replace('#', '_')
Comments = Comments.replace('%', ' ')
Comments = Comments.replace('^', ' ')
Comments = Comments.replace('*', ' ')
Comments = Comments.replace('~', ' ')
Comments = Comments.replace('[', ' ')
Comments = Comments.replace(']', ' ')
Comments = Comments.replace('{', ' ')
Comments = Comments.replace('}', ' ')
Comments = Comments.replace('+', ' ')
Comments = Comments.replace('=', ' ')
Comments = Comments.replace('`', ' ')
Comments = Comments.replace('\\', ' ')
Comments = Comments.replace('/', '_')
Comments = Comments.replace('"', ' ')
Comments = Comments.replace('\'', ' ')
Comments = Comments.replace('$', ' ')
Comments = Comments.replace('|', ' ')
Comments = Comments.replace(',', '_')

It clearly says to replace the "]" with a ' '.

However, 40 lines of code later I call a runPrepUpdate.
In the log I can see someone tried a few times to submit a comment with a “]” on the end.

Then also, I want to limit the text length in this script.

You can chain replaces:

Comments = (
  Comments
  .replace('?', ' ')
  .replace('!', ' ')
  .replace('#', '_')
  .replace('%', ' ')
  )

You can limit the length like this: Comments = Comments[:50]
(which can also be chained)

2 Likes

This may seem like a stupid question, but what is the goal of your script? Are you trying to sanitize user input to avoid SQL injection attacks? Because that’s what I thought the system.db.runPrepUpdate was supposed to do.

I am trying to make the runPrepUpdate not fault out so I can put the user comments on the reports.

thanks again Victor, I kept looking at this one set of code and was so confused, but when you wrote it, I was like oh it is slicing haha

1 Like

This should not fault out tho :o How are you using it?
(at least not because of a user inputting a string)

3 Likes

Wrap it in a try / except block. Upon exception, tell the user he screwed up.

3 Likes

Thanks

Is there a way to check how many varchars a column was set for in Ignition?

I might put just limit to 80 characters.

Comments come into a text field.
Submit button runs a script.
Gets the comment.
supposed to sanitize it…
then puts it into the runPrepUpdate

However, I was getting a ] on the end when I look at the logs for the error running the script.
So maybe too many characters were being used and the error just puts a ] there

I would use Regular Expressions for this, and condense the code significantly.

import re

Comments = self.parent.parent.getChild("topspacer flex_5").getChild("TextField_0").props.text
# '_' for: # / ,   and ' ' for: ? ! % ^ * ~ [ ] { } + = ` \ " ' $ |
# Raw strings, so the backslash and the single quote really are in the class
# (in a plain literal, '\\"' reaches the regex engine as \" and only matches the double quote)
Comments = re.sub(r'[#/,]', '_', re.sub(r'''[?!%^*~\[\]{}+=`\\"'$|]''', ' ', Comments))

Also, I would tend to not let them input a string longer than acceptable. As in rather than just accepting and then stripping the text, don’t allow them to enter any characters past that point.

The first leads the user to believe what they entered was successfully processed as they entered it rather than as it was actually processed.

2 Likes
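Added example, not code from anyone in this thread: the regex version of the sanitizer as a reusable function with the length cap the original poster wanted, plus a side-by-side check of why the escaping of the backslash matters. The function name, the 80-character default and the sample strings are my own assumptions.

```python
import re

# Characters the original replace() chain mapped to '_':  # / ,
# Characters the original replace() chain mapped to ' ':  ? ! % ^ * ~ [ ] { } + = ` \ " ' $ |
TO_UNDERSCORE = re.compile(r'[#/,]')

# Raw string: inside a character class only ']' and '\' need escaping, so the
# backslash and the single quote are genuinely part of the class here.
TO_SPACE = re.compile(r'''[?!%^*~\[\]{}+=`\\"'$|]''')

# Pitfall: in a plain (non-raw) literal, '\\"' reaches the regex engine as \"
# which matches only the double quote, so a backslash in the comment survives.
NAIVE_TO_SPACE = re.compile('[?!%^*~\\[\\]{}+=`\\"$|]')


def sanitize_comment(text, max_len=80):
    """Apply the thread's substitutions, then cap the length by slicing.

    max_len=80 is an assumed column width, not a value from the thread's database.
    A None text (unset text field) is treated as an empty comment.
    """
    if text is None:
        return ''
    cleaned = TO_UNDERSCORE.sub('_', TO_SPACE.sub(' ', text))
    return cleaned[:max_len]


if __name__ == '__main__':
    # Constructed sample inputs
    for sample in ('Pump 3 failed [again]!', 'a\\b"c\'d', 'x/y,z#1', 'a' * 100):
        print(repr(sample), '->', repr(sanitize_comment(sample, max_len=20)))
    # The naive pattern leaves the backslash in place; the raw-string pattern does not
    print(repr(NAIVE_TO_SPACE.sub(' ', 'a\\b')), 'vs', repr(TO_SPACE.sub(' ', 'a\\b')))
```

The compiled patterns live at module level so they are built once, which is what you want in a button script that runs on every click.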

If you can standardize on a single replace character, the regex becomes simpler.

import re

Comments = self.parent.parent.getChild("topspacer flex_5").getChild("TextField_0").props.text

pattern = re.compile('[^a-zA-Z0-9 -]')

Comments = pattern.sub('', Comments)

3 Likes

I'm still somewhat confused why you have to escape these characters when properly using runPrepUpdate. When supplied as parameters do these cause a fault?

Can you post the error message you get when the characters are not escaped?

1 Like

how do you not let them put in text that is too long?

hand slapper on their keyboard? jk

You were asked a couple of times why you are stripping those characters from the user comments but you didn’t explain.

See comment 6 7

I have tried to answer those questions.
Probably there is a gap between my understanding and your expectation of an answer, I think.
I am doing my best to read the content recommended and learn it.

Personally I think that sanitizing the user input in this fashion is counter productive.

Assuming a non-malicious actor, the user has explicitly entered a richly formatted comment, which the system then helpfully cleans up. Thus what is saved in the system is not what the user entered, and the user has no idea that the difference exists.

But because we should always assume a malicious actor, the system should be able to cope with any user entered data and not crash and burn due to a craftily formatted input. But IMHO filtering text is not the preferred way to do it. (See SQL Injection Prevention Cheat Sheet for example, where input filtering is the last of the suggested methods)

1 Like
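Added example, not code from anyone in this thread: a stand-in for the pattern

system.db.runPrepUpdate("INSERT INTO comments (body) VALUES (?)", [Comments])

written against sqlite3 so it runs offline. It shows the point made above: with the value bound as a parameter, the driver never interprets it as SQL, so ] ' " \ and even a DROP TABLE payload are stored exactly as typed, and no character stripping is needed. What a bound parameter cannot fix is a value longer than the column allows, so that is checked up front and the insert is wrapped in try/except as suggested earlier in the thread. The table, the COMMENT_MAX width and the sample comments are my assumptions.

```python
import sqlite3

# Assumed column width. In MySQL, SQL Server or Postgres the real value can be
# read from INFORMATION_SCHEMA.COLUMNS.CHARACTER_MAXIMUM_LENGTH for the column.
COMMENT_MAX = 80


def open_db():
    """Constructed in-memory table standing in for the reports database."""
    conn = sqlite3.connect(':memory:')
    conn.execute("CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT NOT NULL)")
    return conn


def save_comment(conn, comment):
    """Validate the comment, then insert it with a bound parameter.

    Returns (ok, message) so the button script can show the user what happened
    instead of faulting.
    """
    if comment is None or not comment.strip():
        return False, "Comment is empty"
    if len(comment) > COMMENT_MAX:
        return False, "Comment is %d characters; limit is %d" % (len(comment), COMMENT_MAX)
    try:
        # The '?' placeholder is the same shape runPrepUpdate uses; the value is
        # passed as data, never spliced into the SQL text.
        conn.execute("INSERT INTO comments (body) VALUES (?)", [comment])
        conn.commit()
        return True, "Saved"
    except sqlite3.Error as e:
        # Equivalent of catching the runPrepUpdate fault: report it, don't crash the UI
        return False, "Database error: %s" % e


def stored_comments(conn):
    """Read back what was actually stored, in insertion order."""
    return [row[0] for row in conn.execute("SELECT body FROM comments ORDER BY id")]


if __name__ == '__main__':
    db = open_db()
    # Constructed sample inputs: one with every 'dangerous' character from the
    # thread, one classic injection attempt, one that is simply too long
    for sample in ("Valve stuck [again] \"see\" 'log' \\ path",
                   "x'); DROP TABLE comments; --",
                   "a" * 81):
        print(save_comment(db, sample))
    print(stored_comments(db))
```

The length check is deliberately before the insert: a VARCHAR overflow is the one input problem a parameterised statement will still raise as an error on most databases, and telling the user the limit beats a generic fault.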

Hence, my first comment.

3 Likes

ah, I can check the length in the except section, got it

Thanks for the help, and sorry I didn't see this question. The posts were rapid for me. I was also trying to research things that were said and read the recommended pages. Sorry.

@zacht
The error is

JythonExecException:
Traceback (most recent call last): File "", line 58, in runAction 

farther down

java.lang.Exception:
Error executing system.db.runPrepUpdate(

It spit out my insert along with the data that was getting stuffed into it

Among that data, the only thing that I saw which was suspect was this “]” on the end of the comments.

I think the question is less about the error and more about, why you need to remove all of these characters from the string.

What is the intent behind the sterilization?

to remove that “]” which is in the error

or anything like that

to get the script to not fault, or to make it work on try before except now

You are replacing 20 other characters. Why?