How to detect and delete a string like this

  • alanbe

    How to detect and delete a string like this

    Someone filled out a comment form to me with the following string
    within the message:

    #file=E:\\util\\xr32\\Projects\\www42t35Href.txt

    The comments are stored in a mysql database.
    When php generates the page to display this field, it looks like this:

    #file=E:\util\xr32\\Projects\www42t35Href.txt

    If I use something like
    DELETE FROM database where lower(`comments`) like "%file=%"

    or if I try
    DELETE FROM database where lower(`comments`) like "%\%"

    it fails to detect the string.

    How do I detect and get rid of this kind of posting?

  • Arjen

    #2
    Re: How to detect and delete a string like this

    alanbe wrote:
    > Someone filled out a comment form to me with the following string
    > within the message:
    >
    > #file=E:\\util\\xr32\\Projects\\www42t35Href.txt
    >
    > The comments are stored in a mysql database.
    > When php generates the page to display this field, it looks like this:
    >
    > #file=E:\util\xr32\\Projects\www42t35Href.txt
    >
    > If I use something like
    > DELETE FROM database where lower(`comments`) like "%file=%"
    >
    > or if I try
    > DELETE FROM database where lower(`comments`) like "%\%"
    >
    > it fails to detect the string.
    >
    > How do I detect and get rid of this kind of posting?

    Why loop through the db? Get ahead of this and check your post
    variables :-)

    <?php
    // Reject the submission before it reaches the database: look for the
    // marker in every posted field. stristr() takes the haystack first and
    // the needle second; non-string fields (e.g. checkbox arrays) are skipped.
    foreach ($_POST as $strToCheck) {
        if (is_string($strToCheck) && stristr($strToCheck, 'file=') !== false) {
            echo 'bad words';
            exit;
        }
    }

    --
    Arjen
    HondenPage: everything about your dog or dogs, breeders and puppies. Here you will find the dog forum, dog photos, breeders, puppies, the dog encyclopedia and much more!


    • Schraalhans Keukenmeester

      #3
      Re: How to detect and delete a string like this

      alanbe wrote:
      > Someone filled out a comment form to me with the following string
      > within the message:
      >
      > #file=E:\\util\\xr32\\Projects\\www42t35Href.txt
      >
      > The comments are stored in a mysql database.
      > When php generates the page to display this field, it looks like this:
      >
      > #file=E:\util\xr32\\Projects\www42t35Href.txt
      >
      > If I use something like
      > DELETE FROM database where lower(`comments`) like "%file=%"
      >
      > or if I try
      > DELETE FROM database where lower(`comments`) like "%\%"
      >
      > it fails to detect the string.
      >
      > How do I detect and get rid of this kind of posting?
      >
      If this is in your db, I gather you (also) haven't got good measures in
      your script preventing SQL injection? If that's the case it's really
      easy to do a lot of damage to your database.

      Google has plenty of hits on this topic, if it's new to you, read up!
      PHP has a function to prevent harmful user input strings from wreaking
      havoc on your db: mysql_real_escape_string() could be a real friend.

      Sh.
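
The poster's pattern "%\%" never finds a backslash because both MySQL's string-literal parser and LIKE's own escape handling treat the backslash specially, so the query ends up looking for a literal percent sign; binding the pattern as a parameter removes the string-literal layer, and the prepared statement also closes the injection hole Schraalhans describes. Added example, not code from the thread: it assumes a mysqli connection $db and a table `comments` with columns `id` and `comments`.

```php
<?php
// Added example (not from the thread). Assumes a mysqli connection $db and a
// table `comments` with columns `id` and `comments`.

// Build a LIKE pattern that matches $needle literally. LIKE treats \ % and _
// as special, so each is prefixed with a backslash; a backslash in the data is
// therefore searched for as "\\". Because the pattern is bound as a parameter,
// no string-literal escaping layer is applied on top of this.
function likePattern(string $needle): string {
    return '%' . addcslashes($needle, '\\%_') . '%';
}

// Rows whose comment contains $needle anywhere, e.g. a backslash or "file=".
function findCommentsContaining(mysqli $db, string $needle): array {
    $pattern = likePattern($needle);
    $stmt = $db->prepare('SELECT id, comments FROM comments WHERE comments LIKE ?');
    $stmt->bind_param('s', $pattern);
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}

// Delete only after reviewing what findCommentsContaining() returns.
function deleteCommentsContaining(mysqli $db, string $needle): int {
    $pattern = likePattern($needle);
    $stmt = $db->prepare('DELETE FROM comments WHERE comments LIKE ?');
    $stmt->bind_param('s', $pattern);
    $stmt->execute();
    return $stmt->affected_rows;
}

// Usage: a single backslash ('\\' in PHP) finds the poster's row;
// 'file=' finds it by its marker text.
// $hits = findCommentsContaining($db, '\\');
// $hits = findCommentsContaining($db, 'file=');
```

mysql_real_escape_string() only handles the string-literal layer (and the mysql_* extension it belongs to was removed in PHP 7), so the LIKE layer still needs the addcslashes() step above even when escaping is used instead of parameters.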


      • alanbe

        #4
        Re: How to detect and delete a string like this

        On Feb 17, 1:38 pm, Schraalhans Keukenmeester <bitbuc...@invalid.spam>
        wrote:
        > alanbe wrote:
        > > Someone filled out a comment form to me with the following string
        > > within the message:
        > >
        > > #file=E:\\util\\xr32\\Projects\\www42t35Href.txt
        > >
        > > The comments are stored in a mysql database.
        > > When php generates the page to display this field, it looks like this:
        > >
        > > #file=E:\util\xr32\\Projects\www42t35Href.txt
        > >
        > > If I use something like
        > > DELETE FROM database where lower(`comments`) like "%file=%"
        > >
        > > or if I try
        > > DELETE FROM database where lower(`comments`) like "%\%"
        > >
        > > it fails to detect the string.
        > >
        > > How do I detect and get rid of this kind of posting?
        >
        > If this is in your db, I gather you (also) haven't got good measures in
        > your script preventing SQL injection? If that's the case it's really
        > easy to do a lot of damage to your database.
        >
        > Google has plenty of hits on this topic, if it's new to you, read up!
        > PHP has a function to prevent harmful user input strings from wreaking
        > havoc on your db: mysql_real_escape_string() could be a real friend.
        >
        > Sh.

        Advice taken.

        I reviewed a few pages on how to use mysql_real_escape_string() and
        I implemented it. Also did a little more pre-post security checking.

        Thanks

