Bytes | Software Development & Data Engineering Community

How to detect and delete a string like this

Someone filled out a comment form to me with the following string
within the message:
#file=E:\\util\\xr32\\Projects\\www42t35Href.txt
The comments are stored in a mysql database
When php generates the page to display this field, it looks like this:

#file=E:\util\xr32\\Projects\www42t35Href.txt
If I use something like
DELETE FROM database where lower(`comments`) like "%file=%"

or if i try
DELETE FROM database where lower(`comments`) like "%\%"
it fails to detect the string.

How do I detect and rid this kind of posting?

Feb 17 '07 #1
alanbe schreef:
Someone filled out a comment form to me with the following string
within the message:
#file=E:\\util\\xr32\\Projects\\www42t35Href.txt
The comments are stored in a mysql database
When php generates the page to display this field, it looks like this:

#file=E:\util\xr32\\Projects\www42t35Href.txt
If I use something like
DELETE FROM database where lower(`comments`) like "%file=%"

or if i try
DELETE FROM database where lower(`comments`) like "%\%"
it fails to detect the string.

How do I detect and rid this kind of posting?
Why loop through the db? Get ahead of this and check your post
variables :-)

foreach ($_POST as $strToCheck)
{
    // stristr() takes the haystack first, then the needle; case-insensitive
    if (is_string($strToCheck) && stristr($strToCheck, 'file=') !== false)
    {
        echo 'bad words'; exit;
    }
}

--
Arjen
http://www.hondenpage.com
Feb 17 '07 #2
alanbe wrote:
Someone filled out a comment form to me with the following string
within the message:
#file=E:\\util\\xr32\\Projects\\www42t35Href.txt
The comments are stored in a mysql database
When php generates the page to display this field, it looks like this:

#file=E:\util\xr32\\Projects\www42t35Href.txt
If I use something like
DELETE FROM database where lower(`comments`) like "%file=%"

or if i try
DELETE FROM database where lower(`comments`) like "%\%"
it fails to detect the string.

How do I detect and rid this kind of posting?
If this is in your db, I gather you (also) haven't got good measures in
your script preventing SQL injection? If that's the case it's really
easy to do a lot of damage to your database.

Google has plenty hits on this topic, if it's new to you, read up!
PHP has a function to prevent harmful user input strings from wreaking
havoc on your db: mysql_real_escape_string() could be a real friend.

Sh.

Feb 17 '07 #3
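An added example (not code from the thread or any poster) that combines the two suggestions above: a pre-insert check on the submitted comment, and a cleanup query for rows already stored that binds its LIKE pattern as a parameter (mysqli prepared statements are used here in place of mysql_real_escape_string) and escapes LIKE metacharacters, which is why a literal backslash can be matched where the OP's `"%\%"` pattern could not. The table name `comments`, the column `body`, the form field `comment` and the connection details are assumptions.

```php
<?php
declare(strict_types=1);
// Added example, not code from the thread. A pre-insert check on the
// submitted comment (Arjen's idea, narrowed to "#file=X:\...") plus a DELETE
// for rows already stored that binds its LIKE pattern and escapes LIKE
// metacharacters so a literal backslash matches. `comments`/`body` assumed.

/** True when the text carries a "file=<drive>:\..." path marker. */
function looks_like_file_marker(string $comment): bool
{
    // Collapse doubled backslashes so "E:\\util" and "E:\util" match alike.
    $normalized = str_replace('\\\\', '\\', $comment);
    return preg_match('/#?file=[a-z]:\\\\/i', $normalized) === 1;
}

/** Escape a user-supplied fragment for use inside a LIKE pattern. */
function escape_like(string $fragment): string
{
    // Backslash first, so the escapes added for % and _ are not doubled.
    return str_replace(['\\', '%', '_'], ['\\\\', '\\%', '\\_'], $fragment);
}

/** Delete comments whose body contains $fragment; returns rows removed. */
function delete_comments_containing(mysqli $db, string $fragment): int
{
    $pattern = '%' . escape_like($fragment) . '%';
    $stmt = $db->prepare('DELETE FROM comments WHERE body LIKE ?');
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    $stmt->bind_param('s', $pattern);   // bound value, never spliced into SQL
    $stmt->execute();
    $deleted = $stmt->affected_rows;
    $stmt->close();
    return $deleted;
}

// Gate the form submission before anything reaches the database.
if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    $comment = (string) ($_POST['comment'] ?? '');
    if (looks_like_file_marker($comment)) {
        http_response_code(400);
        exit('Comment rejected.');
    }
    // otherwise insert $comment with a prepared statement as well
}

// One-off cleanup of rows already stored (connection details assumed):
// $db = new mysqli('localhost', 'user', 'password', 'site');
// echo delete_comments_containing($db, 'file=E:\\') . " rows removed\n";
```

With a bound parameter MySQL never parses the pattern as a string literal, so the two backslashes produced by escape_like() reach LIKE unchanged and match one literal backslash.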
On Feb 17, 1:38 pm, Schraalhans Keukenmeester <bitbuc...@invalid.spam>
wrote:
alanbe wrote:
Someone filled out a comment form to me with the following string
within the message:
#file=E:\\util\\xr32\\Projects\\www42t35Href.txt
The comments are stored in a mysql database
When php generates the page to display this field, it looks like this:
#file=E:\util\xr32\\Projects\www42t35Href.txt
If I use something like
DELETE FROM database where lower(`comments`) like "%file=%"
or if i try
DELETE FROM database where lower(`comments`) like "%\%"
it fails to detect the string.
How do I detect and rid this kind of posting?

If this is in your db, I gather you (also) haven't got good measures in
your script preventing SQL injection? If that's the case it's really
easy to do a lot of damage to your database.

Google has plenty hits on this topic, if it's new to you, read up!
PHP has a function to prevent harmful user input strings from wreaking
havoc on your db: mysql_real_escape_string() could be a real friend.

Sh.
Advice taken.

I reviewed a few pages on how to use mysql_real_escape_string() and
I implemented it. Also did a little more pre-post security checking.

Thanks
Feb 17 '07 #4