How to detect and delete a string like this

Someone filled out a comment form to me with the following string
within the message:
#file=E:\\util\\xr32\\Projects\\www42t35Href.txt
The comments are stored in a MySQL database.
When PHP generates the page to display this field, it looks like this:

#file=E:\util\xr32\\Projects\www42t35Href.txt
If I use something like
DELETE FROM database where lower(`comments`) like "%file=%"

or if I try
DELETE FROM database where lower(`comments`) like "%\%"
it fails to detect the string.

How do I detect and rid this kind of posting?

Feb 17 '07 #1
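The pattern problem in the question, as an added example that is not code from the thread: in MySQL, "%\%" never matches a backslash, because after the string literal is parsed LIKE reads the remaining backslash as its own escape character, so the pattern actually means "a literal percent sign". The PHP/PDO below finds such rows by passing each needle as a bound parameter to LOCATE(), which does no wildcard or escape processing at all, and then deletes by primary key after the hits have been reviewed. The table and column names (`comments`.`id`, `comments`.`comments`), the DSN and the credentials are assumptions.

```php
<?php
// Added example (not the thread's code). Assumed schema: table `comments`
// with columns `id` (primary key) and `comments` (the message text).

// "%\%" fails because MySQL applies two layers of backslash handling:
//   1. the string-literal parser turns \\ into \ (and leaves \% as \%),
//   2. LIKE then reads a remaining backslash as its escape character,
//      so \% means "a literal percent sign", not "a backslash".
// LOCATE(substr, str) does neither, and a bound parameter is never parsed
// as part of the SQL text, so the needle is matched exactly as given.
function findSuspiciousComments(PDO $pdo, array $needles): array
{
    if ($needles === []) {
        return [];
    }
    $clauses = array_fill(0, count($needles), 'LOCATE(?, LOWER(comments)) > 0');
    $sql     = 'SELECT id, comments FROM comments WHERE ' . implode(' OR ', $clauses);
    $stmt    = $pdo->prepare($sql);
    $stmt->execute(array_map('strtolower', array_values($needles)));
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Delete only rows that were reviewed, by primary key, rather than by a
// pattern: a pattern that is slightly too wide silently removes real comments.
function deleteCommentsById(PDO $pdo, array $ids): int
{
    if ($ids === []) {
        return 0;
    }
    $marks = implode(',', array_fill(0, count($ids), '?'));
    $stmt  = $pdo->prepare("DELETE FROM comments WHERE id IN ($marks)");
    $stmt->execute(array_values($ids));
    return $stmt->rowCount();
}

// DSN and credentials are placeholders.
$pdo = new PDO(
    'mysql:host=localhost;dbname=site;charset=utf8mb4',
    'dbuser',
    'dbpass',
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]
);

// In a single-quoted PHP string '\\' is one backslash.
$hits = findSuspiciousComments($pdo, ['file=', '\\']);
foreach ($hits as $row) {
    printf("%d: %s\n", $row['id'], $row['comments']);
}

// Once the list has been checked by eye:
// deleteCommentsById($pdo, array_column($hits, 'id'));
```

If LIKE is really wanted, the same trick applies: bind the pattern as a parameter and change the escape character with `LIKE ? ESCAPE '|'`, so a backslash in the pattern is an ordinary character and the double-escaping question does not arise. Either way, select and look first; a DELETE driven by a pattern you have not seen match is how legitimate comments disappear.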
3 Replies


alanbe wrote:
> Someone filled out a comment form to me with the following string
> within the message:
> #file=E:\\util\\xr32\\Projects\\www42t35Href.txt
> The comments are stored in a MySQL database.
> When PHP generates the page to display this field, it looks like this:
>
> #file=E:\util\xr32\\Projects\www42t35Href.txt
> If I use something like
> DELETE FROM database where lower(`comments`) like "%file=%"
>
> or if I try
> DELETE FROM database where lower(`comments`) like "%\%"
> it fails to detect the string.
>
> How do I detect and rid this kind of posting?

Why loop through the db ? Get ahead of this and check your post
variables :-)

<?php
// Reject the request before anything reaches the database.
foreach ($_POST as $strToCheck) {
    // stristr() takes the haystack first, then the needle, and is
    // case-insensitive; it returns false when the needle is absent.
    if (stristr($strToCheck, 'file=') !== false) {
        echo 'bad words';
        exit;
    }
}

--
Arjen
http://www.hondenpage.com
Feb 17 '07 #2

alanbe wrote:
> Someone filled out a comment form to me with the following string
> within the message:
> #file=E:\\util\\xr32\\Projects\\www42t35Href.txt
> The comments are stored in a MySQL database.
> When PHP generates the page to display this field, it looks like this:
>
> #file=E:\util\xr32\\Projects\www42t35Href.txt
> If I use something like
> DELETE FROM database where lower(`comments`) like "%file=%"
>
> or if I try
> DELETE FROM database where lower(`comments`) like "%\%"
> it fails to detect the string.
>
> How do I detect and rid this kind of posting?

If this is in your db, I gather you (also) haven't got good measures in
your script preventing SQL injection? If that's the case it's really
easy to do a lot of damage to your database.

Google has plenty of hits on this topic; if it's new to you, read up!
PHP has a function to prevent harmful user input strings from wreaking
havoc on your db: mysql_real_escape_string() could be a real friend.

Sh.

Feb 17 '07 #3
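The comment insert written three ways, as an added example that is not code from the thread: the vulnerable string-splicing form, the escaping form this reply recommends, and a prepared statement. The mysql_* extension was removed in PHP 7, so the escaping form uses mysqli's real_escape_string(), which is the same client-library call that mysql_real_escape_string() wrapped. The table and column names (`comments`.`name`, `comments`.`comments`) and the connection details are assumptions; the sample input is constructed from the string in the original post.

```php
<?php
// Added example, not the thread's code. Assumed schema: table `comments`
// with columns `name` and `comments`. Connection details are placeholders.

// VULNERABLE: the submitted text becomes part of the SQL statement itself.
// A value containing a single quote ends the literal early and the rest is
// parsed as SQL; a value ending in a backslash escapes the closing quote
// instead. Even when nothing breaks, MySQL's string parser collapses each
// \\ in the value to \, so what is stored is not what was submitted.
function insertCommentVulnerable(mysqli $db, string $name, string $text): bool
{
    $sql = "INSERT INTO comments (name, comments) VALUES ('$name', '$text')";
    return (bool) $db->query($sql);
}

// ESCAPED: what the reply suggests. real_escape_string() backslash-escapes
// ' " \ NUL \n \r and Ctrl-Z according to the connection's character set,
// so the value stays inside its quotes. It only protects values that ARE
// inside quotes, and only if the charset was set with set_charset() rather
// than a raw "SET NAMES" query the escaper does not know about.
function insertCommentEscaped(mysqli $db, string $name, string $text): bool
{
    $safeName = $db->real_escape_string($name);
    $safeText = $db->real_escape_string($text);
    $sql = "INSERT INTO comments (name, comments) VALUES ('$safeName', '$safeText')";
    return (bool) $db->query($sql);
}

// PREPARED: the statement text is fixed and the values travel separately,
// so no character in the input can change the statement. Backslashes,
// quotes and percent signs are stored exactly as typed.
function insertCommentPrepared(mysqli $db, string $name, string $text): bool
{
    $stmt = $db->prepare('INSERT INTO comments (name, comments) VALUES (?, ?)');
    $stmt->bind_param('ss', $name, $text);
    return $stmt->execute();
}

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$db = new mysqli('localhost', 'dbuser', 'dbpass', 'site');
$db->set_charset('utf8mb4');

// Constructed input: a name with a quote, and the exact string from the
// original post (a nowdoc keeps every backslash literally).
$name = "O'Brien";
$text = <<<'TXT'
#file=E:\\util\\xr32\\Projects\\www42t35Href.txt
TXT;

insertCommentPrepared($db, $name, $text);
// insertCommentEscaped($db, $name, $text);    // works, but relies on quoting discipline
// insertCommentVulnerable($db, $name, $text); // throws: the quote in $name breaks the SQL
```

Escaping or binding for SQL says nothing about the other direction: when the stored comment is printed back into a page it needs HTML escaping (htmlspecialchars()) at that point, which is a separate step from anything done here.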

On Feb 17, 1:38 pm, Schraalhans Keukenmeester <bitbuc...@invalid.spam>
wrote:
> If this is in your db, I gather you (also) haven't got good measures in
> your script preventing SQL injection? If that's the case it's really
> easy to do a lot of damage to your database.
>
> Google has plenty of hits on this topic; if it's new to you, read up!
> PHP has a function to prevent harmful user input strings from wreaking
> havoc on your db: mysql_real_escape_string() could be a real friend.
>
> Sh.

Advice taken.

I reviewed a few pages on how to use mysql_real_escape_string() and
I implemented it. Also did a little more pre-post security checking.

Thanks
Feb 17 '07 #4
