Re: Database abuse help needed


 



Well this is cute, really it is.


Kudos to all the in_array ideas and so forth


But really this is just an example.

In reality this wouldn't work how you've planned.


For example take this quite realistic possibility.

Let's assume the word "bad" is in your array of bad words.


Now for realistic reasons I will tell you now that the word "bad" I am going to use as the word we all know exists as a derogatory slang form of human reproduction or cursing [it starts with an F in case you haven't figured it out yet, four letters, ends in K, got it yet? ]

Now as we know this "bad" word can be written many ways; remember, I won't use the real word, just our safe substitute:
bad, bader, bading, baden, badhead, badwit, badoff, baded,

and there may be many more I can't think of....

Point being? Unless you do something more exotic than a precise word match, it won't catch these suffixed versions, or even altered spelling versions.


Now the next even larger problem?

This in_array thing? It's cute, but if you have more than one word in any of your POST variables [which would be pretty safe to assume unless you have a bad habit of sending those one word subject, one word content, one word sender types of emails] then it won't work either.


If this is passed as say $_POST["name"]="You are a bad head!"

your little snippet here will try to match "You are a bad head!" against singular words such as ["this", "is", "a", "bad", "word"]

What you need is to break up each word in your string, then do some form of processing ;-)





Ok ok, so you want the secrets now don't you??

Ok try signing up at these sites with names like: root, radix, admin, or some common profanity, which is located anywhere in the username, alias, etc:
http://www.befitcommunity.com
www.the-spectrum.org

Exactly..

Now for my implementation I ONCE AGAIN "BAD"ING rely on my regular expressions


OH SURPRISE SURPRISE, maybe they were invented for a purpose???


It's ok, never mind, it's a personal joke of mine on this list; it seems 2% of the PHP dev population is aware of what a regular expression is, and only 5% of those 2% know how to write a functioning OH SO difficult expression pattern..



Here's the code [brace yourself, it's SOOOO advanced, took me a WHOLE 0 text books to master how to handle myself with a regular expression parser]:

// Pattern library: one PCRE pattern per field type.
$SYSTEM["REX_FILTER"] = array();
$SYSTEM["REX_FILTER"]["user_name"] = "/^[a-z]{2,}[a-z0-9\_\-]+$/i";
$SYSTEM["REX_FILTER"]["password"] = "/^[a-z0-9\_\-\ \!\.]+$/i";
//$SYSTEM["REX_FILTER"]["password_chk"] = "/([0-9]+[a-zA-Z\_\-\ ]+|[a-zA-Z\_\-\ ]+[0-9]+).*[0-9]*$/i";
$SYSTEM["REX_FILTER"]["alias"] = "/^[a-z0-9\.\_\-\!ÇüéâäàåçêëèïîìÄÅÉæÆôöòûùÿÖÜ¢£¥]+$/i";
$SYSTEM["REX_FILTER"]["email"] = "/^[a-z\_0-9\.]+@[A-Za-z0-9\-]+\.[A-Za-z0-9\-]{2,}/i";
$SYSTEM["REX_FILTER"]["name"] = "/^[a-zÇüéâäàåçêëèïîìÄÅÉæÆôöòûùÿÖÜ¢£¥]+$/i";
// The two word lists are unanchored, so they match anywhere inside the value.
$SYSTEM["REX_FILTER"]["RESERVED_WORDS"] = "/admin|web.+(master|root)|root|forum|profile|preview|befit/i";
$SYSTEM["REX_FILTER"]["BANNED_WORDS"] = "/(fuck|cunt|shit|wanker|dick([^ ]*(head|suck|lick)))/i";

// Validation of the submitted user name; the first failing check wins.
$errarr = array();   // collects the error messages
$owner = "";         // message prefix, set elsewhere in the original library

if (strlen($_POST["user_name"]) < 5 or strlen($_POST["user_name"]) > 32) {
    $errarr[] = $owner."user name must be between 5 and 32 characters [inclusive]";
} elseif (!preg_match($SYSTEM["REX_FILTER"]["user_name"], $_POST["user_name"])) {
    // NB: the user_name pattern admits only letters, digits, - and _; it does not admit the space this message mentions.
    $errarr[] = $owner."user name must start with at least 2 alphabetical characters and must be followed by only alphanumerical characters and/or the following characters: - (hyphen) _ (underscore) \" \" (space)";
} elseif (preg_match($SYSTEM["REX_FILTER"]["RESERVED_WORDS"], $_POST["user_name"])) {
    $errarr[] = $owner."user name contains reserved or system words";
} elseif (preg_match($SYSTEM["REX_FILTER"]["BANNED_WORDS"], $_POST["user_name"])) {
    $errarr[] = $owner."user name contains \"inappropriate\" or \"offensive\" words";
}



Ok so first, that's from two far and distant libraries on my site; the first part with the Array definition is contained in a global core variable definition library I have...


It's basically just there to define the patterns I've chosen to use for particular fields. Easy enough?


Then I have the second part, which uses the PCRE [perl compat reg exp] handler functions of PHP to attempt matching my patterns to the given inputs from user.


Easy right???


Too easy, and extremely fast and effective...



Feel free to pick me apart though, I'd love to hear all the negative things people have to say about regular expressions.

They are like cars, I find: everyone bitches about how expensive they are to run, but wouldn't we be BADed without them!?!?!?


---oOo---
Allowing users to execute CGI scripts in any directory should only be considered if: ... a.. You have no users, and nobody ever visits your server. ... Extracted Quote: Security Tips - Apache HTTP Server
---oOo---
------oOo---------------oOo------
Julien Bonastre [The_RadiX]
The-Spectrum Network CEO
ABN: 64 235 749 494
julien@xxxxxxxxxxxxxxxx
www.the-spectrum.org
------oOo---------------oOo------

----- Original Message -----
From: "Chris Payne" <cjp@xxxxxxxxxxxxxxxxx>
To: <php-db@xxxxxxxxxxxxx>
Sent: Saturday, March 11, 2006 2:53 AM
Subject: RE:  Database abuse help needed


Ahhh thank you everyone,

I came up with the same solution - kind of, but I used about 5 more lines of code to achieve the same thing as below so I was on the same tracks just not quite as efficient :-)

Chris

Incorporating what Bastien said:

$badWordsArray = array("these", "are", "bad", "words");
foreach ($_POST as $key => $value) {
    if (in_array($value, $badWordsArray)) {
        // $value was found in $badWordsArray
    }
}

http://us2.php.net/in_array

-----Original Message-----
From: Chris Payne [mailto:cjp@xxxxxxxxxxxxxxxxx]
Sent: Thursday, March 09, 2006 8:40 PM
To: php-db@xxxxxxxxxxxxx
Subject: RE:  Database abuse help needed

Thank you for that. And excuse the inexperience, but how would I use an Array with the below? I mean say I had words such as this,is,a,bad,word (Just as examples as I can't post what I'm trying to block on here) how would I loop through those to check if any of them exist and if they do THEN execute the error script? I'm not too good with Arrays - but I'm learning.

Thank you

Chris

If you POST from your form, use $_POST, or $_GET for a form that uses GET.

$findme = "Rulez666";   // the word to look for (example value taken from the original question)
foreach ($_POST as $key => $value) {
    if (strpos($value, $findme) !== false) {
        // $findme was found in $value
    }
}

http://php.net/manual/en/reserved.variables.php
http://us2.php.net/manual/en/control-structures.foreach.php
http://us2.php.net/strpos

Yes, that's !== or ===

-----Original Message-----
From: Chris Payne [mailto:chris@xxxxxxxxxxxx]
Sent: Thursday, March 09, 2006 5:21 PM
To: php-db@xxxxxxxxxxxxx
Subject:  Database abuse help needed

Hi there everyone,

Is there a better way I can do this?

if ($email == "mur@xxxxxxx" OR $subject == "Rulez666") { ... }

Basically, if I have data coming from a form to a DB, is there a better way to check EVERY variable for a specific set of words rather than doing $name, $subject etc .... separately?

The reason I ask is my scripts are being exploited and I can fix it when the attacks happen, but I'd like to be able to have a string which checks all the form data and takes action if a word I define in a list exists.

So, instead of doing if ($name == " mememe " ...... if($email == " Rulez666@xxxxxxxxxxxx " ....... I could just have a simple statement with a group of words, and if one of the words appears it takes an action I specify such as do not proceed to add to DB etc ....

Any help would be greatly appreciated as I am tired of having to keep writing the same scripts with different variables; I'd love to just grab all the variables from the form and perform the action ONCE on the incoming form data and then all the variables are affected instead of doing each one.

Please save me from going nuts :-)

Chris
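Pulling the thread together, as an added example that is not any poster's code: a per-word check over every submitted field, which catches the multi-word and suffixed cases Julien describes that a whole-value in_array() comparison misses. The banned list, the reserved-name pattern and the $submitted array are constructed stand-ins for $_POST.

```php
<?php
// Added example (not any poster's code): check every submitted field for listed
// words. $submitted stands in for $_POST; lists and values are constructed.
// Per-word check: split the value on anything that is not a letter or digit, then
// flag tokens that equal a listed word or start with one ("bad head", "bader"),
// which in_array() on the whole value misses. Prefix matching also catches innocent
// words such as "badge", so hits should be reviewed rather than auto-banned.
function findBannedWords($value, array $banned)
{
    $hits = array();
    $tokens = preg_split('/[^a-z0-9]+/', strtolower($value), -1, PREG_SPLIT_NO_EMPTY);
    foreach ($tokens as $token) {
        foreach ($banned as $word) {
            if (strpos($token, $word) === 0) {
                $hits[] = $token;
                break;
            }
        }
    }
    return $hits;
}

// Walk every field once, like foreach ($_POST ...), and collect errors per
// field; the caller refuses the DB insert when the result is non-empty.
function validateSubmission(array $fields, array $banned, $reservedPattern)
{
    $errors = array();
    foreach ($fields as $name => $value) {
        if (!is_string($value)) {
            continue;   // nested arrays from multi-value inputs are skipped here
        }
        $found = findBannedWords($value, $banned);
        if ($found) {
            $errors[$name][] = 'contains listed word(s): ' . implode(', ', $found);
        }
        // Reserved names only matter for the user name; \b keeps "rootbeer" out.
        if ($name === 'user_name' && preg_match($reservedPattern, $value)) {
            $errors[$name][] = 'contains a reserved or system word';
        }
    }
    return $errors;
}

$banned    = array('bad', 'rulez666');          // constructed list, lower case
$reserved  = '/\b(admin|root|webmaster)\b/i';   // constructed, word-bounded
$submitted = array(                              // constructed, stands in for $_POST
    'user_name' => 'site-admin',
    'subject'   => 'You are a bad head!',
    'email'     => 'Rulez666@example.com',
);
print_r(validateSubmission($submitted, $banned, $reserved));
```

With the sample data all three fields are reported: user_name for the reserved word, subject for "bad" and email for "rulez666"; in_array() on the whole values would have reported none of them.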

--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



