Erm, dude, chill out with the elitism. I think there's more than 2% knowing
about regexes, and more than 5% of those 2% that can write "oh-so-complex
regular expressions" (Either GMail mangled the indentation or you need help
with that part, by the way >_>)

Oh and you complain about it not catching spelling mistakes? Yours doesn't
either - want to know why? Because they're so unpredictable.

Cheers,
toxik

On 3/11/06, Julien Bonastre <julien@xxxxxxxxxxxxxxxx> wrote:
> Well this is cute, really it is.
>
> Kudos to all the in_array ideas and so forth
>
> But really this is just an example.
> In reality this wouldn't work how you've planned.
>
> For example take this quite realistic possibility.
> Let's assume the word "bad" is in your array of bad words
>
> Now for realistic reasons I will tell you now that the word "bad" I am
> going to use as the word we all know exists as a derogatory slang form
> of human reproduction or cursing [it starts with an F in case you
> haven't figured it out yet, four letters, ends in K, got it yet? ]
>
> Now as we know this "bad" word can be written many ways, remember, I
> won't use the real word, just our safe-substitute:
> bad, bader, bading, baden, badhead, badwit, badoff, baded,
>
> and there may be many more I can't think of....
>
> Point being? Unless you do something more exotic than a precise word
> match then it won't get these suffixed versions, or even altered
> spelling versions.
>
> Now the next even larger problem?
>
> This in_array thing? It's cute, but if you have more than one word in any
> of your POST variables [which would be pretty safe to assume unless you
> have a bad habit of sending those one word subject, one word content,
> one word sender types of emails]
> then it won't work either
>
> If this is passed as say $_POST["name"]="You are a bad head!"
> your little snippet here will try to match "You are a bad head" to
> singular words such as ["this" "is" "a" "bad" "word"]
>
> What you need is to break up each word in your string, then do some form
> of processing ;-)
>
> Ok ok, so you want the secrets now don't you??
>
> Ok try signing up at these sites with names like: root, radix, admin, or
> some common profanity, which is located anywhere in the username, alias,
> etc:
> http://www.befitcommunity.com
> www.the-spectrum.org
>
> Exactly..
>
> Now for my implementation I ONCE AGAIN "BAD"ING rely on my regular
> expressions
>
> OH SURPRISE SURPRISE, maybe they were invented for a purpose???
>
> It's ok, never mind, it's a personal joke of mine on this list, it seems 2%
> of the PHP dev population is aware of what a regular expression is, and
> only 5% of those 2% know how to write a functioning OH SO difficult
> expression pattern..
>
> Here's the code [brace yourself, it's SOOOO advanced, took me a WHOLE 0
> text books to master how to handle myself with a regular expression
> parser]:
>
> $SYSTEM["REX_FILTER"]=Array();
> $SYSTEM["REX_FILTER"]["user_name"]="/^[a-z]{2,}[a-z0-9\_\-]+$/i";
> $SYSTEM["REX_FILTER"]["password"]="/^[a-z0-9\_\-\ \!\.]+$/i";
> //$SYSTEM["REX_FILTER"]["password_chk"]="/([0-9]+[a-zA-Z\_\-\ ]+|[a-zA-Z\_\-\ ]+[0-9]+).*[0-9]*$/i";
> $SYSTEM["REX_FILTER"]["alias"]="/^[a-z0-9\.\_\-\!ÇüéâäàåçêëèïîìÄÅÉæÆôöòûùÿÖÜ¢£¥]+$/i";
> $SYSTEM["REX_FILTER"]["email"]="/^[a-z\_0-9\.]+@[A-Za-z0-9\-]+\.[A-Za-z0-9\-]{2,}/i";
> $SYSTEM["REX_FILTER"]["name"]="/^[a-zÇüéâäàåçêëèïîìÄÅÉæÆôöòûùÿÖÜ¢£¥]+$/i";
> $SYSTEM["REX_FILTER"]["RESERVED_WORDS"]="/admin|web.+(master|root)|root|forum|profile|preview|befit/i";
> $SYSTEM["REX_FILTER"]["BANNED_WORDS"]="/(fuck|cunt|shit|wanker|dick([^ ]*(head|suck|lick)))/i";
>
> if(strlen($_POST["user_name"])<5 or strlen($_POST["user_name"])>32)
>     $errarr[]=$owner."user name must be between 5 and 32 characters [inclusive]";
> elseif(!preg_match($SYSTEM["REX_FILTER"]["user_name"],$_POST["user_name"]))
>     $errarr[]=$owner."user name must start with at least 2 alphabetical characters and must be followed by only alphanumerical characters and/or the following characters: - (hyphen) _ (underscore) \" \" (space)";
> elseif(preg_match($SYSTEM["REX_FILTER"]["RESERVED_WORDS"],$_POST["user_name"]))
>     $errarr[]=$owner."user name contains reserved or system words";
> elseif(preg_match($SYSTEM["REX_FILTER"]["BANNED_WORDS"],$_POST["user_name"]))
>     $errarr[]=$owner."user name contains \"inappropriate\" or \"offensive\" words";
>
> Ok so first that's from two far and distant libraries on my site, the first
> part with the Array definition is contained in a global core variable
> definition library I have...
>
> It's basically just there to define the chosen patterns I've chosen to
> use for particular different fields. Easy enough?
>
> Then I have the second part, which uses the PCRE [perl compat reg exp]
> handler functions of PHP to attempt matching my patterns to the given
> inputs from the user.
>
> Easy right???
>
> Too easy, and extremely fast and effective...
>
> Feel free to pick me apart though, I'd love to hear all the negative
> things people have to say about regular expressions.
>
> They are like cars I find, everyone bitches about how expensive they are
> to run, but wouldn't we be BADed without them!?!?!?
>
> ---oOo---
> Allowing users to execute CGI scripts in any directory should
> only be considered if: ... a.. You have no users, and nobody ever visits
> your server. ...
> Extracted Quote: Security Tips - Apache HTTP Server
> ---oOo---
> ------oOo---------------oOo------
> Julien Bonastre [The_RadiX]
> The-Spectrum Network CEO
> ABN: 64 235 749 494
> julien@xxxxxxxxxxxxxxxx
> www.the-spectrum.org
> ------oOo---------------oOo------
>
> ----- Original Message -----
> From: "Chris Payne" <cjp@xxxxxxxxxxxxxxxxx>
> To: <php-db@xxxxxxxxxxxxx>
> Sent: Saturday, March 11, 2006 2:53 AM
> Subject: RE: Database abuse help needed
>
> > Ahhh thank you everyone,
> >
> > I came up with the same solution - kind of, but I used about 5 more
> > lines of code to achieve the same thing as below so I was on the same
> > tracks just not quite as efficient :-)
> >
> > Chris
> >
> > Incorporating what Bastien said:
> >
> > $badWordsArray = array("these" ,"are", "bad", "words");
> > foreach($_POST as $key => $value){
> >     if( in_array($value, $badWordsArray) ){
> >         //$value was found in $badWordsArray
> >     }
> > }
> >
> > http://us2.php.net/in_array
> >
> > -----Original Message-----
> > From: Chris Payne [mailto:cjp@xxxxxxxxxxxxxxxxx]
> > Sent: Thursday, March 09, 2006 8:40 PM
> > To: php-db@xxxxxxxxxxxxx
> > Subject: RE: Database abuse help needed
> >
> > Thank you for that. And excuse the inexperience, but how would I use
> > an Array with the below? I mean say I had words such as
> > this,is,a,bad,word (Just as examples as I can't post what I'm trying to
> > block on here) how would I loop through those to check if any of them
> > exist and if they do THEN execute the error script? I'm not too good
> > with Arrays - but I'm learning.
> >
> > Thank you
> >
> > Chris
> >
> > If you POST from your form use $_POST, or $_GET for a form GET
> >
> > foreach($_POST as $key => $value){
> >     if( strpos($value, $findme) !== false ){
> >         //$findme was found in $value
> >     }
> > }
> >
> > http://php.net/manual/en/reserved.variables.php
> > http://us2.php.net/manual/en/control-structures.foreach.php
> > http://us2.php.net/strpos
> > Yes, that's !== or ===
> >
> > -----Original Message-----
> > From: Chris Payne [mailto:chris@xxxxxxxxxxxx]
> > Sent: Thursday, March 09, 2006 5:21 PM
> > To: php-db@xxxxxxxxxxxxx
> > Subject: Database abuse help needed
> >
> > Hi there everyone,
> >
> > Is there a better way I can do this?
> >
> > if ($email == "mur@xxxxxxx" OR $subject == "Rulez666"
> >
> > Basically, if I have data coming from a form to a DB, is there a
> > better way to say check EVERY variable for a specific set of words
> > rather than doing $name, $subject etc .... separately?
> >
> > The reason I ask is my scripts are being exploited and I can fix it
> > when the attacks happen, but I'd like to be able to have a string which
> > checks all the form data and takes action if a word I define in a list
> > exists.
> >
> > So, instead of doing if ($name == " mememe " ...... if($email == "
> > Rulez666@xxxxxxxxxxxx " ....... I could just have a simple statement
> > with a group of words, and if one of the words appears it takes an
> > action I specify such as do not proceed to add to DB etc ....
> >
> > Any help would be greatly appreciated as I am tired of keep writing
> > the same scripts with different variables, I'd love to just grab all the
> > variables from the form and perform the action ONCE on the incoming
> > form data and then all the variables are affected instead of doing each
> > one.
> >
> > Please save me from going nuts :-)
> >
> > Chris
> >
> > --
> > No virus found in this incoming message.
> > Checked by AVG Free Edition.
> > Version: 7.1.375 / Virus Database: 268.2.1/278 - Release Date: 3/9/2006
> >
> > --
> > PHP Database Mailing List (http://www.php.net/)
> > To unsubscribe, visit: http://www.php.net/unsub.php
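As an added example, not code from anyone in this thread, here is the approach Julien describes (split the field into words and match with PCRE rather than in_array) applied to every submitted field as Chris asked for, in PHP 7.4 or later; the word list and the submitted values are constructed stand-ins, with "bad" as the thread's safe substitute.

```php
<?php
// One pattern is built from a plain word list and run over every field, so a
// value such as "You are a bad head!" is caught even though in_array() would
// only match a field that consists of exactly one listed word.

// Constructed word list; "bad" stands in for the real word as in the thread.
$badWords = ['bad', 'rulez666'];

/**
 * Build one case-insensitive PCRE pattern from a word list.
 * preg_quote() escapes metacharacters, so a list entry like "c++" or "a.b"
 * cannot change the meaning of the pattern. With $matchPrefix the word may
 * be followed by further letters (bad -> bader, badhead), which covers the
 * suffixed forms Julien lists; without it, \b stops at the end of the word.
 */
function buildBadWordPattern(array $words, bool $matchPrefix = false): string
{
    $escaped = array_map(fn($w) => preg_quote($w, '/'), $words);
    $tail = $matchPrefix ? '' : '\b';
    return '/\b(?:' . implode('|', $escaped) . ')' . $tail . '/i';
}

/**
 * Return the names of every field whose value matches, so the caller can
 * refuse the whole submission once and log which fields tripped the filter.
 */
function findBadWordFields(array $fields, string $pattern): array
{
    $hits = [];
    foreach ($fields as $name => $value) {
        if (is_string($value) && preg_match($pattern, $value)) {
            $hits[] = $name;
        }
    }
    return $hits;
}

// Constructed stand-in for $_POST.
$submitted = [
    'name'    => 'You are a bad head!',
    'email'   => 'Rulez666@example.invalid',
    'alias'   => 'badhead',
    'subject' => 'hello',
];

$exact  = findBadWordFields($submitted, buildBadWordPattern($badWords));       // name, email
$prefix = findBadWordFields($submitted, buildBadWordPattern($badWords, true)); // name, email, alias

if ($prefix !== []) {
    // Stop before the database insert and record the offending fields.
    error_log('rejected submission, bad words in: ' . implode(', ', $prefix));
}
```

The exact form misses "badhead" (Julien's suffix problem), the prefix form catches it but will also flag innocent words that merely begin with a listed word, so the choice is a precision trade-off to make per field.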