Re: Database abuse help needed

Well, no matter how long you spend on coding a regex - no sane one
would capture all misspellings possible. It's impossible. Think of
these: fukc, fucck, f uck, fu ck, fuc k, f ukc, fu kc, fuk c, fu kk,
fawk, faak, fak, etc.

There are quite a lot

A not too sober Ludvig.

On 3/12/06, Julien Bonastre <julien@xxxxxxxxxxxxxxxx> wrote:
> Yes.. elitism ;-)
>
> That is I....
>
> The indentation, yes, formatting of emails across different clients will
> always be an issue. Regardless though, and thankfully, my code was only
> a few one liners, whereby the indentation didn't play a huge role at all
> in representing statements and their conditional execution basis [as
> there wasn't one :p ]
>
> Next, my snippet was an example, as I'm certain I mentioned.
>
> A slightly modified regex could be:
>
> /(fuc?k|dic?k|wank)(e(r|d|n)|hea?d|wit|ing?)?/i
>
>
> that would capture many more variations of these profanities and their
> common derivatives and suffixes..
>
>
>
> [aside]
> That I assume was where you were going with the "spelling" issue???
> [/end of aside]
>
>
> What is unpredictable by the way?
>
>
> You seem as though you are targeting the regex patterns themselves.
>
>
> Remember, there is virtually no such thing as a "computer error",
> only humans that don't know how to use the computers.
>
>
> if a regex behaves differently than what you expected, there is beyond a
> 99.9999% certainty that it is due to not having formulated the regex
> correctly.
>
>
> There have been many a time when even I, yes, Supreme Commander of the
> entire known and even undiscovered Universe, have forged together a
> pattern, ran it, achieved desired results, then realised later down the
> track a certain word/condition it wasn't matching...  Generally this is
> due to overlooking some small condition in the pattern or a particular
> situation you hadn't thought of.
>
>
> For example in the above regex I give I didn't rule out strings like:
> "F|_|CK"
> "F\_/CK"
> "D|CK"
> "W/\NK"
>
> which do look like the word I want to ensure doesn't exist on the site,
>
> Catch is? before I run this regex I also ensure the string firstly only
> contains the following char classes: /[a-z0-9_-]/i
>
> There we go..
>
>
>
> Anyway, pick me more, please I love it!!!
>
>
>
> ---oOo--- Allowing users to execute CGI scripts in any directory should
> only be considered if: ... a.. You have no users, and nobody ever visits
> your server. ... Extracted Quote: Security Tips - Apache HTTP
> Server ---oOo--- ------oOo---------------oOo------ Julien Bonastre
> [The_RadiX] The-Spectrum Network CEO ABN: 64 235 749 494
> julien@xxxxxxxxxxxxxxxx
> www.the-spectrum.org ------oOo---------------oOo------
> ----- Original Message -----
> From: "Ludvig Ericson" <ludvig.ericson@xxxxxxxxx>
> To: "Julien Bonastre" <julien@xxxxxxxxxxxxxxxx>
> Cc: "Chris Payne" <cjp@xxxxxxxxxxxxxxxxx>; <php-db@xxxxxxxxxxxxx>
> Sent: Sunday, March 12, 2006 12:18 AM
> Subject: Re:  Database abuse help needed
>
>
> Erm, dude, chill out with the elitism.
> I think there's more than 2% knowing about regexes, and more than 5%
> of those 2% that can write "oh-so-complex regular expressions"
>
> (Either GMail mangled the indentation or you need help with that part,
> by the way >_>)
>
> Oh and you complain about it not catching spelling mistakes? Yours
> doesn't either - want to know why? Because they're so unpredictable.
>
> Cheers, toxik
>
> On 3/11/06, Julien Bonastre <julien@xxxxxxxxxxxxxxxx> wrote:
> > Well this is cute, really it is.
> >
> >
> > Kudos to all the in_array ideas and so forth
> >
> >
> > But really this is just an example.
> >
> > In reality this wouldn't work how you've planned.
> >
> >
> > For example take this quite realistic possibility.
> >
> > Let's assume the word "bad" is in your array of bad words
> >
> >
> > Now for realistic reasons I will tell you now that the word "bad" I am
> > going to use as the word we all know exists as a derogatory slang form
> > of human reproduction or cursing [it starts with an F in case you
> > haven't figured it out yet, four letters, ends in K, got it yet? ]
> >
> > Now as we know this "bad" word can be written many ways, remember, I
> > won't use the real word, just our safe-substitute:
> > bad, bader, bading, baden, badhead, badwit, badoff, baded,
> >
> > and there may be many more I can't think of....
> >
> > Point being? unless you do something more exotic than a precise word
> > match then it won't get these suffixed versions, or even altered
> > spelling versions.
> >
> >
> > Now the next even larger problem?
> >
> > This in_array thing? It's cute, but if you have more than one word in
> > any of your POST variables [which would be pretty safe to assume unless
> > you have a bad habit of sending those one word subject, one word content,
> > one word sender types of emails] then it won't work either
> >
> >
> > If this is passed as say $_POST["name"]="You are a bad head!"
> >
> > your little snippet here will try to match "You are a bad head" to
> > singular words such as ["this" "is" "a" "bad" "word"]
> >
> > What you need is to break up each word in your string, then do some
> > form of processing ;-)
> >
> >
> >
> >
> >
> > Ok ok, so you want the secrets now don't you??
> >
> > Ok try signing up at these sites with names like: root, radix, admin,
> > or some common profanity, which is located anywhere in the username,
> > alias, etc:
> > http://www.befitcommunity.com
> > www.the-spectrum.org
> >
> > Exactly..
> >
> > Now for my implementation I ONCE AGAIN "BAD"ING rely on my regular
> > expressions
> >
> >
> > OH SURPRISE SURPRISE, maybe they were invented for a purpose???
> >
> >
> > It's ok, never mind, it's a personal joke of mine on this list, it seems
> > 2% of the PHP dev population is aware of what a regular expression is,
> > and only 5% of those 2% know how to write a functioning OH SO difficult
> > expression pattern..
> >
> >
> >
> > Here's the code [brace yourself, it's SOOOO advanced, took me a WHOLE 0
> > text books to master how to handle myself with a regular expression
> > parser]:
> >
> > $SYSTEM["REX_FILTER"]=Array();
> > $SYSTEM["REX_FILTER"]["user_name"]="/^[a-z]{2,}[a-z0-9\_\-]+$/i";
> > $SYSTEM["REX_FILTER"]["password"]="/^[a-z0-9\_\-\ \!\.]+$/i";
> > //$SYSTEM["REX_FILTER"]["password_chk"]="/([0-9]+[a-zA-Z\_\-\ ]+|[a-zA-Z\_\-\ ]+[0-9]+).*[0-9]*$/i";
> > $SYSTEM["REX_FILTER"]["alias"]="/^[a-z0-9\.\_\-\!ÇüéâäàåçêëèïîìÄÅÉæÆôöòûùÿÖÜ¢£¥]+$/i";
> > $SYSTEM["REX_FILTER"]["email"]="/^[a-z\_0-9\.]+@[A-Za-z0-9\-]+\.[A-Za-z0-9\-]{2,}/i";
> > $SYSTEM["REX_FILTER"]["name"]="/^[a-zÇüéâäàåçêëèïîìÄÅÉæÆôöòûùÿÖÜ¢£¥]+$/i";
> > $SYSTEM["REX_FILTER"]["RESERVED_WORDS"]="/admin|web.+(master|root)|root|forum|profile|preview|befit/i";
> > $SYSTEM["REX_FILTER"]["BANNED_WORDS"]="/(fuck|cunt|shit|wanker|dick([^ ]*(head|suck|lick)))/i";
> >
> >    if(strlen($_POST["user_name"])<5 or strlen($_POST["user_name"])>32)
> >        $errarr[]=$owner."user name must be between 5 and 32 characters [inclusive]";
> >    elseif(!preg_match($SYSTEM["REX_FILTER"]["user_name"],$_POST["user_name"]))
> >        $errarr[]=$owner."user name must start with at least 2 alphabetical characters and must be followed by only alphanumerical characters and/or the following characters: - (hyphen) _ (underscore) \" \" (space)";
> >    elseif(preg_match($SYSTEM["REX_FILTER"]["RESERVED_WORDS"],$_POST["user_name"]))
> >        $errarr[]=$owner."user name contains reserved or system words";
> >    elseif(preg_match($SYSTEM["REX_FILTER"]["BANNED_WORDS"],$_POST["user_name"]))
> >        $errarr[]=$owner."user name contains \"inappropriate\" or \"offensive\" words";
> >
> >
> >
> > Ok so first that from two far and distant libraries on my site, first
> > part with Array definition is contained in a global core variable
> > definition library I have...
> >
> >
> > it's basically just there to define the patterns I've chosen to
> > use for particular different fields. Easy enough?
> >
> >
> > Then I have the second part, which uses the PCRE [perl compat reg exp]
> > handler functions of PHP to attempt matching my patterns to the given
> > inputs from user.
> >
> >
> > Easy right???
> >
> >
> > Too easy, and extremely fast and effective...
> >
> >
> >
> > Feel free to pick me apart though, I'd love to hear all the negative
> > things people have to say about regular expressions.
> >
> > They are like cars I find, everyone bitches about how expensive they
> > are to run, but wouldn't we be BADed without them!?!?!?
> >
> >
> > ----- Original Message -----
> > From: "Chris Payne" <cjp@xxxxxxxxxxxxxxxxx>
> > To: <php-db@xxxxxxxxxxxxx>
> > Sent: Saturday, March 11, 2006 2:53 AM
> > Subject: RE:  Database abuse help needed
> >
> >
> > > Ahhh thank you everyone,
> > >
> > > I came up with the same solution - kind of, but I used about 5 more
> > > lines of code to achieve the same thing as below so I was on the same
> > > tracks just not quite as efficient :-)
> > >
> > > Chris
> > >
> > > Incorporating what Bastien said:
> > >
> > > $badWordsArray = array("these", "are", "bad", "words");
> > > foreach($_POST as $key => $value){
> > >     if( in_array($value, $badWordsArray) ){
> > >         //$value was found in $badWordsArray
> > >     }
> > > }
> > >
> > > http://us2.php.net/in_array
> > >
> > > -----Original Message-----
> > > From: Chris Payne [mailto:cjp@xxxxxxxxxxxxxxxxx]
> > > Sent: Thursday, March 09, 2006 8:40 PM
> > > To: php-db@xxxxxxxxxxxxx
> > > Subject: RE:  Database abuse help needed
> > >
> > > Thank you for that.  And excuse the inexperience, but how would I
> > > use an Array with the below?  I mean say I had words such as
> > > this,is,a,bad,word (Just as examples as I can't post what I'm trying
> > > to block on here) how would I loop through those to check if any of
> > > them exist and if they do THEN execute the error script?  I'm not too
> > > good with Arrays - but I'm learning.
> > >
> > > Thank you
> > >
> > > Chris
> > >
> > > If you POST from your form use $_POST, or $_GET for a form GET
> > >
> > > $findme = "bad"; // the word to look for in every submitted field
> > > foreach($_POST as $key => $value){
> > >     if( strpos($value, $findme) !== false ){
> > >         //$findme was found in $value
> > >     }
> > > }
> > >
> > > http://php.net/manual/en/reserved.variables.php
> > > http://us2.php.net/manual/en/control-structures.foreach.php
> > > http://us2.php.net/strpos Yes, that's !== or ===
> > >
> > > -----Original Message-----
> > > From: Chris Payne [mailto:chris@xxxxxxxxxxxx]
> > > Sent: Thursday, March 09, 2006 5:21 PM
> > > To: php-db@xxxxxxxxxxxxx
> > > Subject:  Database abuse help needed
> > >
> > > Hi there everyone,
> > >
> > > Is there a better way I can do this?
> > >
> > > if ($email == "mur@xxxxxxx" OR $subject == "Rulez666"
> > >
> > > Basically, if I have data coming from a form to a DB, is there a
> > > better way to say check EVERY variable for a specific set of words
> > > rather than doing $name, $subject etc .... separately?
> > >
> > > The reason I ask is my scripts are being exploited and I can fix it
> > > when the attacks happen, but I'd like to be able to have a string
> > > which checks all the form data and takes action if a word I define
> > > in a list exists.
> > >
> > > So, instead of doing if ($name == " mememe " ...... if($email == "
> > > Rulez666@xxxxxxxxxxxx " ....... I could just have a simple statement
> > > with a group of words, and if one of the words appears it takes an
> > > action I specify such as do not proceed to add to DB etc ....
> > >
> > > Any help would be greatly appreciated as I am tired of keep writing
> > > the same scripts with different variables, I'd love to just grab all
> > > the variables from the form and perform the action ONCE on the
> > > incoming form data and then all the variables are affected instead of
> > > doing each one.
> > >
> > > Please save me from going nuts :-)
> > >
> > > Chris
> > >

-- 
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
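The username checks Julien posted and the in_array problem he raises (a whole-field compare never matches one word inside a sentence), as an added PHP example that is not code from the thread; `validate_user_name`, `scan_fields`, the constant names and the placeholder stem "bad" are my own choices:

```php
<?php
// Added example, not code from the thread. Same order of checks as the
// posted snippet (length, whitelist, reserved words, banned words), plus
// a word-by-word scan of every POST field. "bad" is a placeholder stem.

// Whitelist first: characters outside [a-z0-9_-] are rejected, so
// symbol spellings such as "B|_|D" never reach the word filters.
const USER_NAME_RE = '/^[a-z]{2,}[a-z0-9_-]+$/i';
const RESERVED_RE  = '/admin|web.+(master|root)|root|forum|profile/i';
// Stem plus optional suffix, following the suffix regex in the thread.
const BANNED_RE    = '/(ba+d)(e(r|d|n)|hea?d|wit|ing?|off)?/i';

function validate_user_name(string $name): array {
    $errors = [];
    $len = strlen($name);
    if ($len < 5 || $len > 32) {
        $errors[] = 'user name must be between 5 and 32 characters [inclusive]';
    } elseif (!preg_match(USER_NAME_RE, $name)) {
        $errors[] = 'user name must start with 2 letters and use only letters, digits, - and _';
    } elseif (preg_match(RESERVED_RE, $name)) {
        $errors[] = 'user name contains reserved or system words';
    } elseif (preg_match(BANNED_RE, $name)) {
        $errors[] = 'user name contains "inappropriate" or "offensive" words';
    }
    return $errors;
}

// in_array() compares the whole field value, so "You are a bad head!"
// never equals "bad". Split each value into words, then compare each word.
function scan_fields(array $fields, array $badWords): array {
    $hits = [];
    $badWords = array_map('strtolower', $badWords);
    foreach ($fields as $key => $value) {
        $words = preg_split('/[^a-z0-9]+/i', strtolower((string) $value), -1, PREG_SPLIT_NO_EMPTY);
        foreach ($words as $word) {
            if (in_array($word, $badWords, true)) {
                $hits[$key][] = $word;
            }
        }
    }
    return $hits;
}

// Constructed sample input standing in for $_POST.
$post = ['user_name' => 'badhead99', 'name' => 'You are a bad head!', 'email' => 'someone@example.com'];
print_r(validate_user_name($post['user_name']));  // banned-word error
print_r(validate_user_name('B|_|D1234'));         // fails the whitelist check
print_r(scan_fields($post, ['these', 'are', 'bad', 'words']));  // ['name' => ['bad']]
```

The whitelist check is what makes the symbol-based spellings moot; the suffix regex and the word split are still only as good as the list behind them, which is Ludvig's point above.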


