Yes.. elitism ;-)
That is I....
The indentation, yes, formatting of emails across different clients
will
always be an issue. Regardless though, and thankfully, my code was
only
a few one liners, whereby the indentation didn't play a huge role at
all
in representing statements and their conditional execution basis [as
there wasn't one :p ]
Next, my snippet was an example, as I'm certain I mentioned.
A slightly modified regex could be:
/(fuc?k|dic?k|wank)(e(r|d|n)|hea?d|wit|ing?)?/i
that would capture many more variations of these profanities and their
common derivatives and suffixes..
[aside]
That I assume was where you were going with the "spelling" issue???
[/end of aside]
What is unpredictable by the way?
You seem as though you are targetting the regex patterns themselves.
Remember, there is no virtually no such thing as a "computer error",
only humans that don't know how to use the computers.
if a regex behaves differently that what you expected, there is beyond
a
99.9999% certainty that it is due to not having formulated the regex
correctly.
There have been many a times when even I, yes, Supreme Commander of
the
entire known and even undiscovered Universe, have forged together a
pattern, ran it, achieved desired results, then realised later down
the
track a certain word/condition it wasn't matching... Generally this
is
due to overlooking some small condition in the pattern or a particular
situation you hadn't thought of.
For example in the above regex I give I didn't rule out strings like:
"F|_|CK"
"F\_/CK"
"D|CK"
"W/\NK"
which do look like the word I want to ensure doesn't exist on the
site,
Catch is? before I run this regex I also ensure the string firstly
only
contains the following char classes: /[a-z0-9_-]/i
There we go..
Anyway, pick me more, please I love it!!!
---oOo--- Allowing users to execute CGI scripts in any directory
should
only be considered if: ... a.. You have no users, and nobody ever
visits
your server. ... Extracted Quote: Security Tips - Apache HTTP
Server ---oOo--- ------oOo---------------oOo------ Julien Bonastre
[The_RadiX] The-Spectrum Network CEO ABN: 64 235 749 494
julien@xxxxxxxxxxxxxxxx
www.the-spectrum.org ------oOo---------------oOo------
----- Original Message -----
From: "Ludvig Ericson" <ludvig.ericson@xxxxxxxxx>
To: "Julien Bonastre" <julien@xxxxxxxxxxxxxxxx>
Cc: "Chris Payne" <cjp@xxxxxxxxxxxxxxxxx>; <php-db@xxxxxxxxxxxxx>
Sent: Sunday, March 12, 2006 12:18 AM
Subject: Re: Database abuse help needed
Erm, dude, chill out with the elitism.
I think there's more then 2% knowing about regexes, and more then 5%
of those 2% that can write "oh-so-complex regular expressions"
(Either GMail mangled the indentation or you need help with that part,
by the way >_>)
Oh and you complain about it not catching spelling mistakes? Yours
doesn't either - want to know why? Because they're so unpredictable.
Cheers, toxik
On 3/11/06, Julien Bonastre <julien@xxxxxxxxxxxxxxxx> wrote:
> Well this is cute, really it is.
>
>
> Kudos to all the in_array ideas and so forth
>
>
> But really this is just an example.
>
> In reality this wouldn't work how you've planned.
>
>
> For example take this quite realistic possibility.
>
> Lets assume the word "bad" is in your array of bad words
>
>
> Now for realistic reasons I will tell you now that the word "bad" I
> am
> going to use as the word we all know exists as a derogatory slang
> form
> of human reproduction or cursing [its starts with an F in case you
> haven't figured it out yet, four letters, ends in K, got it yet? ]
>
> Now as we know this "bad" word can be written many ways, remember, I
> won't use real word, just our safe-substitute:
> bad, bader, bading, baden, badhead, badwit, badoff, baded,
>
> and there maybe many more I can't think of....
>
> Point being? unless you do something more exotic than a precise word
> match then it won't get these suffixed versions, or even altered
> spelling versions.
>
>
> Now the next even larger problem?
>
> This in_array thing? Its cute, but if you have more than one word in
> any
> of your POST variables [which would be pretty safe to assume unless
> you
> have a bad habit of sending those one word subject, one word
> content,
> one word sender types of emails]
> then it won't work either
>
>
> If this is passed as say $_POST["name"]="You are a bad head!"
>
> your little snippet here will try to match "You are a bad head" to
> singular words such as ["this" "is" "a" "bad" "word"]
>
> What you need is to break up each word in your string, then do some
> form
> of processing ;-)
>
>
>
>
>
> Ok ok, so you want the secrets now don't you??
>
> Ok try signing up at these sites with names like: root, radix,
> admin,
> or
> some common profanity, which is located anywhere in the username,
> alias,
> etc:
> http://www.befitcommunity.com
> www.the-spectrum.org
>
> Exactly..
>
> Now for my implementation I ONCE AGAIN "BAD"ING rely on my regular
> expressions
>
>
> OH SUPRISE SUPRISE, maybe they were invented for a purpose???
>
>
> Its ok, nevermind, its a personal joke of mine on this list, it
> seems
> 2%
> of the PHP dev population is aware of what a regular expression is,
> and
> only 5% of those 2% know how to write a functioning OH SO difficult
> expression pattern..
>
>
>
> Here's the code [brace yourself, its SOOOO advanced, took me a WHOLE
> 0
> text books to master how to handle myself with a regular expression
> parser]:
>
> $SYSTEM["REX_FILTER"]=Array();
> $SYSTEM["REX_FILTER"]["user_name"]="/^[a-z]{2,}[a-z0-9\_\-]+$/i";
> $SYSTEM["REX_FILTER"]["password"]="/^[a-z0-9\_\-\ \!\.]+$/i";
> //$SYSTEM["REX_FILTER"]["password_chk"]="/([0-9]+[a-zA-Z\_\-\ ]+|[a-zA-Z\_\-\
> ]+[0-9]+).*[0-9]*$/i";
> $SYSTEM["REX_FILTER"]["alias"]="/^[a-z0-9\.\_\-\!ÇüéâäàåçêëèïîìÄÅÉæÆôöòûùÿÖÜ¢£¥]+$/i";
> $SYSTEM["REX_FILTER"]["email"]="/^[a-z\_0-9\.]+@[A-Za-z0-9\-]+\.[A-Za-z0-9\-]{2,}/i";
> $SYSTEM["REX_FILTER"]["name"]="/^[a-zÇüéâäàåçêëèïîìÄÅÉæÆôöòûùÿÖÜ¢£¥]+$/i";
> $SYSTEM["REX_FILTER"]["RESERVED_WORDS"]="/admin|web.+(master|root)|root|forum|profile|preview|befit/i";
> $SYSTEM["REX_FILTER"]["BANNED_WORDS"]="/(fuck|cunt|shit|wanker|dick([^
> ]*(head|suck|lick)))/i";
>
> if(strlen($_POST["user_name"])<5 or
> strlen($_POST["user_name"])>32)
> $errarr[]=$owner."user name must be between 5 and 32 characters
> [inclusive]";
>
>
> elseif(!preg_match($SYSTEM["REX_FILTER"]["user_name"],$_POST["user_name"]))
> $errarr[]=$owner."user name must start with at least 2 alphabetical
> characters and must be followed by only alphanumerical characters
> and/or
> the following characters: - (hyphen) _ (underscore) \" \" (space)";
>
>
> elseif(preg_match($SYSTEM["REX_FILTER"]["RESERVED_WORDS"],$_POST["user_name"]))
> $errarr[]=$owner."user name contains reserved or system words";
>
>
> elseif(preg_match($SYSTEM["REX_FILTER"]["BANNED_WORDS"],$_POST["user_name"]))
> $errarr[]=$owner."user name contains \"inappropriate\" or
> \"offensive\"
> words";
>
>
>
> Ok so first that from two far and distant libraries on my site,
> first
> part with Array definition is contained in a global core variable
> definition library I have...
>
>
> its basically just there to define the chosen patterns I've chosen
> to
> use for particular different fields. Easy enough?
>
>
> Then I have the second part, which uses the PCRE [perl compat reg
> exp]
> handler functions of PHP to attempt matching my patterns to the
> given
> inputs from user.
>
>
> Easy right???
>
>
> Too easy, and extremely fast and effective...
>
>
>
> Feel free to pick me apart though, I'd love to hear all the negative
> things people have to say about regular expressions.
>
> They are like cars I find, everyone bitches about how expensive they
> are
> to run, but wouldn't we be BADed without them!?!?!?
>
>
> ---oOo--- Allowing users to execute CGI scripts in any directory
> should
> only be considered if: ... a.. You have no users, and nobody ever
> visits
> your server. ... Extracted Quote: Security Tips - Apache HTTP
> Server ---oOo--- ------oOo---------------oOo------ Julien Bonastre
> [The_RadiX] The-Spectrum Network CEO ABN: 64 235 749 494
> julien@xxxxxxxxxxxxxxxx
> www.the-spectrum.org ------oOo---------------oOo------
> ----- Original Message -----
> From: "Chris Payne" <cjp@xxxxxxxxxxxxxxxxx>
> To: <php-db@xxxxxxxxxxxxx>
> Sent: Saturday, March 11, 2006 2:53 AM
> Subject: RE: Database abuse help needed
>
>
> > Ahhh thank you everyone,
> >
> > I came up with the same solution - kind of, but I used about 5
> > more
> > lines of
> > code to achieve the same thing as below so I was on the same
> > tracks
> > just not
> > quite as efficient :-)
> >
> > Chris
> >
> > Incorporating what Bastien said:
> >
> > $badWordsArray = array("these" ,"are", "bad", "words");
> > foreach($_POST
> > as
> > $key => $value){
> > if( in_array($value, $badWordsArray) ){
> > //$value was found in $badWordsArray
> > }
> > }
> >
> > http://us2.php.net/in_array
> >
> > -----Original Message-----
> > From: Chris Payne [mailto:cjp@xxxxxxxxxxxxxxxxx]
> > Sent: Thursday, March 09, 2006 8:40 PM
> > To: php-db@xxxxxxxxxxxxx
> > Subject: RE: Database abuse help needed
> >
> > Thank you for that. And excuse the inexperience, but how would I
> > use
> > an
> > Array with the below? I mean say I had words such as
> > this,is,a,bad,word
> > (Just as examples as I can't post what I'm trying to block on
> > here)
> > how
> > would I loop through those to check if any of them exist and if
> > they
> > do THEN
> > execute the error script? I'm not too good with Arrays - but I'm
> > learning.
> >
> > Thank you
> >
> > Chris
> >
> > If you POST from your form use $_POST, or $_GET for a form GET
> >
> > foreach($_POST as $key => $value){
> > if( strpos($value, $findme) !== false ){
> > //$findme was found in $value
> > }
> > }
> >
> > http://php.net/manual/en/reserved.variables.php
> > http://us2.php.net/manual/en/control-structures.foreach.php
> > http://us2.php.net/strpos Yes, that's !== or ===
> >
> > -----Original Message-----
> > From: Chris Payne [mailto:chris@xxxxxxxxxxxx]
> > Sent: Thursday, March 09, 2006 5:21 PM
> > To: php-db@xxxxxxxxxxxxx
> > Subject: Database abuse help needed
> >
> > Hi there everyone,
> >
> > Is there a better way I can do this?
> >
> > if ($email == "mur@xxxxxxx" OR $subject == "Rulez666"
> >
> > Basically, if I have data coming from a form to a DB, is there a
> > better way
> > to say check EVERY variable for a specific set of words rather
> > than
> > doing
> > $name, $subject etc .... seperately?
> >
> > The reason I ask is my scripts are being exploited and I can fix
> > it
> > when the
> > attacks happen, but i'd like to be able to have a string which
> > checks
> > all
> > the form data and takes action if a word I define in a list
> > exists.
> >
> > So, instead of doing if ($name == " mememe " ...... if($email == "
> > Rulez666@xxxxxxxxxxxx " ....... I could just have a simple
> > statement
> > with a
> > group of words, and if one of the words appears it takes an action
> > I
> > specify
> > such as do not proceed to add to DB etc ....
> >
> > Any help would be greatly appreciated as I am tired of keep
> > writing
> > the same
> > scripts with different variables, i'd love to just grab all the
> > variables
> > from the form and perform the action ONCE on the incoming form
> > data
> > and then
> > all the variables are affected instead of doing each one.
> >
> > Please save me from going nuts :-)
> >
> > Chris
> >
> > --
> >
> >
> > --
> >
> > No virus found in this incoming message.
> > Checked by AVG Free Edition.
> > Version: 7.1.375 / Virus Database: 268.2.1/278 - Release Date:
> > 3/9/2006
> >
> > --
> >
> > --
> > PHP Database Mailing List (http://www.php.net/) To unsubscribe,
> > visit:
> > http://www.php.net/unsub.php
> >
> >
> > --
> > No virus found in this incoming message.
> > Checked by AVG Free Edition.
> > Version: 7.1.375 / Virus Database: 268.2.1/278 - Release Date:
> > 3/9/2006
> >
> > --
> > PHP Database Mailing List (http://www.php.net/)
> > To unsubscribe, visit: http://www.php.net/unsub.php
> >
> >
> >
> > --
> > No virus found in this incoming message.
> > Checked by AVG Anti-Virus.
> > Version: 7.1.375 / Virus Database: 268.2.0/276 - Release Date:
> > 7/03/2006
> >
> >
>
>
>
> --
> No virus found in this outgoing message.
> Checked by AVG Anti-Virus.
> Version: 7.1.384 / Virus Database: 268.2.1/279 - Release Date:
> 10/03/2006
>
> --
> PHP Database Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>
>
--
No virus found in this incoming message.
Checked by AVG Anti-Virus.
Version: 7.1.384 / Virus Database: 268.2.1/279 - Release Date:
10/03/2006
--
No virus found in this outgoing message.
Checked by AVG Anti-Virus.
Version: 7.1.384 / Virus Database: 268.2.1/279 - Release Date:
10/03/2006
--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php