RE: Passing +, =, - at post and get

In your second if you do a count on the occurrence of a character,
but don't use the result, why not use strpos() directly?

Also if you just want to replace a single char with another
single char, then you might like to do like this:

  $String = implode($NewChar, explode($OldChar, $String)); // explode(delimiter, string); implode(glue, pieces)



-----Original Message-----
From: George Pitcher
To: php-windows@xxxxxxxxxxxxx
Sent: 20-5-2004 15:43
Subject: RE:  Passing +, =, - at post and get

And doing a bit more, I find that '=' and '-' are passing through OK so I'll
need to train my users to use an alternative to '+'.

The choking seems to be with my parsing function, which I have pasted in
below:
=================================================
function sql_fltr($sql,$field,$input){
	if(strlen($input)>0){
		// "||" instead of the bitwise "|": each count is only tested for > 0
		if( substr_count($input,"=")>0 || substr_count($input," -")>0 || substr_count($input," +")>0 ){
			$output = "";
			$temp = str_replace(" -","|-",(str_replace(" -","|-",($input))));
			$temp = explode("|",$temp);
			// "<" instead of "<=": "<=" read one element past the end of $temp
			for ($i = 0; $i < sizeof($temp); $i++){
				if (substr($temp[$i],0,1)=="*"){
					$temp[$i] = $field." like '".rtrim(str_replace("*","%",$temp[$i]))."%'";
					$output.= $temp[$i]."|";
				} elseif (substr($temp[$i],0,1)=="-"){
					$temp[$i] = " and ".$field." not like '".rtrim(str_replace("*","%",$temp[$i]))."'";
					$output.= $temp[$i]."|";
				} elseif (substr($temp[$i],0,1)=="="){
					$temp[$i] = " and ".$field."='".rtrim(str_replace("=","",$temp[$i]))."'";
					$output.= $temp[$i]."|";
				} elseif (substr($temp[$i],0,1)!="+" && substr($temp[$i],0,1)!="-" && substr($temp[$i],0,1)!="*" && substr($temp[$i],0,1)!="="){
					$temp[$i] = " and ".$field." like '%".rtrim(str_replace("=","",$temp[$i]))."'";
					$output.= $temp[$i]."|";
				} else {
					$temp[$i] = " ".$field."='".rtrim($temp[$i])."'";
					$output.= $temp[$i]."|";
				}
			}
			// only the trailing "|" is removed; the clauses stay joined by "|" in the returned string
			$output = " AND ".substr($output,0,strlen($output)-1);
		} else {
			$temp = $input;
			if (substr($temp,0,1)=="*"){
				$temp = $field." like '".rtrim(str_replace("*","%",$temp))."'";
			} elseif (substr($temp,0,1)=="-"){
				$temp = $field." not like '".rtrim(str_replace("*","%",$temp))."'";
			} elseif (substr($temp,0,1)=="="){
				$temp = $field."='".rtrim(str_replace("=","",$temp))."'";
			} elseif (substr($temp,0,1)!="+" && substr($temp,0,1)!="-" && substr($temp,0,1)!="*" && substr($temp,0,1)!="="){
				$temp = $field." like '%".rtrim(str_replace("=","",$temp))."'";
			} else {
				$temp = $field."='".rtrim($temp)."'";
			}
			$output = " AND ".$temp;
		}
	} else {
		$output = "";
	}
	return $output;
}
=================================================
This works fine if the user has entered either no control or the * wildcard
with the criteria.

Any suggestions?

Cheers

George


> -----Original Message-----
> From: George Pitcher [mailto:george.pitcher@xxxxxxxxxxx]
> Sent: 20 May 2004 2:33 pm
> To: php-windows@xxxxxxxxxxxxx
> Subject: RE:  Passing +, =, - at post and get
>
>
> Charles,
>
> No way! This site will only have about 3-4 users as it's an intranet and
> I'll be parsing everything at the server end.
>
> George
>
>
> > -----Original Message-----
> > From: Charles P. Killmer [mailto:charlesk@xxxxxxxxxxxxxxxxxxxxx]
> > Sent: 20 May 2004 2:31 pm
> > To: php-windows@xxxxxxxxxxxxx
> > Subject: RE:  Passing +, =, - at post and get
> >
> >
> > I hope you are not allowing the client to send T-SQL through the query
> > string.  Consider them sending something like
> > File.php?Query='; drop table XXX; --
> >
> > Charles Killmer
> >
> > -----Original Message-----
> > From: George Pitcher [mailto:george.pitcher@xxxxxxxxxxx]
> > Sent: Thursday, May 20, 2004 8:25 AM
> > To: php-windows@xxxxxxxxxxxxx
> > Subject:  Passing +, =, - at post and get
> >
> > Hi,
> >
> > I want to be able to pass the '=', '+' and '-' characters both from a
> > web form and as part of a url, to enable a better way of searching.
> > However, these characters are choking my IIS webserver and not getting
> > through to the script.
> >
> > Can anyone suggest a better way of achieving this?
> >
> > Cheers
> >
> > George
> >
>

-- 
PHP Windows Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
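The filter George pasted, and Charles's warning about `'; drop table XXX; --`, both come down to one point: the search string is spliced straight into the SQL text. Below is a parameterised rewrite, added here as an example; it is not George's function and not code from the list. It assumes PDO with `?` placeholders against SQL Server (the `ESCAPE` clause and the `[` metacharacter in `LIKE` are T-SQL behaviour) and a caller-supplied whitelist of column names, because an identifier cannot be bound as a parameter. The thread's control characters are kept (`*` wildcard, leading `-` negates, leading `=` exact match, leading `+` accepted as a plain term; a term without `*` matches as a suffix, as in the original), terms are split on whitespace rather than on `" -"`, and user text only ever reaches the server as a bound value.

```php
<?php
// Added example, not code from the thread: a parameterised version of the
// search filter.  Assumes PDO with "?" placeholders talking to SQL Server
// (T-SQL LIKE treats %, _ and [ as metacharacters) and a caller-supplied
// whitelist of column names; both are assumptions, not anything the posts state.

/**
 * Split a search string such as "smi* -smythe =jones" into terms.
 * Whitespace separates terms.  A leading "-" negates, a leading "=" asks for
 * an exact match, a leading "+" is accepted as a plain positive term, and "*"
 * anywhere in a term is the user's wildcard.
 */
function parse_terms($input)
{
    $terms = array();
    foreach (preg_split('/\s+/', trim($input), -1, PREG_SPLIT_NO_EMPTY) as $tok) {
        $op = 'like';
        if ($tok[0] === '-') {
            $op  = 'not';
            $tok = (string) substr($tok, 1);
        } elseif ($tok[0] === '=') {
            $op  = 'eq';
            $tok = (string) substr($tok, 1);
        } elseif ($tok[0] === '+') {
            $tok = (string) substr($tok, 1);
        }
        if ($tok === '') {
            continue; // a bare operator carries no value
        }
        $terms[] = array('op' => $op, 'value' => $tok);
    }
    return $terms;
}

/**
 * Turn a user term into a LIKE pattern: escape the T-SQL metacharacters with
 * "!" (declared via ESCAPE '!' in the SQL), then map the user's "*" to "%".
 * A term without "*" matches as a suffix, which is what the original did.
 */
function like_pattern($value)
{
    $escaped = str_replace(array('!', '%', '_', '['), array('!!', '!%', '!_', '!['), $value);
    if (strpos($value, '*') === false) {
        return '%' . $escaped;
    }
    return str_replace('*', '%', $escaped);
}

/**
 * Build an " AND (...)" fragment containing only "?" placeholders and return
 * it together with the values to bind.  $field must be on the whitelist:
 * identifiers cannot be bound, so they must never come from user input.
 */
function sql_fltr_safe($field, $input, array $allowed_fields)
{
    if (!in_array($field, $allowed_fields, true)) {
        throw new InvalidArgumentException("column not permitted: $field");
    }
    $clauses = array();
    $params  = array();
    foreach (parse_terms($input) as $t) {
        switch ($t['op']) {
            case 'eq':
                $clauses[] = "$field = ?";
                $params[]  = $t['value'];
                break;
            case 'not':
                $clauses[] = "$field NOT LIKE ? ESCAPE '!'";
                $params[]  = like_pattern($t['value']);
                break;
            default:
                $clauses[] = "$field LIKE ? ESCAPE '!'";
                $params[]  = like_pattern($t['value']);
        }
    }
    if (count($clauses) === 0) {
        return array('', array());
    }
    return array(' AND (' . implode(' AND ', $clauses) . ')', $params);
}

// Constructed sample inputs: an ordinary search, then the payload from Charles's mail.
foreach (array("smi* -smythe =jones", "'; drop table XXX; --") as $query) {
    list($where, $params) = sql_fltr_safe('surname', $query, array('surname', 'forename'));
    echo $where, "\n";
    print_r($params);
}

// Against a live connection the SQL text and the values stay separate
// ($pdo is a hypothetical PDO handle, not set up here):
//   $stmt = $pdo->prepare("SELECT * FROM people WHERE 1=1" . $where);
//   $stmt->execute($params);
```

For the first sample the fragment contains three placeholders (`LIKE`, `NOT LIKE`, `=`) and the values `smi%`, `%smythe` and `jones`. For the second, the quote, semicolons and `--` are split into ordinary terms and bound as data, so the statement text the server parses never contains them; this also removes the dependence on which punctuation IIS lets through, since the filter no longer needs `" -"` or `" +"` as separators.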