RE: Passing +, =, - at post and get

Anders,

Thanks for the tips. I've resolved the post/get problem.

Cheers

George

> -----Original Message-----
> From: Svensson, B.A.T. (HKG) [mailto:B.A.T.Svensson@xxxxxxx]
> Sent: 20 May 2004 3:48 pm
> To: 'php-windows@xxxxxxxxxxxxx '
> Subject: RE:  Passing +, =, - at post and get
> 
> 
> In your second if you do a count on the occurrence of a character,
> but don't use the result, why not use strpos() directly? 
> 
> Also if you just want to replace a single char with another
> single char, then you might like to do like this:
> 
>   $String = implode($NewChar, explode($OldChar, $String));
> 
> 
> 
> -----Original Message-----
> From: George Pitcher
> To: php-windows@xxxxxxxxxxxxx
> Sent: 20-5-2004 15:43
> Subject: RE:  Passing +, =, - at post and get
> 
> And doing a bit more, I find that '=' and '-' are passing through OK so
> I'll need to train my users to use an alternative to '+'.
> 
> The choking seems to be with my parsing function, which I have pasted in
> below:
> =================================================
> function sql_fltr($sql,$field,$input){
> 	// $sql is never used; $input is the raw search string from the form/URL.
> 	// Note: $input is concatenated into the SQL without escaping.
> 	if(strlen($input)>0){
> 		// Multi-criteria path: taken when the input contains "=", " -" or " +".
> 		if( substr_count($input,"=")>0 || substr_count($input," -")>0 || substr_count($input," +")>0 ){
> 			$output = "";
> 			// Only " -" separators become "|" split points; " +" and " =" are never split out.
> 			$temp = str_replace(" -","|-",(str_replace(" -","|-",($input))));
> 			$temp = explode("|",$temp);
> 			// was "<= sizeof($temp)", which read one element past the end of the array
> 			for ($i = 0; $i < sizeof($temp); $i++){
> 				if (substr($temp[$i],0,1)=="*"){
> 					$temp[$i] = $field." like '".rtrim(str_replace("*","%",$temp[$i]))."%'";
> 					$output.= $temp[$i]."|";
> 				} elseif (substr($temp[$i],0,1)=="-"){
> 					$temp[$i] = " and ".$field." not like '".rtrim(str_replace("*","%",$temp[$i]))."'";
> 					$output.= $temp[$i]."|";
> 				} elseif (substr($temp[$i],0,1)=="="){
> 					$temp[$i] = " and ".$field."='".rtrim(str_replace("=","",$temp[$i]))."'";
> 					$output.= $temp[$i]."|";
> 				} elseif (substr($temp[$i],0,1)!="+" && substr($temp[$i],0,1)!="-" && substr($temp[$i],0,1)!="*" && substr($temp[$i],0,1)!="="){
> 					$temp[$i] = "and ".$field." like '%".rtrim(str_replace("=","",$temp[$i]))."'";
> 					$output.= $temp[$i]."|";
> 				} else {
> 					// leading "+": exact match; the "+" itself stays in the value
> 					$temp[$i] = " ".$field."='".rtrim($temp[$i])."'";
> 					$output.= $temp[$i]."|";
> 				}
> 			}
> 			// Strips only the trailing "|"; the "|" between clauses is left in the SQL.
> 			$output = " AND ".substr($output,0,strlen($output)-1);
> 		} else {
> 			// Single-criterion path: no "=", " -" or " +" in the input.
> 			$temp = $input;
> 			if (substr($temp,0,1)=="*"){
> 				$temp = $field." like '".rtrim(str_replace("*","%",$temp))."'";
> 			} elseif (substr($temp,0,1)=="-"){
> 				$temp = $field." not like '".rtrim(str_replace("*","%",$temp))."'";
> 			} elseif (substr($temp,0,1)=="="){
> 				$temp = $field."='".rtrim(str_replace("=","",$temp))."'";
> 			} elseif (substr($temp,0,1)!="+" && substr($temp,0,1)!="-" && substr($temp,0,1)!="*" && substr($temp,0,1)!="="){
> 				$temp = $field." like '%".rtrim(str_replace("=","",$temp))."'";
> 			} else {
> 				$temp = $field."='".rtrim($temp)."'";
> 			}
> 			$output = " AND ".$temp;
> 		}
> 	} else {
> 		$output = "";
> 	}
> 	return $output;
> }
> =================================================
> This works fine if the user has entered either no control or the *
> wildcard with the criteria.
> 
> Any suggestions?
> 
> Cheers
> 
> George
> 
> 
> > -----Original Message-----
> > From: George Pitcher [mailto:george.pitcher@xxxxxxxxxxx]
> > Sent: 20 May 2004 2:33 pm
> > To: php-windows@xxxxxxxxxxxxx
> > Subject: RE:  Passing +, =, - at post and get
> >
> >
> > Charles,
> >
> > No way! This site will only have about 3-4 users as it's an
> > intranet and I'll be parsing everything at the server end.
> >
> > George
> >
> >
> > > -----Original Message-----
> > > From: Charles P. Killmer [mailto:charlesk@xxxxxxxxxxxxxxxxxxxxx]
> > > Sent: 20 May 2004 2:31 pm
> > > To: php-windows@xxxxxxxxxxxxx
> > > Subject: RE:  Passing +, =, - at post and get
> > >
> > >
> > > I hope you are not allowing the client to send T-SQL through the
> > > query string.  Consider them sending something like
> > > File.php?Query='; drop table XXX; --
> > >
> > > Charles Killmer
> > >
> > > -----Original Message-----
> > > From: George Pitcher [mailto:george.pitcher@xxxxxxxxxxx]
> > > Sent: Thursday, May 20, 2004 8:25 AM
> > > To: php-windows@xxxxxxxxxxxxx
> > > Subject:  Passing +, =, - at post and get
> > >
> > > Hi,
> > >
> > > I want to be able to pass the '=', '+' and '-' characters both from
> > > a web form and as part of a url, to enable a better way of searching.
> > > However, these characters are choking my IIS webserver and not
> > > getting through to the script.
> > >
> > > Can anyone suggest a better way of achieving this?
> > >
> > > Cheers
> > >
> > > George
> > >
> > > --
> > > PHP Windows Mailing List (http://www.php.net/)
> > > To unsubscribe, visit: http://www.php.net/unsub.php
> > >
> > >
> > >
> >
> >
> >
> 
> 
> 


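The two problems the thread raises, shown together in an added example that is neither George's nor Anders's code: '+' disappears because a query string decodes it to a space (so it must be sent as %2B), and the search grammar can be compiled to a WHERE fragment with bound parameters instead of inline SQL. The function name sql_fltr_safe, the whitespace-separated criteria and the SQLite table are assumptions for the demo.

```php
<?php
// Added example, not the original poster's code: the same search grammar
// (leading '*', '-', '=', '+', or none) compiled to PDO placeholders, so the
// user's text is bound as data and never becomes SQL. Assumption: criteria are
// whitespace-separated, e.g. "+exact -bad* *xa".
function sql_fltr_safe(string $field, string $input): array
{
    // A column name cannot be bound, so restrict it to a plain identifier.
    if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', $field)) {
        throw new InvalidArgumentException("bad field name: $field");
    }
    $sql = '';
    $params = [];
    foreach (preg_split('/\s+/', trim($input), -1, PREG_SPLIT_NO_EMPTY) as $term) {
        $op = $term[0];
        $value = in_array($op, ['-', '=', '+'], true) ? substr($term, 1) : $term;
        // Escape LIKE metacharacters in the user's text, then map the user's '*' to '%'.
        $like = str_replace(['\\', '%', '_', '*'], ['\\\\', '\\%', '\\_', '%'], $value);
        switch ($op) {
            case '*':            // "*xa" -> contains, like the original "%xa%"
                $sql .= " AND $field LIKE ? ESCAPE '\\'"; $params[] = $like . '%'; break;
            case '-':            // "-bad*" -> NOT LIKE 'bad%'
                $sql .= " AND $field NOT LIKE ? ESCAPE '\\'"; $params[] = $like; break;
            case '=': case '+':  // exact match on the text after the operator
                $sql .= " AND $field = ?"; $params[] = $value; break;
            default:             // plain term -> ends-with, like the original "%term"
                $sql .= " AND $field LIKE ? ESCAPE '\\'"; $params[] = '%' . $like; break;
        }
    }
    return [$sql, $params];
}

// Why '+' never arrived: in a query string it decodes to a space, so the client
// must send %2B. http_build_query() encodes it that way; parse_str() decodes it.
$qs = http_build_query(['q' => "+exact -bad* *xa"]);   // q=%2Bexact+-bad%2A+%2Axa
parse_str($qs, $get);                                   // $get['q'] === "+exact -bad* *xa"

[$where, $params] = sql_fltr_safe('title', $get['q']);
// $where  === " AND title = ? AND title NOT LIKE ? ESCAPE '\' AND title LIKE ? ESCAPE '\'"
// $params === ['exact', 'bad%', '%xa%']

// Constructed in-memory table for the demo; any PDO driver works the same way.
$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec("CREATE TABLE t(title TEXT)");
$pdo->exec("INSERT INTO t VALUES ('exact'), ('bad one'), ('x')");
$stmt = $pdo->prepare("SELECT title FROM t WHERE 1=1" . $where);
$stmt->execute($params);
var_dump($stmt->fetchAll(PDO::FETCH_COLUMN));   // ['exact']
```

The "'; drop table" payload quoted earlier in the thread is bound as a plain string here and only ever compared against the column, which is the point of separating the SQL text from the parameters.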
