Posted by Schraalhans Keukenmeester on 02/17/07 18:38

alanbe wrote:
> Someone filled out a comment form to me with the following string
> within the message:
>
>
> #file=E:\\util\\xr32\\Projects\\www42t35Href.txt
>
>
> The comments are stored in a mysql database
> When php generates the page to display this field, it looks like this:
>
> #file=E:\util\xr32\\Projects\www42t35Href.txt
>
>
> If I use something like
> DELETE FROM database where lower(`comments`) like "%file=
> %"
>
> or if i try
> DELETE FROM database where lower(`comments`) like "%\%"
>
>
> it fails to detect the string.
>
> How do I detect and rid this kind of posting?
>

If this is in your db, I gather you (also) haven't got good measures in
your script preventing SQL injection? If that's the case it's really
easy to do a lot of damage to your database.

Google has plenty hits on this topic, if it's new to you, read up!
PHP has a function to prevent harmful user input strings from wreaking
havoc on your db: mysql_real_escape_string() could be a real friend.

Sh.

• Next in forum: Determining filetype
• Prev in forum: Re: How to detect and delete a string like this
• Thread view: Re: How to detect and delete a string like this

[Reply to this message]