Posted by alanbe on 02/17/07 14:54
Someone filled out a comment form to me with the following string
within the message:
#file=E:\\util\\xr32\\Projects\\www42t35Href.txt
The comments are stored in a MySQL database.
When php generates the page to display this field, it looks like this:
#file=E:\util\xr32\\Projects\www42t35Href.txt
If I use something like
DELETE FROM database where lower(`comments`) like "%file=
%"
or if I try
DELETE FROM database where lower(`comments`) like "%\%"
it fails to detect the string.
How do I detect and get rid of this kind of posting?
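Added example (not part of the original post) showing why the backslash pattern above fails in MySQL and how to match the stored string safely; the table name comments_table and the id column are assumptions, and the escaping assumes the default sql_mode (NO_BACKSLASH_ESCAPES not set).

```sql
-- Why "%\%" finds nothing: MySQL applies two escaping layers.
-- 1) In the string literal, \% stays as \% (backslash-percent).
-- 2) In LIKE, \% means "a literal percent sign", not "a backslash".
-- So the pattern looks for comments that END in a real '%' character.

-- Preview first; never start with DELETE.
SELECT id, comments
FROM comments_table
WHERE LOWER(comments) LIKE '%file=%'          -- keep the pattern on one line
   OR INSTR(comments, '\\') > 0;              -- '\\' = one backslash; INSTR has no wildcards

-- Same backslash match with LIKE: escape once for the literal, once for LIKE.
SELECT id
FROM comments_table
WHERE comments LIKE '%\\\\%';                 -- literal '%\\%' -> LIKE sees escaped backslash

-- Or change the LIKE escape character so a backslash is just a backslash.
SELECT id
FROM comments_table
WHERE comments LIKE '%\\%' ESCAPE '|';        -- literal '%\%', '|' is now the escape char

-- Remove the reviewed rows with exactly the predicate you previewed.
DELETE FROM comments_table
WHERE LOWER(comments) LIKE '%file=%'
   OR INSTR(comments, '\\') > 0;
```

When the query is built from PHP, passing the search text as a bound parameter avoids the string-literal layer entirely, so only the LIKE escaping remains to think about.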