Posted by Arjen on 02/17/07 18:26
alanbe wrote:
> Someone filled out a comment form to me with the following string
> within the message:
>
>
> #file=E:\\util\\xr32\\Projects\\www42t35Href.txt
>
>
> The comments are stored in a mysql database
> When php generates the page to display this field, it looks like this:
>
> #file=E:\util\xr32\\Projects\www42t35Href.txt
>
>
> If I use something like
> DELETE FROM database where lower(`comments`) like "%file=
> %"
>
> or if i try
> DELETE FROM database where lower(`comments`) like "%\%"
>
>
> it fails to detect the string.
>
> How do I detect and rid this kind of posting?
Why loop through the db ? Get ahead of this and check your post
variables :-)
// stristr() takes the haystack first and the needle second, and returns
// false when the needle is absent; the original had the arguments swapped
// and no parentheses around the condition.
foreach ($_POST as $strToCheck)
{
    if (stristr($strToCheck, 'file=') !== false)
    {
        echo 'bad words'; exit;
    }
}
--
Arjen
http://www.hondenpage.com
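A fuller version of the check Arjen suggests, added here as an example and not taken from either post. It walks nested form fields (a `tags[]` input arrives as an array, which a plain `stristr()` call would not handle), matches a list of markers case-insensitively, and reports which field tripped. The field names, the sample submission and the marker list are assumptions; in particular, blocking a bare backslash will also reject harmless comments that happen to contain one, so trim that list to what your site actually sees.

```php
<?php
// Added example, not code from the thread. Reject a form submission when any
// field, including nested array fields, contains one of a list of markers.
// Field names, sample data and the marker list are illustrative assumptions.

/**
 * Recursively walk a $_POST-shaped array and return the key path of the first
 * value containing any of $patterns (case-insensitive), or null if it is clean.
 */
function findBlockedField(array $data, array $patterns, string $prefix = ''): ?string
{
    foreach ($data as $key => $value) {
        $path = $prefix === '' ? (string) $key : $prefix . '[' . $key . ']';
        if (is_array($value)) {
            // e.g. <input name="tags[]">: recurse instead of casting to string
            $hit = findBlockedField($value, $patterns, $path);
            if ($hit !== null) {
                return $hit;
            }
            continue;
        }
        $text = (string) $value;
        foreach ($patterns as $pattern) {
            // stripos() is binary-safe and case-insensitive and returns false
            // (not 0) when the needle is absent, hence the strict comparison.
            if (stripos($text, $pattern) !== false) {
                return $path;
            }
        }
    }
    return null;
}

// Markers drawn from the thread: a "file=" directive and a Windows-style path.
// In single quotes, '\\' is a single literal backslash.
$blocked = ['file=', '\\'];

// Constructed sample submission standing in for $_POST.
$sample = [
    'name'    => 'Alice',
    'email'   => 'alice@example.org',
    'tags'    => ['php', 'mysql'],
    'comment' => "Nice site!\n#FILE=E:\\util\\xr32\\Projects\\www42t35Href.txt",
];

$hit = findBlockedField($sample, $blocked);   // 'comment'
if ($hit !== null) {
    header('HTTP/1.1 400 Bad Request');
    echo 'Submission rejected: disallowed content in field '
        . htmlspecialchars($hit, ENT_QUOTES, 'UTF-8');
    exit;
}
```

Run the check before the comment ever reaches the INSERT; it is a spam filter, not a substitute for parameterised queries, so keep escaping or binding the values that do get stored. For rows that are already in the table, a plain substring test such as `INSTR(comments, 'file=') > 0` is easier to get right than LIKE, because inside a MySQL LIKE pattern the backslash is the escape character: `'%\\%'` ends up as the pattern `%\%`, which matches a literal percent sign rather than a backslash, and matching a backslash with LIKE needs `'%\\\\%'`.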