Database abuse help needed
am 10.03.2006 00:21:25 von Chris Payne
Hi there everyone,
Is there a better way I can do this?
if ($email == "mur@mail.ru" OR $subject == "Rulez666"
Basically, if I have data coming from a form to a DB, is there a better way
to say check EVERY variable for a specific set of words rather than doing
$name, $subject etc .... separately?
The reason I ask is my scripts are being exploited and I can fix it when the
attacks happen, but I'd like to be able to have a string which checks all
the form data and takes action if a word I define in a list exists.
So, instead of doing if ($name == " mememe " ...... if($email == "
Rulez666@whatever.com " ....... I could just have a simple statement with a
group of words, and if one of the words appears it takes an action I specify
such as do not proceed to add to DB etc ....
Any help would be greatly appreciated as I am tired of writing the same
scripts with different variables; I'd love to just grab all the variables
from the form and perform the action ONCE on the incoming form data and then
all the variables are affected instead of doing each one.
Please save me from going nuts :-)
Chris
RE: Database abuse help needed
am 10.03.2006 00:31:18 von Dwight Altman
If you POST from your form use $_POST, or $_GET for a form GET
foreach($_POST as $key => $value){
if( strpos($value, $findme) !== false ){
//$findme was found in $value
}
}
http://php.net/manual/en/reserved.variables.php
http://us2.php.net/manual/en/control-structures.foreach.php
http://us2.php.net/strpos Yes, that's !== or ===
--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
RE: Database abuse help needed
am 10.03.2006 03:40:21 von Chris Payne
Thank you for that. And excuse the inexperience, but how would I use an
Array with the below? I mean say I had words such as this,is,a,bad,word
(Just as examples as I can't post what I'm trying to block on here) how
would I loop through those to check if any of them exist and if they do THEN
execute the error script? I'm not too good with Arrays - but I'm learning.
Thank you
Chris
RE: Database abuse help needed
am 10.03.2006 03:49:58 von Bastien Koert
I use an array of 'bad' words and the in_array function to check if the data
is in the array....
Bastien
RE: Database abuse help needed
am 10.03.2006 16:25:59 von Dwight Altman
Incorporating what Bastien said:
$badWordsArray = array("these" ,"are", "bad", "words");
foreach($_POST as $key => $value){
if( in_array($value, $badWordsArray) ){
//$value was found in $badWordsArray
}
}
http://us2.php.net/in_array
RE: Database abuse help needed
am 10.03.2006 17:53:44 von Chris Payne
Ahhh thank you everyone,
I came up with the same solution - kind of, but I used about 5 more lines of
code to achieve the same thing as below so I was on the same tracks just not
quite as efficient :-)
Chris
Re: Database abuse help needed
am 11.03.2006 13:53:07 von Julien Bonastre
Well this is cute, really it is.
Kudos to all the in_array ideas and so forth
But really this is just an example.
In reality this wouldn't work how you've planned.
For example take this quite realistic possibility.
Let's assume the word "bad" is in your array of bad words.
Now for realistic reasons I will tell you now that the word "bad" I am
going to use as the word we all know exists as a derogatory slang form
of human reproduction or cursing [it starts with an F in case you
haven't figured it out yet, four letters, ends in K, got it yet? ]
Now as we know this "bad" word can be written many ways, remember, I
won't use the real word, just our safe-substitute:
bad, bader, bading, baden, badhead, badwit, badoff, baded,
and there may be many more I can't think of....
Point being? Unless you do something more exotic than a precise word
match then it won't get these suffixed versions, or even altered
spelling versions.
Now the next even larger problem?
This in_array thing? It's cute, but if you have more than one word in any
of your POST variables [which would be pretty safe to assume unless you
have a bad habit of sending those one word subject, one word content,
one word sender types of emails]
then it won't work either.
If this is passed as say $_POST["name"]="You are a bad head!"
your little snippet here will try to match "You are a bad head" to
singular words such as ["this" "is" "a" "bad" "word"]
What you need is to break up each word in your string, then do some form
of processing ;-)
Ok ok, so you want the secrets now don't you??
Ok try signing up at these sites with names like: root, radix, admin, or
some common profanity, which is located anywhere in the username, alias,
etc:
http://www.befitcommunity.com
www.the-spectrum.org
Exactly..
Now for my implementation I ONCE AGAIN "BAD"ING rely on my regular
expressions.
OH SURPRISE SURPRISE, maybe they were invented for a purpose???
It's ok, never mind, it's a personal joke of mine on this list, it seems 2%
of the PHP dev population is aware of what a regular expression is, and
only 5% of those 2% know how to write a functioning OH SO difficult
expression pattern..
Here's the code [brace yourself, it's SOOOO advanced, took me a WHOLE 0
text books to master how to handle myself with a regular expression
parser]:
$SYSTEM["REX_FILTER"]=Array();
$SYSTEM["REX_FILTER"]["user_name"]="/^[a-z]{2,}[a-z0-9\_\- ]+$/i";
$SYSTEM["REX_FILTER"]["password"]="/^[a-z0-9\_\-\ \!\.]+$/i";
//$SYSTEM["REX_FILTER"]["password_chk"]="/([0-9]+[a-zA-Z\_\-\ ]+|[a-zA-Z\_\-\ ]+[0-9]+).*[0-9]*$/i";
$SYSTEM["REX_FILTER"]["alias"]="/^[a-z0-9\.\_\-\!ÇüéâäàåçêëèïîìÄÅÉæÆôöòûùÿÖÜ¢£¥]+$/i";
$SYSTEM["REX_FILTER"]["email"]="/^[a-z\_0-9\.]+@[A-Za-z0-9\-]+\.[A-Za-z0-9\-]{2,}/i";
$SYSTEM["REX_FILTER"]["name"]="/^[a-zÇüéâäàåçêëèïîìÄÅÉæÆôöòûùÿÖÜ¢£¥]+$/i";
$SYSTEM["REX_FILTER"]["RESERVED_WORDS"]="/admin|web.+(master|root)|root|forum|profile|preview|befit/i";
$SYSTEM["REX_FILTER"]["BANNED_WORDS"]="/(fuck|cunt|shit|wanker|dick([^ ]*(head|suck|lick)))/i";

// one check per branch: length first, then the field pattern, then the word lists
if(strlen($_POST["user_name"])<5 or strlen($_POST["user_name"])>32)
    $errarr[]=$owner."user name must be between 5 and 32 characters [inclusive]";
elseif(!preg_match($SYSTEM["REX_FILTER"]["user_name"],$_POST["user_name"]))
    $errarr[]=$owner."user name must start with at least 2 alphabetical characters and must be followed by only alphanumerical characters and/or the following characters: - (hyphen) _ (underscore) \" \" (space)";
elseif(preg_match($SYSTEM["REX_FILTER"]["RESERVED_WORDS"],$_POST["user_name"]))
    $errarr[]=$owner."user name contains reserved or system words";
elseif(preg_match($SYSTEM["REX_FILTER"]["BANNED_WORDS"],$_POST["user_name"]))
    $errarr[]=$owner."user name contains \"inappropriate\" or \"offensive\" words";
Ok so first, that is from two far and distant libraries on my site; the first
part with the Array definition is contained in a global core variable
definition library I have...
It's basically just there to define the patterns I've chosen to
use for particular different fields. Easy enough?
Then I have the second part, which uses the PCRE [perl compat reg exp]
handler functions of PHP to attempt matching my patterns to the given
inputs from user.
Easy right???
Too easy, and extremely fast and effective...
Feel free to pick me apart though, I'd love to hear all the negative
things people have to say about regular expressions.
They are like cars I find, everyone bitches about how expensive they are
to run, but wouldn't we be BADed without them!?!?!?
---oOo--- Allowing users to execute CGI scripts in any directory should
only be considered if: ... a.. You have no users, and nobody ever visits
your server. ... Extracted Quote: Security Tips - Apache HTTP
Server ---oOo--- ------oOo---------------oOo------ Julien Bonastre
[The_RadiX] The-Spectrum Network CEO ABN: 64 235 749 494
julien@the-spectrum.org
www.the-spectrum.org ------oOo---------------oOo------
Re: Database abuse help needed
am 11.03.2006 15:18:06 von Ludvig Ericson
Erm, dude, chill out with the elitism.
I think there's more than 2% knowing about regexes, and more than 5%
of those 2% that can write "oh-so-complex regular expressions"
(Either GMail mangled the indentation or you need help with that part,
by the way >_>)
Oh and you complain about it not catching spelling mistakes? Yours
doesn't either - want to know why? Because they're so unpredictable.
Cheers, toxik
Re: Database abuse help needed
am 12.03.2006 01:37:04 von Julien Bonastre
Yes.. elitism ;-)
That is I....
The indentation, yes, formatting of emails across different clients will
always be an issue. Regardless though, and thankfully, my code was only
a few one liners, whereby the indentation didn't play a huge role at all
in representing statements and their conditional execution basis [as
there wasn't one :p ]
Next, my snippet was an example, as I'm certain I mentioned.
A slightly modified regex could be:
/(fuc?k|dic?k|wank)(e(r|d|n)|hea?d|wit|ing?)?/i
that would capture many more variations of these profanities and their
common derivatives and suffixes..
[aside]
That I assume was where you were going with the "spelling" issue???
[/end of aside]
What is unpredictable by the way?
You seem as though you are targeting the regex patterns themselves.
Remember, there is virtually no such thing as a "computer error",
only humans that don't know how to use the computers.
If a regex behaves differently than what you expected, there is beyond a
99.9999% certainty that it is due to not having formulated the regex
correctly.
There have been many a time when even I, yes, Supreme Commander of the
entire known and even undiscovered Universe, have forged together a
pattern, ran it, achieved desired results, then realised later down the
track a certain word/condition it wasn't matching... Generally this is
due to overlooking some small condition in the pattern or a particular
situation you hadn't thought of.
For example in the above regex I give I didn't rule out strings like:
"F|_|CK"
"F\_/CK"
"D|CK"
"W/\NK"
which do look like the word I want to ensure doesn't exist on the site.
Catch is? Before I run this regex I also ensure the string firstly only
contains the following char classes: /[a-z0-9_-]/i
There we go..
Anyway, pick me more, please I love it!!!
---oOo--- Allowing users to execute CGI scripts in any directory should
only be considered if: ... a.. You have no users, and nobody ever visits
your server. ... Extracted Quote: Security Tips - Apache HTTP
Server ---oOo--- ------oOo---------------oOo------ Julien Bonastre
[The_RadiX] The-Spectrum Network CEO ABN: 64 235 749 494
julien@the-spectrum.org
www.the-spectrum.org ------oOo---------------oOo------
----- Original Message -----
From: "Ludvig Ericson"
To: "Julien Bonastre"
Cc: "Chris Payne" ;
Sent: Sunday, March 12, 2006 12:18 AM
Subject: Re: [PHP-DB] Database abuse help needed
Erm, dude, chill out with the elitism.
I think there's more than 2% knowing about regexes, and more than 5%
of those 2% that can write "oh-so-complex regular expressions"
(Either GMail mangled the indentation or you need help with that part,
by the way >_>)
Oh and you complain about it not catching spelling mistakes? Yours
doesn't either - want to know why? Because they're so unpredictable.
Cheers, toxik
On 3/11/06, Julien Bonastre wrote:
> Well this is cute, really it is.
>
> Kudos to all the in_array ideas and so forth.
>
> But really this is just an example.
>
> In reality this wouldn't work how you've planned.
>
> For example take this quite realistic possibility.
>
> Let's assume the word "bad" is in your array of bad words.
>
> Now for realistic reasons I will tell you now that the word "bad" I am
> going to use as the word we all know exists as a derogatory slang form
> of human reproduction or cursing [it starts with an F in case you
> haven't figured it out yet, four letters, ends in K, got it yet? ]
>
> Now as we know this "bad" word can be written many ways, remember, I
> won't use the real word, just our safe substitute:
> bad, bader, bading, baden, badhead, badwit, badoff, baded,
>
> and there may be many more I can't think of....
>
> Point being? Unless you do something more exotic than a precise word
> match then it won't get these suffixed versions, or even altered
> spelling versions.
>
> Now the next even larger problem?
>
> This in_array thing? It's cute, but if you have more than one word in any
> of your POST variables [which would be pretty safe to assume unless you
> have a bad habit of sending those one word subject, one word content,
> one word sender types of emails] then it won't work either.
>
> If this is passed as say $_POST["name"]="You are a bad head!"
>
> your little snippet here will try to match "You are a bad head" to
> singular words such as ["this" "is" "a" "bad" "word"]
>
> What you need is to break up each word in your string, then do some form
> of processing ;-)
>
> Ok ok, so you want the secrets now don't you??
>
> Ok try signing up at these sites with names like: root, radix, admin, or
> some common profanity, which is located anywhere in the username, alias,
> etc:
> http://www.befitcommunity.com
> www.the-spectrum.org
>
> Exactly..
>
> Now for my implementation I ONCE AGAIN "BAD"ING rely on my regular
> expressions.
>
> OH SURPRISE SURPRISE, maybe they were invented for a purpose???
>
> It's ok, never mind, it's a personal joke of mine on this list, it seems 2%
> of the PHP dev population is aware of what a regular expression is, and
> only 5% of those 2% know how to write a functioning OH SO difficult
> expression pattern..
>
> Here's the code [brace yourself, it's SOOOO advanced, took me a WHOLE 0
> text books to master how to handle myself with a regular expression
> parser]:
>
> $SYSTEM["REX_FILTER"]=Array();
> $SYSTEM["REX_FILTER"]["user_name"]="/^[a-z]{2,}[a-z0-9\_\-]+$/i";
> $SYSTEM["REX_FILTER"]["password"]="/^[a-z0-9\_\-\ \!\.]+$/i";
> //$SYSTEM["REX_FILTER"]["password_chk"]="/([0-9]+[a-zA-Z\_\-\ ]+|[a-zA-Z\_\-\ ]+[0-9]+).*[0-9]*$/i";
> $SYSTEM["REX_FILTER"]["alias"]="/^[a-z0-9\.\_\-\!ÇüéâäàåçêëèïîìÄÅÉæÆôöòûùÿÖÜ¢£¥]+$/i";
> $SYSTEM["REX_FILTER"]["email"]="/^[a-z\_0-9\.]+@[A-Za-z0-9\-]+\.[A-Za-z0-9\-]{2,}/i";
> $SYSTEM["REX_FILTER"]["name"]="/^[a-zÇüéâäàåçêëèïîìÄÅÉæÆôöòûùÿÖÜ¢£¥]+$/i";
> $SYSTEM["REX_FILTER"]["RESERVED_WORDS"]="/admin|web.+(master|root)|root|forum|profile|preview|befit/i";
> $SYSTEM["REX_FILTER"]["BANNED_WORDS"]="/(fuck|cunt|shit|wanker|dick([^ ]*(head|suck|lick)))/i";
>
> if(strlen($_POST["user_name"])<5 or strlen($_POST["user_name"])>32)
>     $errarr[]=$owner."user name must be between 5 and 32 characters [inclusive]";
> elseif(!preg_match($SYSTEM["REX_FILTER"]["user_name"],$_POST["user_name"]))
>     $errarr[]=$owner."user name must start with at least 2 alphabetical characters and must be followed by only alphanumerical characters and/or the following characters: - (hyphen) _ (underscore) \" \" (space)";
> elseif(preg_match($SYSTEM["REX_FILTER"]["RESERVED_WORDS"],$_POST["user_name"]))
>     $errarr[]=$owner."user name contains reserved or system words";
> elseif(preg_match($SYSTEM["REX_FILTER"]["BANNED_WORDS"],$_POST["user_name"]))
>     $errarr[]=$owner."user name contains \"inappropriate\" or \"offensive\" words";
>
>
>
> Ok so first, that's from two far and distant libraries on my site; the first
> part with the Array definition is contained in a global core variable
> definition library I have...
>
> It's basically just there to define the chosen patterns I've chosen to
> use for particular different fields. Easy enough?
>
> Then I have the second part, which uses the PCRE [perl compat reg exp]
> handler functions of PHP to attempt matching my patterns to the given
> inputs from user.
>
> Easy right???
>
> Too easy, and extremely fast and effective...
>
> Feel free to pick me apart though, I'd love to hear all the negative
> things people have to say about regular expressions.
>
> They are like cars I find, everyone bitches about how expensive they are
> to run, but wouldn't we be BADed without them!?!?!?
>
> ----- Original Message -----
> From: "Chris Payne"
> To:
> Sent: Saturday, March 11, 2006 2:53 AM
> Subject: RE: [PHP-DB] Database abuse help needed
>
>
> > Ahhh thank you everyone,
> >
> > I came up with the same solution - kind of, but I used about 5 more
> > lines of code to achieve the same thing as below so I was on the same
> > tracks just not quite as efficient :-)
> >
> > Chris
> >
> > Incorporating what Bastien said:
> >
> > $badWordsArray = array("these", "are", "bad", "words");
> > foreach($_POST as $key => $value){
> >     if( in_array($value, $badWordsArray) ){
> >         //$value was found in $badWordsArray
> >     }
> > }
> >
> > http://us2.php.net/in_array
> >
> > -----Original Message-----
> > From: Chris Payne [mailto:cjp@planetoxygene.com]
> > Sent: Thursday, March 09, 2006 8:40 PM
> > To: php-db@lists.php.net
> > Subject: RE: [PHP-DB] Database abuse help needed
> >
> > Thank you for that. And excuse the inexperience, but how would I use an
> > Array with the below? I mean say I had words such as this,is,a,bad,word
> > (Just as examples as I can't post what I'm trying to block on here) how
> > would I loop through those to check if any of them exist and if they do
> > THEN execute the error script? I'm not too good with Arrays - but I'm
> > learning.
> >
> > Thank you
> >
> > Chris
> >
> > If you POST from your form use $_POST, or $_GET for a form GET
> >
> > foreach($_POST as $key => $value){
> >     if( strpos($value, $findme) !== false ){
> >         //$findme was found in $value
> >     }
> > }
> >
> > http://php.net/manual/en/reserved.variables.php
> > http://us2.php.net/manual/en/control-structures.foreach.php
> > http://us2.php.net/strpos Yes, that's !== or ===
> >
Re: Database abuse help needed
am 12.03.2006 02:31:43 von Ludvig Ericson
Well, no matter how long you spend on coding a regex - no sane one
would capture all misspellings possible. It's impossible. Think of
these: fukc, fucck, f uck, fu ck, fuc k, f ukc, fu kc, fuk c, fu kk,
fawk, faak, fak, etc.
There are quite a lot.
A not too sober Ludvig.
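Pulling the thread's pieces together, as an added example that is not code from any of the posts: one validation pass over $_POST that applies a per-field allowlist pattern in the style of Julien's REX_FILTER, runs the banned-word check per token (his objection to in_array on multi-word fields), and normalises tokens before matching so some of the spaced and doubled spellings Ludvig lists collapse first. Field names, patterns and the placeholder word lists are assumptions.

```php
<?php
declare(strict_types=1);
// Added example (not code from any post in the thread): one validation pass
// over every submitted field that applies an allowlist pattern per field
// (Julien's $SYSTEM["REX_FILTER"] idea), runs the banned-word check per
// token instead of in_array() on the whole value, and normalises tokens so
// spaced/doubled spellings ("b ad", "baad") collapse first. Field names,
// patterns and the word lists are assumptions.

// Allowlist: what each field MAY contain. Anything else is rejected
// outright, so the word filter only ever sees letters, digits and spaces.
const FIELD_RULES = [
    'user_name' => ['min' => 5, 'max' => 32,   'pattern' => '/^[a-z]{2,}[a-z0-9_\- ]*$/i'],
    'email'     => ['min' => 6, 'max' => 254,  'pattern' => '/^[a-z0-9._-]+@[a-z0-9-]+(\.[a-z0-9-]+)*\.[a-z]{2,}$/i'],
    'subject'   => ['min' => 1, 'max' => 100,  'pattern' => '/^[\p{L}\p{N} .,!?\'"-]+$/u'],
    'message'   => ['min' => 1, 'max' => 2000, 'pattern' => '/^[\p{L}\p{N}\s.,!?\'"()@:\/-]+$/u'],
];

// Denylist: placeholder stems ("bad" stands in for the real word, as in the
// thread; "Rulez666" was the spam marker in Chris's first post) plus Julien's
// suffixes. Anchored, since it runs on one normalised token at a time; stems
// must not contain doubled letters because tokens are squeezed first.
const BANNED_TOKEN   = '/^(bad|rulez666)(e(r|d|n)|hea?d|wit|ing?|off)?$/i';
const RESERVED_TOKEN = '/^(admin|root|webmaster|forum|profile|preview)$/i';

/** Lower-case, drop separators inside the token, squeeze repeated letters. */
function normalizeToken(string $token): string
{
    $t = mb_strtolower($token, 'UTF-8');
    $t = preg_replace('/[^\p{L}\p{N}]+/u', '', $t);  // "b_a.d" -> "bad"
    return preg_replace('/(\p{L})\1+/u', '$1', $t);  // "baad"  -> "bad"
}

// Split on whitespace, then test each token and each pair of neighbouring
// tokens (catches "b ad" / "ba d") against an anchored pattern.
// Returns the offending text as typed, or null when nothing matched.
function findBannedToken(string $value, string $pattern): ?string
{
    $tokens = preg_split('/\s+/u', trim($value), -1, PREG_SPLIT_NO_EMPTY);
    $count  = count($tokens);
    for ($i = 0; $i < $count; $i++) {
        $candidates = [$tokens[$i]];
        if ($i + 1 < $count) {
            $candidates[] = $tokens[$i] . ' ' . $tokens[$i + 1];
        }
        foreach ($candidates as $raw) {
            $norm = normalizeToken($raw);
            if ($norm !== '' && preg_match($pattern, $norm) === 1) {
                return $raw;
            }
        }
    }
    return null;
}

// Validate every submitted field in one pass and return an array of error
// strings (empty when acceptable), in the style of the thread's $errarr[].
// Unknown fields are rejected rather than silently passed through.
function validateSubmission(array $post): array
{
    $errors = [];
    foreach ($post as $field => $value) {
        if (!is_string($value) || !isset(FIELD_RULES[$field])) {
            $errors[] = "unexpected field: $field";
            continue;
        }
        $rule = FIELD_RULES[$field];
        $len  = mb_strlen($value, 'UTF-8');
        if ($len < $rule['min'] || $len > $rule['max']) {
            $errors[] = "$field must be between {$rule['min']} and {$rule['max']} characters";
            continue;
        }
        if (preg_match($rule['pattern'], $value) !== 1) {
            $errors[] = "$field contains characters that are not allowed";
            continue;   // no point running the word filter on rejected input
        }
        if ($field === 'user_name' && findBannedToken($value, RESERVED_TOKEN) !== null) {
            $errors[] = "$field contains a reserved word";
        }
        if (($hit = findBannedToken($value, BANNED_TOKEN)) !== null) {
            $errors[] = "$field contains a blocked word (\"$hit\")";
        }
    }
    return $errors;
}

// Constructed sample submissions standing in for $_POST (no real data).
$base = ['user_name' => 'chris_p', 'email' => 'chris@example.com', 'subject' => 'Order question'];
$samples = [
    'clean'     => $base + ['message' => 'Hello, is item 42 in stock?'],
    'multiword' => $base + ['message' => 'You are a bad head!'],      // in_array() misses this
    'spaced'    => $base + ['message' => 'you are so b ad'],          // token pair catches it
    'spam'      => ['subject' => 'Rulez666'] + $base + ['message' => 'hi'],
    'reserved'  => ['user_name' => 'admin'] + $base + ['message' => 'hi'],
    'charset'   => $base + ['message' => 'hello <b>world</b>'],       // allowlist rejects it
];
foreach ($samples as $label => $post) {
    $errors = validateSubmission($post);
    printf("%-10s %s\n", $label, $errors ? implode('; ', $errors) : 'OK');
}
```

Only the first sample passes; each of the others prints the error list that explains which of the three checks rejected it.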
Re: Database abuse help needed
am 12.03.2006 12:06:50 von Julien Bonastre
Oh quite right, quite right.
I will never put my word down in stone and say that a particular
rule/pattern or for that matter, anything I say, can be held to 100%
certainty.
Who can? Ha
You are quite right Ludvig, we can only work with what we are given. I
merely attempt to "imagine" all the possibilities. Some people strive to
create them.
It's a delicate balance, but at what point do we draw the line at
automated user input verification and simply use actual human
verification methods?
A computer will have a much more difficult time recognising a word which
we read as slang but has been creatively disguised by a fellow human
brain, there is no doubt there.
I only merely tried to slightly improve his filtering regex pattern. It's
never going to be perfect, but it's a workable example.
Anyway, tata!
> > OH SUPRISE SUPRISE, maybe they were invented for a purpose???
> >
> >
> > Its ok, nevermind, its a personal joke of mine on this list, it
> > seems
> > 2%
> > of the PHP dev population is aware of what a regular expression is,
> > and
> > only 5% of those 2% know how to write a functioning OH SO difficult
> > expression pattern..
> >
> >
> >
> > Here's the code [brace yourself, its SOOOO advanced, took me a WHOLE
> > 0
> > text books to master how to handle myself with a regular expression
> > parser]:
> >
> > $SYSTEM["REX_FILTER"]=Array();
> > $SYSTEM["REX_FILTER"]["user_name"]="/^[a-z]{2,}[a-z0-9\_\-]+ $/i";
> > $SYSTEM["REX_FILTER"]["password"]="/^[a-z0-9\_\-\ \!\.]+$/i";
> > //$SYSTEM["REX_FILTER"]["password_chk"]="/([0-9]+[a-zA-Z\_\- \ ]+|[a-zA-Z\_\-\
> > ]+[0-9]+).*[0-9]*$/i";
> > $SYSTEM["REX_FILTER"]["alias"]="/^[a-z0-9\.\_\-\!Çüéâäàåçêëè ïîìÄÅÉæÆôöòûùÿÖÜ¢£¥]+$/i";
> > $SYSTEM["REX_FILTER"]["email"]="/^[a-z\_0-9\.]+@[A-Za-z0-9\- ]+\.[A-Za-z0-9\-]{2,}/i";
> > $SYSTEM["REX_FILTER"]["name"]="/^[a-zÇüéâäàåçêëèïîìÄÅÉæÆôöòû ùÿÖÜ¢£¥]+$/i";
> > $SYSTEM["REX_FILTER"]["RESERVED_WORDS"]="/admin|web.+(master |root)|root|forum|profile|preview|befit/i";
> > $SYSTEM["REX_FILTER"]["BANNED_WORDS"]="/(fuck|cunt|shit|wank er|dick([^
> > ]*(head|suck|lick)))/i";
> >
> > if(strlen($_POST["user_name"])<5 or
> > strlen($_POST["user_name"])>32)
> > $errarr[]=$owner."user name must be between 5 and 32 characters
> > [inclusive]";
> >
> >
> > elseif(!preg_match($SYSTEM["REX_FILTER"]["user_name"],$_POST ["user_name"]))
> > $errarr[]=$owner."user name must start with at least 2 alphabetical
> > characters and must be followed by only alphanumerical characters
> > and/or
> > the following characters: - (hyphen) _ (underscore) \" \" (space)";
> >
> >
> > elseif(preg_match($SYSTEM["REX_FILTER"]["RESERVED_WORDS"],$_ POST["user_name"]))
> > $errarr[]=$owner."user name contains reserved or system words";
> >
> >
> > elseif(preg_match($SYSTEM["REX_FILTER"]["BANNED_WORDS"],$_PO ST["user_name"]))
> > $errarr[]=$owner."user name contains \"inappropriate\" or
> > \"offensive\"
> > words";
> >
> >
> >
> > Ok so first that from two far and distant libraries on my site,
> > first
> > part with Array definition is contained in a global core variable
> > definition library I have...
> >
> >
> > its basically just there to define the chosen patterns I've chosen
> > to
> > use for particular different fields. Easy enough?
> >
> >
> > Then I have the second part, which uses the PCRE [perl compat reg
> > exp]
> > handler functions of PHP to attempt matching my patterns to the
> > given
> > inputs from user.
> >
> >
> > Easy right???
> >
> >
> > Too easy, and extremely fast and effective...
> >
> >
> >
> > Feel free to pick me apart though, I'd love to hear all the negative
> > things people have to say about regular expressions.
> >
> > They are like cars I find, everyone bitches about how expensive they
> > are
> > to run, but wouldn't we be BADed without them!?!?!?
> >
> >
> > ---oOo--- Allowing users to execute CGI scripts in any directory
> > should
> > only be considered if: ... a.. You have no users, and nobody ever
> > visits
> > your server. ... Extracted Quote: Security Tips - Apache HTTP
> > Server ---oOo--- ------oOo---------------oOo------ Julien Bonastre
> > [The_RadiX] The-Spectrum Network CEO ABN: 64 235 749 494
> > julien@the-spectrum.org
> > www.the-spectrum.org ------oOo---------------oOo------
> > ----- Original Message -----
> > From: "Chris Payne"
> > To:
> > Sent: Saturday, March 11, 2006 2:53 AM
> > Subject: RE: [PHP-DB] Database abuse help needed
> >
> >
> > > Ahhh thank you everyone,
> > >
> > > I came up with the same solution - kind of, but I used about 5
> > > more
> > > lines of
> > > code to achieve the same thing as below so I was on the same
> > > tracks
> > > just not
> > > quite as efficient :-)
> > >
> > > Chris
> > >
> > > Incorporating what Bastien said:
> > >
> > > $badWordsArray = array("these" ,"are", "bad", "words");
> > > foreach($_POST
> > > as
> > > $key => $value){
> > > if( in_array($value, $badWordsArray) ){
> > > //$value was found in $badWordsArray
> > > }
> > > }
> > >
> > > http://us2.php.net/in_array
> > >
> > > -----Original Message-----
> > > From: Chris Payne [mailto:cjp@planetoxygene.com]
> > > Sent: Thursday, March 09, 2006 8:40 PM
> > > To: php-db@lists.php.net
> > > Subject: RE: [PHP-DB] Database abuse help needed
> > >
> > > Thank you for that. And excuse the inexperience, but how would I
> > > use
> > > an
> > > Array with the below? I mean say I had words such as
> > > this,is,a,bad,word
> > > (Just as examples as I can't post what I'm trying to block on
> > > here)
> > > how
> > > would I loop through those to check if any of them exist and if
> > > they
> > > do THEN
> > > execute the error script? I'm not too good with Arrays - but I'm
> > > learning.
> > >
> > > Thank you
> > >
> > > Chris
> > >
> > > If you POST from your form use $_POST, or $_GET for a form GET
> > >
> > > foreach($_POST as $key => $value){
> > > if( strpos($value, $findme) !== false ){
> > > //$findme was found in $value
> > > }
> > > }
> > >
> > > http://php.net/manual/en/reserved.variables.php
> > > http://us2.php.net/manual/en/control-structures.foreach.php
> > > http://us2.php.net/strpos Yes, that's !== or ===
> > >
> > > -----Original Message-----
> > > From: Chris Payne [mailto:chris@artistwd.com]
> > > Sent: Thursday, March 09, 2006 5:21 PM
> > > To: php-db@lists.php.net
> > > Subject: [PHP-DB] Database abuse help needed
> > >
> > > Hi there everyone,
> > >
> > > Is there a better way I can do this?
> > >
> > > if ($email == "mur@mail.ru" OR $subject == "Rulez666"
> > >
> > > Basically, if I have data coming from a form to a DB, is there a
> > > better way
> > > to say check EVERY variable for a specific set of words rather
> > > than
> > > doing
> > > $name, $subject etc .... seperately?
> > >
> > > The reason I ask is my scripts are being exploited and I can fix
> > > it
> > > when the
> > > attacks happen, but i'd like to be able to have a string which
> > > checks
> > > all
> > > the form data and takes action if a word I define in a list
> > > exists.
> > >
> > > So, instead of doing if ($name == " mememe " ...... if($email == "
> > > Rulez666@whatever.com " ....... I could just have a simple
> > > statement
> > > with a
> > > group of words, and if one of the words appears it takes an action
> > > I
> > > specify
> > > such as do not proceed to add to DB etc ....
> > >
> > > Any help would be greatly appreciated as I am tired of keep
> > > writing
> > > the same
> > > scripts with different variables, i'd love to just grab all the
> > > variables
> > > from the form and perform the action ONCE on the incoming form
> > > data
> > > and then
> > > all the variables are affected instead of doing each one.
> > >
> > > Please save me from going nuts :-)
> > >
> > > Chris
> > >
> > > --
> > >
> > >
> > > --
> > >
> > > No virus found in this incoming message.
> > > Checked by AVG Free Edition.
> > > Version: 7.1.375 / Virus Database: 268.2.1/278 - Release Date:
> > > 3/9/2006
> > >
> > > --
> > >
> > > --
> > > PHP Database Mailing List (http://www.php.net/) To unsubscribe,
> > > visit:
> > > http://www.php.net/unsub.php
> > >
> > >
> > > --
> > > No virus found in this incoming message.
> > > Checked by AVG Free Edition.
> > > Version: 7.1.375 / Virus Database: 268.2.1/278 - Release Date:
> > > 3/9/2006
> > >
> > > --
> > > PHP Database Mailing List (http://www.php.net/)
> > > To unsubscribe, visit: http://www.php.net/unsub.php
> > >
> > >
> > >
> > > --
> > > No virus found in this incoming message.
> > > Checked by AVG Anti-Virus.
> > > Version: 7.1.375 / Virus Database: 268.2.0/276 - Release Date:
> > > 7/03/2006
> > >
> > >
> >
> >
> >
> > --
> > No virus found in this outgoing message.
> > Checked by AVG Anti-Virus.
> > Version: 7.1.384 / Virus Database: 268.2.1/279 - Release Date:
> > 10/03/2006
> >
> > --
> > PHP Database Mailing List (http://www.php.net/)
> > To unsubscribe, visit: http://www.php.net/unsub.php
> >
> >
>
>
> --
> No virus found in this incoming message.
> Checked by AVG Anti-Virus.
> Version: 7.1.384 / Virus Database: 268.2.1/279 - Release Date:
> 10/03/2006
>
>
>
>
> --
> No virus found in this outgoing message.
> Checked by AVG Anti-Virus.
> Version: 7.1.384 / Virus Database: 268.2.1/279 - Release Date:
> 10/03/2006
>
> --
> PHP Database Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>
>
--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: Database abuse help needed
on 12.03.2006 14:21:40 by Ludvig Ericson
No, I agree, for this matter you can never create a regular expression well written enough to match all or even most of the lingo we use.

I've been thinking about that though, you could theoretically make the computer create a sound comparison between two words, like the soundex() function was made to do (but it isn't that exact so)
On 3/12/06, Julien Bonastre wrote:
> Oh quite right, quite right
>
> I will never put my word down in stone and say that a particular rule/pattern or for that matter, anything I say, can be held to 100% certainty
>
> Who can? Ha
>
> You are quite right Ludvig, we can only work with what we are given. I merely attempt to "imagine" all the possibilities. Some people strive to create them.
>
> It's a delicate balance but at what point do we draw the line at automated user input verification and simply using actual human verification methods?
>
> A computer will have a much more difficult time recognising a word which we read as slang but has been creatively disguised by a fellow human brain, there is no doubt there.
>
> I only merely tried to slightly improve his filtering regex pattern. It's never going to be perfect, but it's a workable example.
>
> Anyway, tata!
>
> ---oOo--- Allowing users to execute CGI scripts in any directory should
> only be considered if: ... a.. You have no users, and nobody ever visits
> your server. ... Extracted Quote: Security Tips - Apache HTTP
> Server ---oOo--- ------oOo---------------oOo------ Julien Bonastre
> [The_RadiX] The-Spectrum Network CEO ABN: 64 235 749 494
> julien@the-spectrum.org
> www.the-spectrum.org ------oOo---------------oOo------
> ----- Original Message -----
> From: "Ludvig Ericson"
> To: "Julien Bonastre"
> Cc:
> Sent: Sunday, March 12, 2006 11:31 AM
> Subject: Re: [PHP-DB] Database abuse help needed
>
>
> Well, no matter how long you spend on coding a regex - no sane one would capture all misspellings possible. It's impossible. Think of these: fukc, fucck, f uck, fu ck, fuc k, f ukc, fu kc, fuk c, fu kk, fawk, faak, fak, etc.
>
> There are quite a lot
>
> A not too sober Ludvig.
>
>
> On 3/12/06, Julien Bonastre wrote:
> > Yes.. elitism ;-)
> >
> > That is I....
> >
> > The indentation, yes, formatting of emails across different clients will always be an issue. Regardless though, and thankfully, my code was only a few one liners, whereby the indentation didn't play a huge role at all in representing statements and their conditional execution basis [as there wasn't one :p ]
> >
> > Next, my snippet was an example, as I'm certain I mentioned.
> >
> > A slightly modified regex could be:
> >
> > /(fuc?k|dic?k|wank)(e(r|d|n)|hea?d|wit|ing?)?/i
> >
> > that would capture many more variations of these profanities and their common derivatives and suffixes..
> >
> > [aside]
> > That I assume was where you were going with the "spelling" issue???
> > [/end of aside]
> >
> > What is unpredictable by the way?
> >
> > You seem as though you are targeting the regex patterns themselves.
> >
> > Remember, there is virtually no such thing as a "computer error", only humans that don't know how to use the computers.
> >
> > If a regex behaves differently from what you expected, there is beyond a 99.9999% certainty that it is due to not having formulated the regex correctly.
> >
> > There have been many a time when even I, yes, Supreme Commander of the entire known and even undiscovered Universe, have forged together a pattern, ran it, achieved desired results, then realised later down the track a certain word/condition it wasn't matching... Generally this is due to overlooking some small condition in the pattern or a particular situation you hadn't thought of.
> >
> > For example, in the above regex I gave I didn't rule out strings like:
> > "F|_|CK"
> > "F\_/CK"
> > "D|CK"
> > "W/\NK"
> >
> > which do look like the word I want to ensure doesn't exist on the site,
> >
> > Catch is? before I run this regex I also ensure the string firstly only contains the following char classes: /[a-z0-9_-]/i
> >
> > There we go..
> >
> > Anyway, pick me more, please I love it!!!
> >
> > ----- Original Message -----
> > From: "Ludvig Ericson"
> > To: "Julien Bonastre"
> > Cc: "Chris Payne" ;
> > Sent: Sunday, March 12, 2006 12:18 AM
> > Subject: Re: [PHP-DB] Database abuse help needed
> >
> >
> > Erm, dude, chill out with the elitism.
> > I think there's more than 2% knowing about regexes, and more than 5% of those 2% that can write "oh-so-complex regular expressions"
> >
> > (Either GMail mangled the indentation or you need help with that part, by the way >_>)
> >
> > Oh and you complain about it not catching spelling mistakes? Yours doesn't either - want to know why? Because they're so unpredictable.
> >
> > Cheers, toxik
> >
> > On 3/11/06, Julien Bonastre wrote:
> > > Well this is cute, really it is.
> > >
> > > Kudos to all the in_array ideas and so forth
> > >
> > > But really this is just an example.
> > >
> > > In reality this wouldn't work how you've planned.
> > >
> > > For example take this quite realistic possibility.
> > >
> > > Let's assume the word "bad" is in your array of bad words
> > >
> > > Now for realistic reasons I will tell you now that the word "bad" I am going to use as the word we all know exists as a derogatory slang form of human reproduction or cursing [it starts with an F in case you haven't figured it out yet, four letters, ends in K, got it yet? ]
> > >
> > > Now as we know this "bad" word can be written many ways, remember, I won't use the real word, just our safe-substitute:
> > > bad, bader, bading, baden, badhead, badwit, badoff, baded,
> > >
> > > and there may be many more I can't think of....
> > >
> > > Point being? unless you do something more exotic than a precise word match then it won't get these suffixed versions, or even altered spelling versions.
> > >
> > > Now the next even larger problem?
> > >
> > > This in_array thing? It's cute, but if you have more than one word in any of your POST variables [which would be pretty safe to assume unless you have a bad habit of sending those one word subject, one word content, one word sender types of emails] then it won't work either
> > >
> > > If this is passed as say $_POST["name"]="You are a bad head!"
> > >
> > > your little snippet here will try to match "You are a bad head" to singular words such as ["this" "is" "a" "bad" "word"]
> > >
> > > What you need is to break up each word in your string, then do some form of processing ;-)
> > >
> > > Ok ok, so you want the secrets now don't you??
> > >
> > > Ok try signing up at these sites with names like: root, radix, admin, or some common profanity, which is located anywhere in the username, alias, etc:
> > > http://www.befitcommunity.com
> > > www.the-spectrum.org
> > >
> > > Exactly..
> > >
> > > Now for my implementation I ONCE AGAIN "BAD"ING rely on my regular expressions
> > >
> > > OH SURPRISE SURPRISE, maybe they were invented for a purpose???
> > >
> > > It's ok, never mind, it's a personal joke of mine on this list, it seems 2% of the PHP dev population is aware of what a regular expression is, and only 5% of those 2% know how to write a functioning OH SO difficult expression pattern..
> > >
> > > Here's the code [brace yourself, it's SOOOO advanced, took me a WHOLE 0 text books to master how to handle myself with a regular expression parser]:
> > >
> > > $SYSTEM["REX_FILTER"]=Array();
> > > $SYSTEM["REX_FILTER"]["user_name"]="/^[a-z]{2,}[a-z0-9\_\-]+$/i";
> > > $SYSTEM["REX_FILTER"]["password"]="/^[a-z0-9\_\-\ \!\.]+$/i";
> > > //$SYSTEM["REX_FILTER"]["password_chk"]="/([0-9]+[a-zA-Z\_\-\ ]+|[a-zA-Z\_\-\ ]+[0-9]+).*[0-9]*$/i";
> > > $SYSTEM["REX_FILTER"]["alias"]="/^[a-z0-9\.\_\-\!ÇüéâäàåçêëèïîìÄÅÉæÆôöòûùÿÖÜ¢£¥]+$/i";
> > > $SYSTEM["REX_FILTER"]["email"]="/^[a-z\_0-9\.]+@[A-Za-z0-9\-]+\.[A-Za-z0-9\-]{2,}/i";
> > > $SYSTEM["REX_FILTER"]["name"]="/^[a-zÇüéâäàåçêëèïîìÄÅÉæÆôöòûùÿÖÜ¢£¥]+$/i";
> > > $SYSTEM["REX_FILTER"]["RESERVED_WORDS"]="/admin|web.+(master|root)|root|forum|profile|preview|befit/i";
> > > $SYSTEM["REX_FILTER"]["BANNED_WORDS"]="/(fuck|cunt|shit|wanker|dick([^ ]*(head|suck|lick)))/i";
> > >
> > > if(strlen($_POST["user_name"])<5 or strlen($_POST["user_name"])>32)
> > >     $errarr[]=$owner."user name must be between 5 and 32 characters [inclusive]";
> > > elseif(!preg_match($SYSTEM["REX_FILTER"]["user_name"],$_POST["user_name"]))
> > >     $errarr[]=$owner."user name must start with at least 2 alphabetical characters and must be followed by only alphanumerical characters and/or the following characters: - (hyphen) _ (underscore) \" \" (space)";
> > > elseif(preg_match($SYSTEM["REX_FILTER"]["RESERVED_WORDS"],$_POST["user_name"]))
> > >     $errarr[]=$owner."user name contains reserved or system words";
> > > elseif(preg_match($SYSTEM["REX_FILTER"]["BANNED_WORDS"],$_POST["user_name"]))
> > >     $errarr[]=$owner."user name contains \"inappropriate\" or \"offensive\" words";
> > >
> > >
> > >
> > > Ok so first, that is from two far and distant libraries on my site; the first part with the Array definition is contained in a global core variable definition library I have...
> > >
> > > It's basically just there to define the chosen patterns I've chosen to use for particular different fields. Easy enough?
> > >
> > > Then I have the second part, which uses the PCRE [perl compat reg exp] handler functions of PHP to attempt matching my patterns to the given inputs from user.
> > >
> > > Easy right???
> > >
> > > Too easy, and extremely fast and effective...
> > >
> > > Feel free to pick me apart though, I'd love to hear all the negative things people have to say about regular expressions.
> > >
> > > They are like cars I find, everyone bitches about how expensive they are to run, but wouldn't we be BADed without them!?!?!?
> > >
> > > ----- Original Message -----
> > > From: "Chris Payne"
> > > To:
> > > Sent: Saturday, March 11, 2006 2:53 AM
> > > Subject: RE: [PHP-DB] Database abuse help needed
> > >
> > >
> > > > Ahhh thank you everyone,
> > > >
> > > > I came up with the same solution - kind of, but I used about 5 more lines of code to achieve the same thing as below so I was on the same tracks just not quite as efficient :-)
> > > >
> > > > Chris
> > > >
> > > > Incorporating what Bastien said:
> > > >
> > > > $badWordsArray = array("these" ,"are", "bad", "words");
> > > > foreach($_POST as $key => $value){
> > > >     if( in_array($value, $badWordsArray) ){
> > > >         //$value was found in $badWordsArray
> > > >     }
> > > > }
> > > >
> > > > http://us2.php.net/in_array
> > > >
> > > > -----Original Message-----
> > > > From: Chris Payne [mailto:cjp@planetoxygene.com]
> > > > Sent: Thursday, March 09, 2006 8:40 PM
> > > > To: php-db@lists.php.net
> > > > Subject: RE: [PHP-DB] Database abuse help needed
> > > >
> > > > Thank you for that. And excuse the inexperience, but how would I use an Array with the below? I mean say I had words such as this,is,a,bad,word (Just as examples as I can't post what I'm trying to block on here) how would I loop through those to check if any of them exist and if they do THEN execute the error script? I'm not too good with Arrays - but I'm learning.
> > > >
> > > > Thank you
> > > >
> > > > Chris
> > > >
> > > > If you POST from your form use $_POST, or $_GET for a form GET
> > > >
> > > > foreach($_POST as $key => $value){
> > > >     if( strpos($value, $findme) !== false ){
> > > >         //$findme was found in $value
> > > >     }
> > > > }
> > > >
> > > > http://php.net/manual/en/reserved.variables.php
> > > > http://us2.php.net/manual/en/control-structures.foreach.php
> > > > http://us2.php.net/strpos Yes, that's !== or ===
> > > >
> > > > -----Original Message-----
> > > > From: Chris Payne [mailto:chris@artistwd.com]
> > > > Sent: Thursday, March 09, 2006 5:21 PM
> > > > To: php-db@lists.php.net
> > > > Subject: [PHP-DB] Database abuse help needed
> > > >
> > > > Hi there everyone,
> > > >
> > > > Is there a better way I can do this?
> > > >
> > > > if ($email == "mur@mail.ru" OR $subject == "Rulez666"
> > > >
> > > > Basically, if I have data coming from a form to a DB, is there a better way to say check EVERY variable for a specific set of words rather than doing $name, $subject etc .... separately?
> > > >
> > > > The reason I ask is my scripts are being exploited and I can fix it when the attacks happen, but I'd like to be able to have a string which checks all the form data and takes action if a word I define in a list exists.
> > > >
> > > > So, instead of doing if ($name == " mememe " ...... if($email == " Rulez666@whatever.com " ....... I could just have a simple statement with a group of words, and if one of the words appears it takes an action I specify such as do not proceed to add to DB etc ....
> > > >
> > > > Any help would be greatly appreciated as I am tired of writing the same scripts with different variables, I'd love to just grab all the variables from the form and perform the action ONCE on the incoming form data and then all the variables are affected instead of doing each one.
> > > >
> > > > Please save me from going nuts :-)
> > > >
> > > > Chris
> > > >
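The two points made in the exchange quoted above, that in_array() on a whole field never sees a blocked word sitting inside a sentence, and that the character allow-list has to run before the profanity regex, combined into one pass over every submitted field. This is an added example, not code from the thread or from either poster's site: the allow-list, the stems and suffixes, the field names and the sample submission are all assumptions for illustration, and "bad" stands in for the real word as it does in the thread.

```php
<?php
declare(strict_types=1);

// Added example, not code from the thread. One pass over every submitted
// field, applying the two checks Julien describes in the order he describes
// them: a character allow-list first, then a word-level block-list. The
// allow-list, stems, suffixes, field names and sample data are assumptions;
// "bad" stands in for the real word, as it does in the thread.

const ALLOWED_RE  = '/^[a-z0-9 _\-.!?,@]+$/i';    // assumed per-field allow-list
const BLOCK_STEMS = ['bad', 'admin', 'root'];     // assumed block-list stems
const SUFFIXES    = 'e[rdn]|hea?d|wit|off|ing?';  // Julien's suffixes plus "off"

// Build one anchored pattern: a whole token must be a stem plus an optional
// suffix. Anchoring is what keeps "badge" or "administer" from matching.
function blockPattern(array $stems, string $suffixes): string
{
    $alt = implode('|', array_map(fn (string $s): string => preg_quote($s, '/'), $stems));
    return '/^(?:' . $alt . ')(?:' . $suffixes . ')?$/i';
}

// Check one value. Returns null when clean, otherwise the reason.
// The allow-list runs first, so "B|_|D" is rejected for its characters
// before the block-list ever has to recognise it as a disguised word.
function checkValue(string $value, string $pattern): ?string
{
    if ($value === '' || preg_match(ALLOWED_RE, $value) !== 1) {
        return 'contains characters outside the allow-list';
    }
    // Split into words so "You are a bad head!" is inspected token by token;
    // in_array() compares the whole string and never sees "bad" on its own.
    $tokens = preg_split('/[^a-z0-9]+/i', $value, -1, PREG_SPLIT_NO_EMPTY);
    foreach ($tokens as $tok) {
        if (preg_match($pattern, $tok) === 1) {
            return "contains blocked word \"$tok\"";
        }
    }
    return null;
}

// Run the same check over every field; returns [field => reason] for failures.
function checkForm(array $fields): array
{
    $pattern = blockPattern(BLOCK_STEMS, SUFFIXES);
    $errors  = [];
    foreach ($fields as $name => $value) {
        if (!is_string($value)) {                // name[] inputs arrive as arrays
            $errors[$name] = 'unexpected non-string value';
            continue;
        }
        $reason = checkValue($value, $pattern);
        if ($reason !== null) {
            $errors[$name] = $reason;
        }
    }
    return $errors;
}

// Constructed sample submission standing in for $_POST.
$sample = [
    'name'    => 'You are a bad head!',   // stem as its own word in a sentence
    'subject' => 'badhead',               // stem plus a listed suffix
    'email'   => 'badger@example.com',    // "ger" is not a listed suffix
    'alias'   => 'B|_|D',                 // disguised spelling, chars outside the allow-list
    'body'    => 'nothing to see here',
];

foreach (checkForm($sample) as $field => $reason) {
    echo "$field: $reason\n";
}
```

The token match is anchored at both ends, which is what lets "badger" through while "badhead" is caught; Julien's pattern is unanchored, so it also fires on "dick" inside any longer word. The allow-list is deliberately checked first because, as the quoted messages say, the disguised spellings are far easier to reject by character class than to enumerate in the block-list.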
RE: Database abuse help needed
on 13.03.2006 20:58:59 by Dfinner
> No, I agree, for this matter you can never create a regular expression well written enough to match all or even most of the lingo we use.
=======================================================================
Been off the list for a couple of days and just stumbled across this thread.

Our company uses some kind of 'nicey-nice gotta have a non-threatening work environment' filter and I've had a couple of emails (somebody had a post with the 'S' word written out in its ugly full self, shame - shame...) rejected because of the inclusion of 'FORBIDDEN WORDS'(tm). Interestingly, this thread full of F|_|CKs and D1CKH3EDs made it through totally unscathed. Spam containing ads for all known s3xual enhancement products is delivered to my doorstep every day.

Kinda makes the point that you'll never trap even a fraction of the offensive content given the immense creativity of the human mind.

Doug
____________________________________________________________ ___________
This e-mail message has been sent by Kollsman, Inc. and is for the use
of the intended recipients only. The message may contain privileged
or confidential information. If you are not the intended recipient
you are hereby notified that any use, distribution or copying of
this communication is strictly prohibited, and you are requested to
delete the e-mail and any attachments and notify the sender immediately.
Re: Database abuse help needed
on 13.03.2006 22:14:28 by Ludvig Ericson
Another fine thing about this is the fact that you can use unicode characters as an alternative which the regular expression engine probably won't match, unless it's somehow tweaked. This is the same theory as when you are doing phishing, for say ebay.com, and replace the a with one of them non-ASCII letters, providing a link so that you won't have to type it. Only the other way around.

It is a problem we have with information - it's hard to analyze the human communication essence (not the right word - duh I'm not a native)
On 3/13/06, Finner, Doug wrote:
> > No, I agree, for this matter you can never create a regular expression well written enough to match all or even most of the lingo we use.
> =======================================================================
> Been off the list for a couple of days and just stumbled across this thread.
>
> Our company uses some kind of 'nicey-nice gotta have a non-threatening work environment' filter and I've had a couple of emails (somebody had a post with the 'S' word written out in its ugly full self, shame - shame...) rejected because of the inclusion of 'FORBIDDEN WORDS'(tm). Interestingly, this thread full of F|_|CKs and D1CKH3EDs made it through totally unscathed. Spam containing ads for all known s3xual enhancement products is delivered to my doorstep every day.
>
> Kinda makes the point that you'll never trap even a fraction of the offensive content given the immense creativity of the human mind.
>
> Doug
>
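The look-alike-letter bypass Ludvig describes above, shown against three inputs. This is an added example and not code from the thread; "bad" again stands in for the real word, the inputs are constructed, and it assumes PHP with the intl extension loaded for the Normalizer class. It contrasts the block-list regex on its own, the regex after NFKC normalisation, and the plain ASCII allow-list the thread keeps coming back to.

```php
<?php
declare(strict_types=1);

// Added example, not code from the thread. It shows the bypass Ludvig
// describes: a block-list regex written for ASCII letters does not match a
// word in which one letter has been swapped for a look-alike from another
// script, and what Unicode normalisation and a character allow-list each do
// about it. "bad" stands in for the real word, as in the thread; the inputs
// are constructed. Requires PHP's intl extension for the Normalizer class.

const BLOCK_RE = '/\bbad\b/iu';

// The naive check: the block-list regex on its own.
function blocked(string $s): bool
{
    return preg_match(BLOCK_RE, $s) === 1;
}

// NFKC folds compatibility forms (fullwidth letters, ligatures) back to the
// plain letters, so the regex then matches. It does NOT fold cross-script
// confusables: Cyrillic U+0430 is a distinct letter, not a compatibility
// form of Latin "a", and survives normalisation unchanged.
function normalised(string $s): string
{
    $n = Normalizer::normalize($s, Normalizer::FORM_KC);
    return $n === false ? $s : $n;
}

// The defence the thread settles on: accept only the characters you expect,
// so a look-alike letter is rejected outright rather than having to be
// recognised. Without the /u modifier each non-ASCII byte falls outside the
// class, so any multibyte UTF-8 sequence fails the match.
function asciiOnly(string $s): bool
{
    return preg_match('/^[a-z0-9_\-]+$/i', $s) === 1;
}

$inputs = [
    'plain'      => 'bad',
    'fullwidth'  => "\u{FF42}\u{FF41}\u{FF44}",   // ｂａｄ: fullwidth Latin letters
    'cyrillic_a' => "b\u{0430}d",                 // Latin b, Cyrillic а, Latin d
];

printf("%-11s %-8s %-12s %s\n", 'input', 'regex', 'regex+NFKC', 'allow-list');
foreach ($inputs as $label => $s) {
    printf("%-11s %-8s %-12s %s\n",
        $label,
        blocked($s) ? 'blocked' : 'missed',
        blocked(normalised($s)) ? 'blocked' : 'missed',
        asciiOnly($s) ? 'accepted' : 'rejected');
}
```

Normalisation is worth having for fields that legitimately accept non-ASCII text, since it collapses the fullwidth and ligature variants, but it is not a confusables map: the Cyrillic substitution Ludvig is talking about still has to be caught by restricting the accepted scripts, which for a username is simplest to do with the allow-list.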