Erm, dude, chill out with the elitism.
I think there's more then 2% knowing about regexes, and more then 5%
of those 2% that can write "oh-so-complex regular expressions"

(Either GMail mangled the indentation or you need help with that part,
by the way >_>)

Oh and you complain about it not catching spelling mistakes? Yours
doesn't either - want to know why? Because they're so unpredictable.

Cheers, toxik

On 3/11/06, Julien Bonastre <[EMAIL PROTECTED]> wrote:
> Well this is cute, really it is.
>
>
> Kudos to all the in_array ideas and so forth
>
>
> But really this is just an example.
>
> In reality this wouldn't work how you've planned.
>
>
> For example take this quite realistic possibility.
>
> Lets assume the word "bad" is in your array of bad words
>
>
> Now for realistic reasons I will tell you now that the word "bad" I am
> going to use as the word we all know exists as a derogatory slang form
> of human reproduction or cursing [its starts with an F in case you
> haven't figured it out yet, four letters, ends in K, got it yet? ]
>
> Now as we know this "bad" word can be written many ways, remember, I
> won't use real word, just our safe-substitute:
> bad, bader, bading, baden, badhead, badwit, badoff, baded,
>
> and there maybe many more I can't think of....
>
> Point being? unless you do something more exotic than a precise word
> match then it won't get these suffixed versions, or even altered
> spelling versions.
>
>
> Now the next even larger problem?
>
> This in_array thing? Its cute, but if you have more than one word in any
> of your POST variables [which would be pretty safe to assume unless you
> have a bad habit of sending those one word subject, one word content,
> one word sender types of emails]
> then it won't work either
>
>
> If this is passed as say $_POST["name"]="You are a bad head!"
>
> your little snippet here will try to match "You are a bad head" to
> singular words such as ["this" "is" "a" "bad" "word"]
>
> What you need is to break up each word in your string, then do some form
> of processing ;-)
>
>
>
>
>
> Ok ok, so you want the secrets now don't you??
>
> Ok try signing up at these sites with names like: root, radix, admin, or
> some common profanity, which is located anywhere in the username, alias,
> etc:
> http://www.befitcommunity.com
> www.the-spectrum.org
>
> Exactly..
>
> Now for my implementation I ONCE AGAIN "BAD"ING rely on my regular
> expressions
>
>
> OH SUPRISE SUPRISE, maybe they were invented for a purpose???
>
>
> Its ok, nevermind, its a personal joke of mine on this list, it seems 2%
> of the PHP dev population is aware of what a regular expression is, and
> only 5% of those 2% know how to write a functioning OH SO difficult
> expression pattern..
>
>
>
> Here's the code [brace yourself, its SOOOO advanced, took me a WHOLE 0
> text books to master how to handle myself with a regular expression
> parser]:
>
> $SYSTEM["REX_FILTER"]=Array();
> $SYSTEM["REX_FILTER"]["user_name"]="/^[a-z]{2,}[a-z0-9\_\-]+$/i";
> $SYSTEM["REX_FILTER"]["password"]="/^[a-z0-9\_\-\ \!\.]+$/i";
> //$SYSTEM["REX_FILTER"]["password_chk"]="/([0-9]+[a-zA-Z\_\-\ ]+|[a-zA-Z\_\-\
>  ]+[0-9]+).*[0-9]*$/i";
> $SYSTEM["REX_FILTER"]["alias"]="/^[a-z0-9\.\_\-\!ÇüéâäàåçêëèïîìÄÅÉæÆôöòûùÿÖÜ¢£¥]+$/i";
> $SYSTEM["REX_FILTER"]["email"]="/[EMAIL PROTECTED],}/i";
> $SYSTEM["REX_FILTER"]["name"]="/^[a-zÇüéâäàåçêëèïîìÄÅÉæÆôöòûùÿÖÜ¢£¥]+$/i";
> $SYSTEM["REX_FILTER"]["RESERVED_WORDS"]="/admin|web.+(master|root)|root|forum|profile|preview|befit/i";
> $SYSTEM["REX_FILTER"]["BANNED_WORDS"]="/(fuck|cunt|shit|wanker|dick([^ 
> ]*(head|suck|lick)))/i";
>
>    if(strlen($_POST["user_name"])<5 or strlen($_POST["user_name"])>32)
> $errarr[]=$owner."user name must be between 5 and 32 characters
> [inclusive]";
>
>     
> elseif(!preg_match($SYSTEM["REX_FILTER"]["user_name"],$_POST["user_name"]))
> $errarr[]=$owner."user name must start with at least 2 alphabetical
> characters and must be followed by only alphanumerical characters and/or
> the following characters: - (hyphen) _ (underscore) \" \" (space)";
>
>     
> elseif(preg_match($SYSTEM["REX_FILTER"]["RESERVED_WORDS"],$_POST["user_name"]))
> $errarr[]=$owner."user name contains reserved or system words";
>
>     
> elseif(preg_match($SYSTEM["REX_FILTER"]["BANNED_WORDS"],$_POST["user_name"]))
> $errarr[]=$owner."user name contains \"inappropriate\" or \"offensive\"
> words";
>
>
>
> Ok so first that from two far and distant libraries on my site, first
> part with Array definition is contained in a global core variable
> definition library I have...
>
>
> its basically just there to define the chosen patterns I've chosen to
> use for particular different fields. Easy enough?
>
>
> Then I have the second part, which uses the PCRE [perl compat reg exp]
> handler functions of PHP to attempt matching my patterns to the given
> inputs from user.
>
>
> Easy right???
>
>
> Too easy, and extremely fast and effective...
>
>
>
> Feel free to pick me apart though, I'd love to hear all the negative
> things people have to say about regular expressions.
>
> They are like cars I find, everyone bitches about how expensive they are
> to run, but wouldn't we be BADed without them!?!?!?
>
>
> ---oOo--- Allowing users to execute CGI scripts in any directory should
> only be considered if: ... a.. You have no users, and nobody ever visits
> your server. ... Extracted Quote: Security Tips - Apache HTTP
> Server ---oOo--- ------oOo---------------oOo------ Julien Bonastre
> [The_RadiX] The-Spectrum Network CEO ABN: 64 235 749 494
> [EMAIL PROTECTED]
> www.the-spectrum.org ------oOo---------------oOo------
> ----- Original Message -----
> From: "Chris Payne" <[EMAIL PROTECTED]>
> To: <php-db@lists.php.net>
> Sent: Saturday, March 11, 2006 2:53 AM
> Subject: RE: [PHP-DB] Database abuse help needed
>
>
> > Ahhh thank you everyone,
> >
> > I came up with the same solution - kind of, but I used about 5 more
> > lines of
> > code to achieve the same thing as below so I was on the same tracks
> > just not
> > quite as efficient :-)
> >
> > Chris
> >
> > Incorporating what Bastien said:
> >
> > $badWordsArray = array("these" ,"are", "bad", "words"); foreach($_POST
> > as
> > $key => $value){
> > if( in_array($value, $badWordsArray) ){
> > //$value was found in $badWordsArray
> > }
> > }
> >
> > http://us2.php.net/in_array
> >
> > -----Original Message-----
> > From: Chris Payne [mailto:[EMAIL PROTECTED]
> > Sent: Thursday, March 09, 2006 8:40 PM
> > To: php-db@lists.php.net
> > Subject: RE: [PHP-DB] Database abuse help needed
> >
> > Thank you for that.  And excuse the inexperience, but how would I use
> > an
> > Array with the below?  I mean say I had words such as
> > this,is,a,bad,word
> > (Just as examples as I can't post what I'm trying to block on here)
> > how
> > would I loop through those to check if any of them exist and if they
> > do THEN
> > execute the error script?  I'm not too good with Arrays - but I'm
> > learning.
> >
> > Thank you
> >
> > Chris
> >
> > If you POST from your form use $_POST, or $_GET for a form GET
> >
> > foreach($_POST as $key => $value){
> > if( strpos($value, $findme) !== false ){
> > //$findme was found in $value
> > }
> > }
> >
> > http://php.net/manual/en/reserved.variables.php
> > http://us2.php.net/manual/en/control-structures.foreach.php
> > http://us2.php.net/strpos Yes, that's !== or ===
> >
> > -----Original Message-----
> > From: Chris Payne [mailto:[EMAIL PROTECTED]
> > Sent: Thursday, March 09, 2006 5:21 PM
> > To: php-db@lists.php.net
> > Subject: [PHP-DB] Database abuse help needed
> >
> > Hi there everyone,
> >
> > Is there a better way I can do this?
> >
> > if ($email == "[EMAIL PROTECTED]" OR $subject == "Rulez666"
> >
> > Basically, if I have data coming from a form to a DB, is there a
> > better way
> > to say check EVERY variable for  a specific set of words rather than
> > doing
> > $name, $subject etc .... seperately?
> >
> > The reason I ask is my scripts are being exploited and I can fix it
> > when the
> > attacks happen, but i'd like to be able to have a string which  checks
> > all
> > the form data and takes action if a word I define in a list exists.
> >
> > So, instead of doing if ($name == " mememe " ...... if($email == "
> > [EMAIL PROTECTED] " ....... I could just have a simple statement
> > with a
> > group of words, and if one of the words appears it takes an action I
> > specify
> > such as do not proceed to add to DB etc ....
> >
> > Any help would be greatly appreciated as I am tired of keep writing
> > the same
> > scripts with different variables, i'd love to just grab all the
> > variables
> > from the form and perform the action ONCE on the incoming form data
> > and then
> > all the variables are affected instead of doing each one.
> >
> > Please save me from going nuts :-)
> >
> > Chris
> >
> > --
> >
> >
> > --
> >
> > No virus found in this incoming message.
> > Checked by AVG Free Edition.
> > Version: 7.1.375 / Virus Database: 268.2.1/278 - Release Date:
> > 3/9/2006
> >
> > --
> >
> > --
> > PHP Database Mailing List (http://www.php.net/) To unsubscribe, visit:
> > http://www.php.net/unsub.php
> >
> >
> > --
> > No virus found in this incoming message.
> > Checked by AVG Free Edition.
> > Version: 7.1.375 / Virus Database: 268.2.1/278 - Release Date:
> > 3/9/2006
> >
> > --
> > PHP Database Mailing List (http://www.php.net/)
> > To unsubscribe, visit: http://www.php.net/unsub.php
> >
> >
> >
> > --
> > No virus found in this incoming message.
> > Checked by AVG Anti-Virus.
> > Version: 7.1.375 / Virus Database: 268.2.0/276 - Release Date:
> > 7/03/2006
> >
> >
>
>
>
> --
> No virus found in this outgoing message.
> Checked by AVG Anti-Virus.
> Version: 7.1.384 / Virus Database: 268.2.1/279 - Release Date: 10/03/2006
>
> --
> PHP Database Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>
>

--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to