And doing a bit more, I find that '=' and '-' are passing through OK so I'll
need to train my users to use an alternative to '+'.
The choking seems to be with my parsing function, which I have pasted in
below:
=================================================
function sql_fltr($sql,$field,$input){
if(strlen($input)>0){
if( substr_count($input,"=")>0 | substr_count($input," -")>0 |
substr_count($input," +")>0 ){
$output = "";
$temp = str_replace(" -","|-",(str_replace("
-","|-",($input))));
$temp = explode("|",$temp);
for ($i = 0; $i <= sizeof($temp); $i++){
if (substr($temp[$i],0,1)=="*"){
$temp[$i] = $field." like
'".rtrim(str_replace("*","%",$temp[$i]))."%'";
$output.= $temp[$i]."|";
} elseif (substr($temp[$i],0,1)=="-"){
$temp[$i] = " and ".$field." not like
'".rtrim(str_replace("*","%",$temp[$i]))."'";
$output.= $temp[$i]."|";
} elseif (substr($temp[$i],0,1)=="="){
$temp[$i] = " and
".$field."='".rtrim(str_replace("=","",$temp[$i]))."'";
$output.= $temp[$i]."|";
} elseif (substr($temp[$i],0,1)!="+" &&
substr($temp[$i],0,1)!="-"&&substr($temp[$i],0,1)!="*" &&
substr($temp[$i],0,1)!="="){
$temp[$i] = "and ".$field." like
'%".rtrim(str_replace("=","",$temp[$i]))."'";
$output.= $temp[$i]."|";
} else {
$temp[$i] = "
".$field."='".rtrim($temp[$i])."'";
$output.= $temp[$i]."|";
}
}
$output = " AND ".substr($output,0,strlen($output)-1);
} else {
$temp = $input;
if (substr($temp,0,1)=="*"){
$temp = $field." like
'".rtrim(str_replace("*","%",$temp))."'";
} elseif (substr($temp,0,1)=="-"){
$temp = $field." not like
'".rtrim(str_replace("*","%",$temp))."'";
} elseif (substr($temp,0,1)=="="){
$temp =
$field."='".rtrim(str_replace("=","",$temp))."'";
} elseif (substr($temp,0,1)!="+" &&
substr($temp,0,1)!="-"&&substr($temp,0,1)!="*" && substr($temp,0,1)!="="){
$temp = $field." like
'%".rtrim(str_replace("=","",$temp))."'";
} else {
$temp = $field."='".rtrim($temp)."'";
}
$output = " AND ".$temp;
}
} else {
$output = "";
}
return $output;
}
=================================================
This works fine if the user has eneterd either no control or the * wildcared
with the criteria.
Any suggestions?
Cheers
George
> -----Original Message-----
> From: George Pitcher [mailto:[EMAIL PROTECTED]
> Sent: 20 May 2004 2:33 pm
> To: [EMAIL PROTECTED]
> Subject: RE: [PHP-WIN] Passing +, =, - at post and get
>
>
> Charles,
>
> No way! This site will only have about 3-4 users as its an
> intranet and I'll
> be parsing everything at the server end.
>
> George
>
>
> > -----Original Message-----
> > From: Charles P. Killmer [mailto:[EMAIL PROTECTED]
> > Sent: 20 May 2004 2:31 pm
> > To: [EMAIL PROTECTED]
> > Subject: RE: [PHP-WIN] Passing +, =, - at post and get
> >
> >
> > I hope you are not allowing the client to send T-SQL through the query
> > string. Consider them sending something like
> > File.php?Query='; drop table XXX; --
> >
> > Charles Killmer
> >
> > -----Original Message-----
> > From: George Pitcher [mailto:[EMAIL PROTECTED]
> > Sent: Thursday, May 20, 2004 8:25 AM
> > To: [EMAIL PROTECTED]
> > Subject: [PHP-WIN] Passing +, =, - at post and get
> >
> > Hi,
> >
> > I want to be able to pass the '=', '+' and '-' characters both from a
> > web form and as part of a url, to enable a better way of searching.
> > However, these characters are choking my IIS webserver and not getting
> > through to the script.
> >
> > Can anyone suggest a better way of achieving this?
> >
> > Cheers
> >
> > George
> >
> > --
> > PHP Windows Mailing List (http://www.php.net/) To unsubscribe, visit:
> > http://www.php.net/unsub.php
> >
> > --
> > PHP Windows Mailing List (http://www.php.net/)
> > To unsubscribe, visit: http://www.php.net/unsub.php
> >
> >
>
> --
> PHP Windows Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>
>
--
PHP Windows Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
