Everything posted by Petsmacker

  1. Thank you very much for your responses, I will definitely look further into your suggestions.
  2. Hey there, I need to make it impossible for anyone to load up a PHP page on my site directly in their browser. It should only be allowed to be 'included' by PHP using the include() function. It also needs to be picked at by a few AJAX scripts. Is there a secure way of doing this without htaccess scripts? Such as CHMOD? Any help would be appreciated.
  3. Fixed the problem, it was to simply remove the apostrophes and full stops around the variables.
      $replace_true = '<strong>PM to $1:</strong><div style="margin:0px 10px;overflow:auto;color:#000000;font-size:8pt;line-height:10pt;padding:5px;background-color:#FFFF99;border:3px solid #A6A6A6;width:93%;"><b>$2</b></div>';
      Huge thank you kratsg.
  4. Thank you for your help and I can see what you're doing here. However, I get this error:
      Parse error: syntax error, unexpected T_DNUMBER, expecting T_VARIABLE or '$' in /home/sites/**********/**********/***.php on line 66
      Line 66:
      <?php $replace_true = '<strong>PM to '.$1.':</strong><div style="margin:0px 10px;overflow:auto;color:#000000;font-size:8pt;line-height:10pt;padding:5px;background-color:#FFFF99;border:3px solid #A6A6A6;width:93%;"><b>'.$2.'</b></div>'; ?>
  5. Basically what I'm trying to do is a mini-PM system in a Forum where people could write a post such as: Now, everyone else would see 'This is my post' but only I (petsmacker), would see that whoever posted that message loves me. Here is the offending part of my code so far.
      <?php
      $patterns = array(
          '`\[PM=(.+?)\](.+?)\[/PM\]`is',
      );
      $replaces = array(
          '<strong>PM to \1:</strong><div style="margin:0px 10px;overflow:auto;color:#000000;font-size:8pt;line-height:10pt;padding:5px;background-color:#FFFF99;border:3px solid #A6A6A6;width:93%;"><b>\2</b></div>',
      );
      if ($patterns[0][0] == $realname){
          $string = preg_replace($patterns, $replaces , $string);
      }
      ?>
      $realname is the username variable - which works. My main thoughts regard the $patterns[0][0] part, my knowledge of arrays and regex is woeful, how could I get it so that it extracts the username they've written, in order for it to be compared?
  6. I'm sorry, I did say I was terrible with Regex, I tried to implement some of the techniques on the thread and change the tags but kept going wrong. As a general update my script so far has got to this: $tbhgcode1 = preg_replace("[\](.*?)]", "]", $tbhgcode1);
  7. I'm trying to get a piece of code to remove any parts of it that are not contained within brackets like these [ ] I'm terrible at REGEX and have put this together from random other bits of REGEX around my site.
      $tbhgcode1=preg_replace("/\[(.*?)\]/is" ,"" ,$tbhgcode1);
      Basically what I need it to do is the opposite of what it does now, it needs to remove the bits that AREN'T in the brackets. Can you help?
  8. Doesn't work (And I did change the variable at the end of the example you gave to $tt)
  9. Fert, your solution almost works
      $tt="http://www.tbhg.co.uk/forum/thread.php?t=8&page=100";
      $url=preg_replace("/&page=[0-9]/","",$tt);
      echo "$tt<br>$url";
      Comes out as:
      http://www.tbhg.co.uk/forum/thread.php?t=8&page=166
      http://www.tbhg.co.uk/forum/thread.php?t=866
      It only removes the first number, the problem being that the page number could be anything to infinity.
  10. What I'm trying to do is turn a URL like this: http://www.blabla.com/file.php?t=5&y=4&page=1 Into: http://www.blabla.com/file.php?t=5&y=4 The URL will be in a string. I want the entire 'page' variable removed from the URL. Bear in mind the page variable could be anywhere in the URL. How could this be done? Hope you can help.
  11. Heck, I wish it was possible to edit posts on here. I've managed to fix my own problem in my own script by changing $chunks = explode(" ", $postedmessage); to $chunks = explode(" ", nl2br($postedmessage)); === However, my way of doing it is reaaaally bad, I hope someone can answer my original question with an answer that doesn't use so much server brains.
  12. How could I then get it to stop the loop if an offending word was found
      And then turn the offending word into a variable?
      ------------------------------
      I've worked a little on my original script, it sorts the problem of spaces and punctuation besides real swear words, my only problem now is line breaks. If I write [quote]My name is ass[/quote] It would find it fine and stop it. However if I write it like this: [quote]My name is ass[/quote] Then it doesn't, it sees the word as 'isass'...anyone know how to fix that? Script in question:
      [code]<?php
      $chunks = explode(" ", $postedmessage);
      $chunks = preg_replace('~[^a-zA-Z]~', '', $chunks);
      $countarr=count($chunks);$c=0;
      while ($c < $countarr){
          $cuss=mysql_query("SELECT word FROM swearwords");
          $num8=mysql_numrows($cuss);$i8=0;
          while ($i8 < $num8) {
              $word=mysql_result($cuss,$i8,"word");
              if ($chunks[$c] == $word){$c=$countarr;$i8=$num8;$theword=$word;$countsws=1;} // Halts everything and alerts filter with $countsws as 1
              ++$i8;}
          ++$c;}?>[/code]
      -----------
      If you/anybody could answer either of my questions it'd be really great!
  13. The idea had gone through my mind but if somebody wrote something like: 'Petsmacker is an ass.' It wouldn't block it because the word 'ass' was next to a full stop. This also happens if somebody JUST wrote the word 'ass' on a post and then submitted.
  14. You're telling me that of all the advanced problems people post on these forums, this one has no solvable solution?
  15. I'm trying to work on a posting system for my members but obviously want to be able to filter obscenities. My problem is that the word 'ass' is a word I'd want to block. However if I say 'assess' - my filter would incorrectly block it. I need help to create a filter that filters the EXACT word. I've found plenty of others on the net that don't do that and just do something like '***ess' (ass) and '****ake' (shit) Here's my script in progress (yes it's basic but bear with me):
      [code]<?php
      $cuss=mysql_query("SELECT word FROM swearwords");
      $num8=mysql_numrows($cuss);$i8=0;
      while ($i8 < $num8) {
          $word=mysql_result($cuss,$i8,"word");
          $countsws=substr_count(strtolower($postedmessage), strtolower($word));
          if ($countsws > 0){$i8=$num8;$theword=$word;} // Halts loop and grabs swear word in $theword variable
          ++$i8;}?>[/code]
      How can I get it to block the word and ONLY the word?
  16. I'm trying to get multiple rows in my database to update using a loop. I send the info through this form:
      [code]<form method="POST" style="margin-bottom:0;" action="staffinfo.php?do=updateallinfo">
      <?php
      $result9998=mysql_query("SELECT * FROM staff_info");
      $num9998=mysql_numrows($result9998);
      $i=0;$no="1";
      while ($i < $num9998) {
          $si_id=mysql_result($result9998,$i,"id");
          $si_name=mysql_result($result9998,$i,"name");
          $si_info=mysql_result($result9998,$i,"info");
          $si_order=mysql_result($result9998,$i,"order");
      ?>
      <tr>
      <td valign="top"><center><input type="text" name="si_name<?echo "$no"; ?>" size="10" maxlength="20" value="<?echo "$si_name"; ?>"></center></td>
      <td valign="top"><center><input type="text" name="si_order<?echo "$no"; ?>" size="2" maxlength="2" value="<?echo "$si_order"; ?>"></center></td>
      <td><center><textarea name="si_info<?echo "$no"; ?>" cols=44 rows=6><?echo "$si_info"; ?></textarea></center></td>
      </tr>
      <?$no=$no+1;?>
      <?++$i;}?>
      </table><br><input type="submit" value="Submit"></form>[/code]
      Then on the 'do=updateallinfo' page:
      [code]
      <?php
      $r=1;
      while ($r < $si_counttot){
          $yourname=preg_replace("/(<[^>]+>)|[^\w-]+/","",$_POST['si_name$r']);
          $yourinfo=trim(addslashes(strip_tags($_POST['si_info$r'])));
          $yourorder=ereg("^[0-9]+$", $_POST['si_order$r']);
          $updateit=mysql_query("UPDATE staff_info SET info='$yourinfo', name='$yourname', order='$yourorder' WHERE name='$yourname'");
          ++$r;}
      header ("location: $ref");exit();?>[/code]
      You may or may not see what I'm trying to do, I'm no good at working with arrays but I felt that in theory, this should work. It doesn't. If I echo '$_POST['si_name4'] for example, it does echo the correct value. However when I echo '$yourname' the value disappears - this is the case for the other variables too. Please help me, I don't know why the variables aren't passing to $yourname, $yourinfo and $yourorder. Hope you can help.
  17. Alright, my host automatically adds \'s to posts too but I don't know if my original question has been answered. If someone was to add: ' OR ''=' Into a password field like it says in my 2nd post, would it pose a threat - would it pose a threat with the original script I posted? Or should I change it to the way you have yours? Would it make a difference?
  18. I don't really want to have to automatically edit what my members post simply because they may be a threat. If somebody for whatever reason did want to post: \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\'content\\\\\\\\\\\\\\\\\\, then it would come out like that but of course, I still don't want my site to be threatened. There must be a way for posts to come out whole and good - even with protection added on. I found this script:
      function quote_smart($value) {
          if( is_array($value) ) {
              return array_map("quote_smart", $value);
          } else {
              if( get_magic_quotes_gpc() ) {
                  $value = stripslashes($value);
              }
              if( $value == '' ) {
                  $value = 'NULL';
              }
              if( !is_numeric($value) || $value[0] == '0' ) {
                  $value = "'".mysql_real_escape_string($value)."'";
              }
              return $value;
          }
      }
      Do you think if I changed the :
      [i]if( count( $_GET ) > 0 ){stripslashes_gpc( $_GET );}
      if( count( $_POST ) > 0 ){stripslashes_gpc( $_POST );}
      if( count( $_COOKIE ) > 0 ){stripslashes_gpc( $_COOKIE );}[/i]
      To:
      [i]if( count( $_GET ) > 0 ){quote_smart( $_GET );}[/i]
      ...and so on - would it work?
  19. And that completely stops SQL Injections? One example on PHP.net was this:
      $query = "SELECT * FROM users WHERE user='{$_POST['username']}' AND password='{$_POST['password']}'";
      mysql_query($query);
      // We didn't check $_POST['password'], it could be anything the user wanted! For example:
      $_POST['username'] = 'aidan';
      $_POST['password'] = "' OR ''='";
      SELECT * FROM users WHERE user='aidan' AND password='' OR ''=''
      Which would allow anybody to login without a password. (Though I'm thinking about this in terms of creating my own forum) - So something like the above couldn't happen with your code?
  20. Hey, I'm almost certain my site has a few security holes and have begun work trying to patch them up - one way is by preventing SQL Injections. The PHP.net site recommends this kind of strategy:
      [code]<?
      if (!is_numeric($value)) {
          $value = "'" . mysql_real_escape_string($value) . "'";
      }?>[/code]
      This is a PHP file included on every page of my site:
      [code]<?
      function stripslashes_gpc( &$var ){
          while( list( $key, $value ) = each( $var ) ){
              if( is_array( $var[$key] ) ){
                  stripslashes_gpc( $var[$key] );
              } else {
                  $var[$key] = stripslashes( $value );
              }
          }
          reset( $var );
      }
      if( count( $_GET ) > 0 ){stripslashes_gpc( $_GET );}
      if( count( $_POST ) > 0 ){stripslashes_gpc( $_POST );}
      if( count( $_COOKIE ) > 0 ){stripslashes_gpc( $_COOKIE );}
      ?>[/code]
      How could I possibly implement the above code into this file so that $_GET, $_POST and $_COOKIE variables are protected. Is there any way of doing this - by only editing this or a few files rather than systematically going through every page on my site and editing them?
  21. You legend. That's exactly what I was asking for, perfectisimo. Have got it going now. Thank you!
  22. Right, thanks...think I'll do a bit of work with some IF statements and see what I come out with.
  23. The layout of my database doesn't work like that, if it did I really wouldn't have a problem. Each user in their row of the database has what team they're in and how many points they've personally earnt this month. This is then tallied up for each person in each team to come to the team totals. So I can't do it that way. And plus, even if I did do it in descending order, it would allow team positions such as 1,2,3,3 if two teams had the same amount of points.
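
The login query quoted in post 19, and the question in post 20 about protecting every request variable in one place, both come down to how the query is built. As an added example (not code from the original posts or from PHP.net): a prepared statement binds the submitted values as data at the query itself, so no global escaping pass over $_GET, $_POST and $_COOKIE is needed. The table, the account and the password are constructed, and an in-memory SQLite database through PDO stands in for the poster's MySQL setup.

```php
<?php
// Added example: constructed table and credentials, in-memory SQLite via PDO.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (user TEXT PRIMARY KEY, password_hash TEXT NOT NULL)');

// Store a hash of the password, never the password itself.
$ins = $db->prepare('INSERT INTO users (user, password_hash) VALUES (?, ?)');
$ins->execute(['aidan', password_hash('constructed-sample-pw', PASSWORD_DEFAULT)]);

// "Before": the string-built query from post 19, kept only for comparison.
function build_concatenated_query(string $user, string $password): string
{
    return "SELECT * FROM users WHERE user='$user' AND password='$password'";
}

// "After": the input is bound as data, so quotes in it cannot alter the SQL.
function check_login(PDO $db, string $user, string $password): bool
{
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE user = :user');
    $stmt->execute([':user' => $user]);
    $hash = $stmt->fetchColumn();   // false when no row matched
    return is_string($hash) && password_verify($password, $hash);
}

$quoted = "' OR ''='";   // the password value quoted in post 19

// The concatenated form lets the value rewrite the WHERE clause.
echo build_concatenated_query('aidan', $quoted), "\n";

// The bound form treats the same value as an ordinary (wrong) password.
var_dump(check_login($db, 'aidan', $quoted));
var_dump(check_login($db, 'aidan', 'constructed-sample-pw'));
var_dump(check_login($db, $quoted, $quoted));
```

Because the values are never spliced into the SQL text, posts containing backslashes or quotes are stored exactly as written, which is the behaviour asked for in post 18.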