AshlynnJ Posted May 8, 2017 (edited)

I am trying to set up the register form to check banned words, to help block spammers or fake accounts. But it only sees lowercase; it will only see the capitalized word if I add it to the list too, e.g. admin, Admin. Not sure how to add it so it will check the word for lowercase and caps without adding 2 of every word. Here is what I have, sorry if it's messy, I'm still learning.

    //ignore this, was trying to load it from a file not like below :/
    $bannedtext = file_get_contents("../files/bannedwords.txt");

    $bannedwords = array("/admin/", "/Admin/", "/administrator/", "/moderator/", "/Administrator/", "/Moderator/",
        "/creditcard/", "/Creditcard/", "/employment/", "/Employment/", "/support/", "/Support/",
        "/clearance/", "/Clearance/", "/investment/", "/Investment/", "/gift/", "/Gift/",
        "/certificate/", "/Certificate/", "/nigerian /", "/Nigerian /", "/prince/", "/Prince/",
        "/congratulations/", "/Congratulations/", "/sales/", "/Sales/", "/director/", "/Director/",
        "/owner/", "/Owner/");

    if($_POST['userid'] == preg_replace($bannedwords, "", $userid)) {
        $idok = 1;
    } else {
        //smarty reject
        $is_error = 1;
        $error_message = "username contains a banned word!";
    }

It works fine, but it will skip the cap word Admin if it's not listed as a cap... Not sure how to optimize it, any help would be great! Thanx in advance to all ya, jk

Edited May 8, 2017 by AshlynnJ
dkub Posted May 8, 2017

Use the i (case insensitive) modifier.

http://php.net/manual/en/function.preg-replace.php
http://php.net/manual/en/reference.pcre.pattern.modifiers.php
http://www.phpliveregex.com/p/k1P
Jacques1 Posted May 8, 2017

First the usual disclaimer: Blacklists are naive and unlikely to stop actual attackers. If you think you've covered every possible term, they'll come up with a new trick. For example, "ADMlN" with a small "L" instead of the "I" looks like an uppercase "admin", but it will pass your filter. In case you allow Unicode names, things are even worse, because there are countless letter variations all looking alike.

A much better approach is to solve the underlying problem. For example, if you're worried that other users may get deceived by somebody with the name "admin", then make sure regular users and actual administrators are easy to distinguish visually. On this forum, admins have red badges, so the risk of confusion is rather low.

If you don't care about effectiveness and absolutely want your blacklist, then it doesn't make much sense to fire up the regex engine for a few substring checks. PHP itself can do that just fine: stripos() performs a case-insensitive substring search.
AshlynnJ (Author) Posted May 8, 2017 (edited)

> Use the i (case insensitive) modifier.
> http://php.net/manual/en/function.preg-replace.php
> http://php.net/manual/en/reference.pcre.pattern.modifiers.php
> http://www.phpliveregex.com/p/k1P

I just tried it but it did not work; did I place it wrong? Or am I missing a symbol? I did a Google search for the phrase.

    if($_POST['userid'] == preg_replace($bannedwords, "#i", $userid)) {

> First the usual disclaimer: Blacklists are naive and unlikely to stop actual attackers. If you think you've covered every possible term, they'll come up with a new trick. For example, "ADMlN" with a small "L" instead of the "I" looks like an uppercase "admin", but it will pass your filter. In case you allow Unicode names, things are even worse, because there are countless letter variations all looking alike.
>
> A much better approach is to solve the underlying problem. For example, if you're worried that other users may get deceived by somebody with the name "admin", then make sure regular users and actual administrators are easy to distinguish visually. On this forum, admins have red badges, so the risk of confusion is rather low.
>
> If you don't care about effectiveness and absolutely want your blacklist, then it doesn't make much sense to fire up the regex engine for a few substring checks. PHP itself can do that just fine: stripos() performs a case-insensitive substring search.

Yes, I already have it set up in the profile, mail, chat, comments/replies, so that users show (normal user TAG), and admins/mods show (Golden Border) around their avatars + the (Special User TAG). I just want to make it harder for somebody to cheat the system and try to scam my users. My friend tried using her PaintShop X14 to mimic it, but it always looked fake, came out "smaller fake border around it" and still normal user tag under the cheat avatar. So I think it's the best I can offer my users for now.

I also just added a [Report Fake User] option under the avatars for extra prevention. I also made like 40 pages of help docs talking about how to tell, but ya know ppl. Reading? Pfft, as if lol.

Edited May 8, 2017 by AshlynnJ
AshlynnJ (Author) Posted May 8, 2017 (edited)

Could not edit post... I hate that. But I found that if I modify the actual words, it will match upper and lower. Weird, I thought it had to be in the post check; I'm still learning, but is this OK to do? And the best way?

    $bannedwords = array("/admin/i", "/administrator/i", "/moderator/i", "/creditcard/i"

and so on. It seems to work fine, but I wanted to ask if it's OK, and the best way to do it like that. And to Jacques1, thanx for the heads up. I also added new phrases:

    "/admin/i", "/admln/i", "/admîn/i", "/admïn/i", "/admìn/i"

and so on. So now even admìn_ shows as a banned word.

Edited May 8, 2017 by AshlynnJ
Jacques1 Posted May 8, 2017

> and the best way?

No. Re-read the part about how it's nonsensical to use full-blown regular expressions for trivial substring checks.
Psycho Posted May 8, 2017

> No. Re-read the part about how it's nonsensical to use full-blown regular expressions for trivial substring checks.

Agree with Jacques1 (especially his first post). But, if you are adamant on doing this, do not use regular expressions. You can use stripos() as Jacques suggested. But, you have to also consider whether a "banned" word could exist within a word that is not banned. E.g., what if a user wanted the User ID "MadMinute" (a firearm term)?
Jacques1 Posted May 8, 2017

> so on. so now even admìn_ shows as banned word.

But not “admín” or “admi̊n”. And if you add those, I'll come up with something else. Do you understand now what I mean when I say that blacklists are stupid?
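An added example, not code from this thread or from any poster, that puts the three points above into one check: Jacques1's stripos() suggestion instead of a regex array, Psycho's "MadMinute" false-positive, and the accented/combining-mark lookalikes Jacques1 lists. It folds the candidate name to a comparison key (Unicode NFD decomposition, combining marks removed, lowercased) and then offers an exact-match and a substring-match variant so the trade-off is visible. The reserved-name list, the function names and the sample inputs are constructed for the example; it assumes PHP 7.1+ with the mbstring and intl extensions (for the Normalizer class).

```php
<?php
// Added example, not from the thread: reserved-name check with case and
// accent folding, in exact-match and substring (stripos) variants.
// Assumes PHP 7.1+ with mbstring and intl (Normalizer) available.
declare(strict_types=1);

// Constructed list for the example; a real site would load it from config.
const RESERVED_NAMES = ['admin', 'administrator', 'moderator', 'support'];

/**
 * Reduce a name to a comparison key: NFD decomposition, drop combining
 * marks (so "admìn" and "admi̊n" both become "admin"), then lowercase.
 * Letter substitutions such as "admln" (small L for I) are NOT caught,
 * which is exactly Jacques1's point about blacklists never being complete.
 */
function name_key(string $name): string
{
    $decomposed = Normalizer::normalize($name, Normalizer::FORM_D);
    if ($decomposed === false) {
        $decomposed = $name;          // not valid UTF-8: compare as-is
    }
    $stripped = preg_replace('/\p{Mn}+/u', '', $decomposed);
    if ($stripped === null) {
        $stripped = $decomposed;      // PCRE error: compare as-is
    }
    return mb_strtolower($stripped, 'UTF-8');
}

/** Exact match against the reserved list. "MadMinute" and "admin_" pass. */
function is_reserved_name(string $candidate): bool
{
    return in_array(name_key($candidate), RESERVED_NAMES, true);
}

/**
 * Substring match via stripos(), as Jacques1 suggested. Returns the term
 * that matched, or null. Note that this rejects "MadMinute" because it
 * contains "admin" (Psycho's objection).
 */
function reserved_term_in(string $candidate): ?string
{
    $key = name_key($candidate);
    foreach (RESERVED_NAMES as $term) {
        if (stripos($key, $term) !== false) {
            return $term;
        }
    }
    return null;
}

// Constructed inputs taken from the discussion above.
$samples = ['admin', 'Admin', 'admìn', "admi\u{30A}n", 'admìn_', 'MadMinute', 'ADMlN'];
foreach ($samples as $name) {
    printf("%-12s exact=%-8s substring=%s\n",
        $name,
        is_reserved_name($name) ? 'reserved' : 'ok',
        reserved_term_in($name) ?? 'ok');
}
```

Running it shows "admin", "Admin", "admìn" and "admi̊n" all rejected by both variants; "admìn_" rejected only by the substring variant; "MadMinute" wrongly rejected by the substring variant and accepted by the exact one; and "ADMlN" accepted by both, since no amount of normalisation turns a lowercase L into an I. For a registration form, the exact-match variant over a short list of genuinely reserved names (plus the visual badge distinction Jacques1 describes) gives far fewer false positives than substring matching over a long word list.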
fatkatie Posted May 8, 2017

    $black = strtoupper("|badguy|corn|boat|");
    $needle = '|' . strtoupper($needle) . '|';
    if (strpos($black, $needle) !== false) ...

Unless black is huge, this should be fast and reliable. (php calls may be wrong)
AshlynnJ (Author) Posted May 8, 2017

> Agree with Jacques1 (especially his first post). But, if you are adamant on doing this, do not use regular expressions. You can use stripos() as Jacques suggested. But, you have to also consider whether a "banned" word could exist within a word that is not banned. E.g., what if a user wanted the User ID "MadMinute" (a firearm term)?

I will look into stripos(); I am waiting for several books from Amazon to arrive. I have not posted it "live" with it in there, but I still want to block the main account words. So I created 6 inactive accounts, to not block a new username that might have it in there. It checks the users to see if it exists on signup, so at least they cannot use those exact names again.

> But not “admín” or “admi̊n”. And if you add those, I'll come up with something else. Do you understand now what I mean when I say that blacklists are stupid?

I don't think trying to protect ppl is stupid; I am just trying to figure out the best way to go about it, to have a better user experience. But maybe a new, different way is better. I will figure something out, thanx. At least I got it to show normal users and special users. It was confusing before; myself and the mods all had normal usernames, I like hiding in the comments XD. It may prevent some of these parasites from taking advantage of ppl... showing them as a normal user no matter what their username is.