Hello guys,

 

I assume my problem is pretty simple for you guys, so I'm here after much battling trying to create my own.

 

I'm developing a PHP page where I can run MySQL queries on my database from my site through a textarea box. I want to restrict the queries to perform only SELECT queries, therefore I need a script that will detect words in my query such as DELETE, UPDATE and INSERT. If any of these words are detected in the query, it will not perform it. I have the page working fine right now. It retrieves from my database. I just need a script to restrict it.

 

Thanks.

That's what I'm getting as well.

 

First you need to build a list of keywords you don't want to allow.

 

Then either use preg_match or stripos (case-insensitive string matching) to find those keywords.

 

But the first step is building your list of disallowed keywords.

Something along the lines of:

 


$words = Array('UPDATE', 'DELETE', 'INSERT', 'TRUNCATE', 'CONCAT'); // add your words to the list..

foreach ($words AS $word) {

    if (stristr($in, $word)) {

        die('Sorry, the words you inputted have been detected as a potential threat to the database and have therefore been disallowed. Sorry for any inconvenience');

    } else {
        die('Thank you, your input was clean');
    }
}

 

Sam


Hi Helraizer,

    I tried your script and it doesn't quite work. It works for the first word 'Update', but when using 'Delete' or another word, it says "thank you, your input was clean".

 

I have not yet made it work with my database. This is my script so far; maybe you can refine it for me.

...

 

<form name="form" method="get" action="<?php echo htmlspecialchars($_SERVER['PHP_SELF']); ?>">

Open query: <br />

<textarea name="query" rows="10" cols="60"></textarea>

<br />

<input type="submit" name="search" value="Search" />

<input type="reset" value="Clear" />

</form>

 


<!-- Form Script Start -->
<?php
$query = isset($_GET['query']) ? $_GET['query'] : ''; // the submitted query text
$trim  = trim($query);                                 // strip surrounding whitespace

if ($trim == "")
{
    // covers an empty box and a box containing only whitespace
    echo "<p>Please enter your query before submitting!</p>";
}
else
{
    $words = Array('UPDATE', 'DELETE', 'INSERT', 'TRUNCATE', 'CONCAT'); // add your words to the list..
    foreach ($words AS $word)
    {
        if (stristr($trim, $word))
        {
            die('Sorry, the query you submitted has been detected as a potential threat to the database and has therefore been disallowed.');
        }
    }
    // Only reached when none of the listed words matched.
    echo 'Thank you, your input was clean';
    // This is where I will connect to my database and run my query and have my output in the same page.
}
?>

Hmm.. Ok, sorry about that, that last bit of code didn't work so this one will.

 

<?php

/**
* @author Samuel Boulton
* @copyright 2008
*/

if (isset($_POST['submit']))
{
    $in = isset($_POST['te']) ? $_POST['te'] : ''; // the textarea input

    $words = Array('UPDATE', 'DELETE', 'INSERT', 'TRUNCATE', 'CONCAT');

    foreach ($words AS $word) {
        // remove every occurrence of the word, whatever its case
        $in = preg_replace("/" . preg_quote($word, '/') . "/i", "", $in);
    }
}

?>

 

That now means that when a word like delete, DELETE, DeLEtE (any case) appears, it will be replaced with nothing, so it will be left out of the message completely.

 

 

So DELETE * FROM will just be * FROM

 

Sam
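An added example, not code from any poster in this thread: instead of a blocklist of words (which the posts above show is easy to get wrong, and which also strips harmless text such as a column called `inserted_at`), check the shape of the statement with an allowlist and let through only a single SELECT. The function name, the comment-stripping rules and the sample inputs are assumptions made for this illustration.

```php
<?php
// Added example, not from any poster in this thread. Allowlist check:
// the submitted text must be exactly one SELECT statement.
// Function name, comment rules and samples below are assumptions.

function isReadOnlySelect(string $sql): bool
{
    // Remove comments first so a keyword cannot be hidden inside one.
    // MySQL treats "/* ... */", "# ..." and "-- " (dash dash space) as comments.
    $clean = preg_replace('~/\*.*?\*/~s', ' ', $sql);
    $clean = preg_replace('~(?:#|--(?=\s|$))[^\r\n]*~', ' ', $clean);
    // Collapse runs of whitespace so the pattern checks below stay simple.
    $clean = trim(preg_replace('/\s+/', ' ', $clean));
    if ($clean === '') {
        return false;
    }
    // One trailing semicolon is fine; any other semicolon means a second
    // statement was appended, which is no longer a plain SELECT.
    $clean = rtrim($clean, ';');
    if (strpos($clean, ';') !== false) {
        return false;
    }
    // The statement must begin with SELECT, in any case, followed by whitespace.
    if (!preg_match('/^SELECT\s/i', $clean)) {
        return false;
    }
    // "SELECT ... INTO" stores the result in variables or a file, so it is
    // not read-only either. This also rejects the word inside a string
    // literal; for this use case a false rejection is the safe direction.
    if (preg_match('/\bINTO\b/i', $clean)) {
        return false;
    }
    return true;
}

// Constructed sample inputs for a quick self-check (not queries from the thread).
$samples = [
    'SELECT id, name FROM users WHERE id = 5',
    'select * from users; -- trailing comment',
    'DELETE FROM users',
    'SELECT * FROM users; UPDATE users SET name = \'x\'',
    'SELECT 1 INTO @x',
    '/* update */ SELECT 1',
];
foreach ($samples as $sql) {
    printf("%-50s %s\n", $sql, isReadOnlySelect($sql) ? 'allowed' : 'rejected');
}
?>
```

The first, second and last samples are allowed; the other three are rejected. Treat this as a guard in front of the database, not as the only control: MySQL has syntax a regular expression does not fully model (for example, versioned `/*! ... */` comments are executed rather than ignored), so the page should connect with a database account that holds only the SELECT privilege, e.g. `GRANT SELECT ON mydb.* TO 'reporter'@'localhost';`, so that a statement which slips past the check still cannot modify data.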
