RE: [PHP-WIN] Passing +, =, - at post and get

Svensson, B.A.T. (HKG) Thu, 20 May 2004 07:48:17 -0700

In your second if you do a count on the occurence of a character,
but don't use the result, why not use strpos() directly?


Also if you just want to replace a single char with another
single char, then you might like to do like this:

  $String = implode(explode($String, $OldChar), $NewChar);



-----Original Message-----
From: George Pitcher
To: [EMAIL PROTECTED]
Sent: 20-5-2004 15:43
Subject: RE: [PHP-WIN] Passing +, =, - at post and get

And doing a bit more, I find that '=' and '-' are passing through OK so
I'll
need to train my users to use an alternative to '+'.

The choking seems to be with my parsing function, which I have pasted in
below:
=================================================
function sql_fltr($sql,$field,$input){
        if(strlen($input)>0){
                if( substr_count($input,"=")>0 | substr_count($input,"
-")>0 |
substr_count($input," +")>0 ){
                        $output = "";
                        $temp = str_replace(" -","|-",(str_replace("
-","|-",($input))));
                        $temp = explode("|",$temp);
                        for ($i = 0; $i <= sizeof($temp); $i++){
                                if (substr($temp[$i],0,1)=="*"){
                                        $temp[$i] = $field." like
'".rtrim(str_replace("*","%",$temp[$i]))."%'";
                                        $output.= $temp[$i]."|";
                                } elseif (substr($temp[$i],0,1)=="-"){
                                        $temp[$i] = " and ".$field." not
like
'".rtrim(str_replace("*","%",$temp[$i]))."'";
                                        $output.= $temp[$i]."|";
                                } elseif (substr($temp[$i],0,1)=="="){
                                        $temp[$i] = " and
".$field."='".rtrim(str_replace("=","",$temp[$i]))."'";
                                        $output.= $temp[$i]."|";
                                } elseif (substr($temp[$i],0,1)!="+" &&
substr($temp[$i],0,1)!="-"&&substr($temp[$i],0,1)!="*" &&
substr($temp[$i],0,1)!="="){
                                        $temp[$i] = "and ".$field." like
'%".rtrim(str_replace("=","",$temp[$i]))."'";
                                        $output.= $temp[$i]."|";
                                } else {
                                        $temp[$i] = "
".$field."='".rtrim($temp[$i])."'";
                                        $output.= $temp[$i]."|";
                                }
                        }
                        $output = " AND
".substr($output,0,strlen($output)-1);
                } else {
                        $temp = $input;
                        if (substr($temp,0,1)=="*"){
                                $temp = $field." like
'".rtrim(str_replace("*","%",$temp))."'";
                        } elseif (substr($temp,0,1)=="-"){
                                $temp = $field." not like
'".rtrim(str_replace("*","%",$temp))."'";
                        } elseif (substr($temp,0,1)=="="){
                                $temp =
$field."='".rtrim(str_replace("=","",$temp))."'";
                        } elseif (substr($temp,0,1)!="+" &&
substr($temp,0,1)!="-"&&substr($temp,0,1)!="*" &&
substr($temp,0,1)!="="){
                                $temp = $field." like
'%".rtrim(str_replace("=","",$temp))."'";
                        } else {
                                $temp = $field."='".rtrim($temp)."'";
                        }
                        $output = " AND ".$temp;
                }
        } else {
                $output = "";
        }
        return $output;
}
=================================================
This works fine if the user has eneterd either no control or the *
wildcared
with the criteria.

Any suggestions?

Cheers

George


> -----Original Message-----
> From: George Pitcher [mailto:[EMAIL PROTECTED]
> Sent: 20 May 2004 2:33 pm
> To: [EMAIL PROTECTED]
> Subject: RE: [PHP-WIN] Passing +, =, - at post and get
>
>
> Charles,
>
> No way! This site will only have about 3-4 users as its an
> intranet and I'll
> be parsing everything at the server end.
>
> George
>
>
> > -----Original Message-----
> > From: Charles P. Killmer [mailto:[EMAIL PROTECTED]
> > Sent: 20 May 2004 2:31 pm
> > To: [EMAIL PROTECTED]
> > Subject: RE: [PHP-WIN] Passing +, =, - at post and get
> >
> >
> >  I hope you are not allowing the client to send T-SQL through the
query
> > string.  Consider them sending something like
> > File.php?Query='; drop table XXX; --
> >
> > Charles Killmer
> >
> > -----Original Message-----
> > From: George Pitcher [mailto:[EMAIL PROTECTED]
> > Sent: Thursday, May 20, 2004 8:25 AM
> > To: [EMAIL PROTECTED]
> > Subject: [PHP-WIN] Passing +, =, - at post and get
> >
> > Hi,
> >
> > I want to be able to pass the '=', '+' and '-' characters both from
a
> > web form and as part of a url, to enable a better way of searching.
> > However, these characters are choking my IIS webserver and not
getting
> > through to the script.
> >
> > Can anyone suggest a better way of achieving this?
> >
> > Cheers
> >
> > George
> >
> > --
> > PHP Windows Mailing List (http://www.php.net/) To unsubscribe,
visit:
> > http://www.php.net/unsub.php
> >
> > --
> > PHP Windows Mailing List (http://www.php.net/)
> > To unsubscribe, visit: http://www.php.net/unsub.php
> >
> >
>
> --
> PHP Windows Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>
>

-- 
PHP Windows Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

-- 
PHP Windows Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

RE: [PHP-WIN] Passing +, =, - at post and get

Reply via email to