strpos



lmh85
Forum Commoner
Posts: 49
Joined: Sat Oct 28, 2006 10:49 am

strpos

Post by lmh85 »

Hi everyone.. :)

I am stuck with my problems on the strpos() function.

Code:

function sqlInject($phrase){
    $ban = array("1"=>"DELETE FROM","2"=>"INSERT INTO","3"=>"LOAD DATA","4"=>"TRUNCATE TABLE");

    $phrase = strtoupper($phrase);
    $countBan = count($ban);
    $numOfBans = 0;

    for($i=1;$i<=$countBan;$i++){
        $pos = strpos($phrase,$ban[$i]);
        if($pos === true){
            $numOfBans = 1;
        }
    }
    return $numOfBans;
}
The above is one of the functions used to do a little detection of any SQL injections.
I had tried validating this function by using a print line, but it kept showing 0 (numOfBans) when I had
entered one or more of the array contents.

Please help! Thanks a million! :bow:

If you do have any good ways to prevent SQL injection, please do post too!

Thanks again!

Post by lmh85 »

Hi TheMoose,

Thank you so much for replying.

Yes, supposedly it's searching for needles in a haystack.

$phrase is the $Haystack and $ban are the $needles.

Anything wrong anywhere? *scratch head* :(
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

strpos() doesn't return boolean true, it returns the position.
TheMoose
Forum Contributor
Posts: 351
Joined: Tue May 23, 2006 10:42 am

Post by TheMoose »

I misread some of your stuff, so I deleted my reply because it was wrong.

Post by lmh85 »

Thanks so much for the help!!

So, if it doesn't find any of the needles in the haystack, is it supposed to return -1 for $pos?

i tried using

Code:

if($pos >= 0){
    $numOfBans = 1;
}
and it always returns 1, even if I enter "SELECT FROM", which is not in the array.

help!

Any help is very much appreciated! Thanks in advance!
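Added example (not code from the thread) illustrating feyd's point above and why the `>= 0` test in the previous post always fires: strpos() returns the integer offset of the needle (0 when it sits at the very start) or boolean false when it is absent, never true and never -1. The three comparisons are run side by side, followed by a corrected version of the original loop. The function names and the sample strings are constructed for this example.

```php
<?php
// Added example: what strpos() actually returns and which comparison tests it.
// Runs on PHP 7 and PHP 8.

// Returns the raw strpos() result and the outcome of three candidate checks
// for one haystack/needle pair, so the wrong checks can be seen next to the
// right one.
function checkNeedle(string $haystack, string $needle): array
{
    $pos = strpos($haystack, $needle);

    return [
        'pos'       => $pos,               // int offset, or false when not found
        'eq_true'   => ($pos === true),    // never true: strpos() never returns bool true
        'ge_zero'   => ($pos >= 0),        // always true: false compares equal to 0
        'not_false' => ($pos !== false),   // the correct "found" test
    ];
}

// Corrected version of the loop from the first post: one hit is enough, and
// the test is "!== false", not "=== true". strtoupper() is kept so the needles
// in $ban can stay upper case; stripos() would remove the need for it.
function containsBanned(string $phrase, array $ban): bool
{
    $phrase = strtoupper($phrase);
    foreach ($ban as $needle) {
        if (strpos($phrase, $needle) !== false) {
            return true;
        }
    }
    return false;
}

// Constructed sample inputs.
$cases = [
    // needle at offset 0: $pos is int(0), which is falsy, so "if ($pos)" would also miss it
    ['DELETE FROM users',   'DELETE FROM'],
    // needle in the middle: $pos is int(6)
    ['x=1;  DELETE FROM t', 'DELETE FROM'],
    // no needle: $pos is false, not -1
    ['SELECT FROM users',   'DELETE FROM'],
];

foreach ($cases as [$haystack, $needle]) {
    $r = checkNeedle($haystack, $needle);
    printf("%-22s pos=%-6s ===true:%-6s >=0:%-5s !==false:%s\n",
        var_export($haystack, true),
        var_export($r['pos'], true),
        var_export($r['eq_true'], true),
        var_export($r['ge_zero'], true),
        var_export($r['not_false'], true));
}

$ban = ['DELETE FROM', 'INSERT INTO', 'LOAD DATA', 'TRUNCATE TABLE'];
var_dump(containsBanned('delete from users', $ban));   // bool(true)
var_dump(containsBanned('SELECT FROM users', $ban));   // bool(false)
```

The `>= 0` row comes out true even for the string with no needle because PHP compares a boolean against an integer by converting the integer to boolean, so `false >= 0` is evaluated as `false >= false`. Only the strict `!== false` comparison distinguishes "found at offset 0" from "not found".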
RobertGonzalez
Site Administrator
Posts: 14293
Joined: Tue Sep 09, 2003 6:04 pm
Location: Fremont, CA, USA

Post by RobertGonzalez »

Try strstr() instead of strpos for searching a string. Then, if you know that the string is found in the other string, use strpos to find where.

Post by lmh85 »

Hi,

Thanks so much for the reply..

I had tried using strstr() also, but it seems to be a logic problem on my part. Can anybody spot my mistake? =(

Code:

function sqlInjectDetect($phrase){
    $ban = array("1"=>"DELETE FROM","2"=>"INSERT INTO","3"=>"LOAD DATA","4"=>"TRUNCATE TABLE");

    $phrase = strtoupper($phrase);
    $countBan = count($ban);
    $numOfBans = 0;

    for($i=1;$i<=$countBan;$i++){
        $pos = strstr($phrase,$ban[$i]);
        if($pos === true){
            $numOfBans = 1;
        }
    }
    return $numOfBans;
}
I had the results printed out.

Code:

print(sqlInjectDetect("DELETE FROM"));

Returns 0

Code:

print(sqlInjectDetect("Hello FROM"));

Returns 0 too

Both of the tests return 0.. could anybody tell me why? =(

Post by RobertGonzalez »

This works for me:

Code:

<?php
function sqlInjectDetect($phrase) {
  $ban = array('DELETE FROM', 'INSERT INTO', 'LOAD DATA', 'TRUNCATE TABLE');
  $countBan = count($ban);
  $numOfBans = 0;

  for ($i = 0; $i < $countBan; $i++) {
    if (stristr($phrase, $ban[$i]) !== false) {
      $numOfBans++;
    }
  }

  return $numOfBans;
}

$term = 'DELETE FROM';
echo 'The term ' . $term . ' shows up ' . sqlInjectDetect($term) . ' times.';
?>
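Added example, not part of the thread and not RobertGonzalez's code, addressing the first post's request for ways to prevent SQL injection. It runs the detection logic from the working function above over a few constructed inputs to show what a keyword substring match catches and misses, then shows the same inputs bound as parameters to a prepared statement, where they cannot alter the query at all. The PDO connection to an in-memory SQLite database is an assumption made so the example runs stand-alone; it needs the pdo_sqlite extension.

```php
<?php
// Added example: limits of a keyword blacklist, and parameter binding instead.
// Requires PHP 7+ with pdo_sqlite.

// Same logic as the working sqlInjectDetect() above: count banned phrases
// found as case-insensitive substrings.
function sqlInjectDetect(string $phrase): int
{
    $ban = ['DELETE FROM', 'INSERT INTO', 'LOAD DATA', 'TRUNCATE TABLE'];
    $hits = 0;
    foreach ($ban as $needle) {
        if (stristr($phrase, $needle) !== false) {
            $hits++;
        }
    }
    return $hits;
}

// Constructed inputs. Only the first matches the blacklist; the next three are
// ordinary SQL that the substring match does not see, and the last is harmless
// English that it flags anyway.
$inputs = [
    "delete from users",            // caught: case-insensitive substring present
    "DELETE  FROM users",           // missed: two spaces between the keywords
    "DELETE/**/FROM users",         // missed: SQL comment instead of a space
    "' OR 1=1 --",                  // missed: contains no banned keyword at all
    "please delete from my list",   // false positive: not SQL
];
foreach ($inputs as $in) {
    printf("%-32s hits=%d\n", var_export($in, true), sqlInjectDetect($in));
}

// Prepared statement with a bound parameter: the value is never parsed as SQL,
// so none of the strings above can change what the query does.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
$db->exec("INSERT INTO users (name) VALUES ('alice'), ('bob')");

function findUser(PDO $db, string $name): array
{
    $stmt = $db->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

foreach (['alice', "' OR 1=1 --", "alice'; DELETE FROM users; --"] as $name) {
    printf("%-34s -> %d row(s)\n", var_export($name, true), count(findUser($db, $name)));
}
// Only the literal name 'alice' matches; the table is untouched afterwards.
echo $db->query('SELECT COUNT(*) FROM users')->fetchColumn(), " users remain\n";
```

The detector is useful at most as a logging signal. Whatever it returns, the query that receives user input should be built with placeholders as in findUser(), which is what actually stops the input from being interpreted as SQL.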

Post by lmh85 »

Thanks so much!! It works!! :D

Post by RobertGonzalez »

You're welcome. I'm glad it worked out for you.