strpos
Posted: Wed Jun 06, 2007 8:48 am
by lmh85
Hi everyone..
I am stuck with my problems on the strpos() function.
Code:
function sqlInject($phrase){
    $ban=array("1"=>"DELETE FROM","2"=>"INSERT INTO","3"=>"LOAD DATA","4"=>"TRUNCATE TABLE");
    $phrase = strtoupper($phrase);
    $countBan = count($ban);
    $numOfBans = 0;
    for($i=1;$i<=$countBan;$i++){
        $pos = strpos($phrase,$ban[$i]);
        if($pos === true){
            $numOfBans = 1;
        }
    }
    return $numOfBans;
}
The above is one of the functions used to do a little detection of any SQL injections.
I had tried validating this function by using a print line, but it kept showing 0 (numOfBans) when I had entered one or more of the array contents.
Please help! Thanks million!
If you do have any good ways to prevent sql injection, please do post too!
Thanks again!
Posted: Wed Jun 06, 2007 9:08 am
by lmh85
Hi TheMoose,
Thank you so much for replying.
Yes, supposedly it's searching for needles in a haystack.
$phrase is the $Haystack and $ban are the $needles.
Anything wrong anywhere? *scratch head*
Posted: Wed Jun 06, 2007 9:09 am
by feyd
strpos() doesn't return boolean true, it returns the position.
Posted: Wed Jun 06, 2007 9:09 am
by TheMoose
I misread some of your stuff, so I deleted my reply because it was wrong.
Posted: Wed Jun 06, 2007 9:27 am
by lmh85
Thanks so much for the help!!
So, if it doesn't find any of the needles in the haystack, is it supposed to return -1 for $pos?
i tried using
and it always returns 1 even if I enter "SELECT FROM", which is not in the array.
help!
Any help is very much appreciated! Thanks in advance!
Posted: Wed Jun 06, 2007 1:11 pm
by RobertGonzalez
Try
strstr() instead of strpos for searching a string. Then, if you know that the string is found in the other string, use strpos to find where.
Posted: Fri Jun 08, 2007 12:05 pm
by lmh85
Hi,
Thanks so much for the reply..
I had tried using
also..
But it seems to be a logic problem on my part.. Can anybody spot my mistake? =(
Code:
function sqlInjectDetect($phrase){
    $ban=array("1"=>"DELETE FROM","2"=>"INSERT INTO","3"=>"LOAD DATA","4"=>"TRUNCATE TABLE");
    $phrase = strtoupper($phrase);
    $countBan = count($ban);
    $numOfBans = 0;
    for($i=1;$i<=$countBan;$i++){
        $pos = strstr($phrase,$ban[$i]);
        if($pos === true){
            $numOfBans = 1;
        }
    }
    return $numOfBans;
}
I had the results printed out..
Code:
print(sqlInjectDetect("DELETE FROM"));
Returns 0
Code:
print(sqlInjectDetect("Hello FROM"));
Returns 0 too
Both of the tests return 0.. Could anybody tell? =(
Posted: Fri Jun 08, 2007 12:18 pm
by RobertGonzalez
This works for me:
Code:
<?php
function sqlInjectDetect($phrase) {
    $ban = array('DELETE FROM', 'INSERT INTO', 'LOAD DATA', 'TRUNCATE TABLE');
    $countBan = count($ban);
    $numOfBans = 0;
    for ($i = 0; $i < $countBan; $i++) {
        // stristr() is case-insensitive and returns false when the needle is absent
        if (stristr($phrase, $ban[$i]) !== false) {
            $numOfBans++;
        }
    }
    return $numOfBans;
}
$term = 'DELETE FROM';
echo 'The term ' . $term . ' shows up ' . sqlInjectDetect($term) . ' times.';
?>
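An added example (not code from any poster in this thread) that puts the thread's answer together: the strict `!== false` check on strpos(), including the offset-0 case that a truthiness test would miss, followed by the prepared-statement approach the original question also asked about. It assumes PHP 7 or later with the pdo_sqlite extension available.

```php
<?php
// Added example, not from any poster in this thread.
// strpos() returns the integer offset of the needle, or false when it is
// absent. It never returns true, so `$pos === true` can never match, and an
// offset of 0 (needle at the very start) is falsy, so `if ($pos)` misses it.
// The reliable test is the strict comparison `!== false`.
function sqlInjectDetect(string $phrase): int
{
    $ban = ['DELETE FROM', 'INSERT INTO', 'LOAD DATA', 'TRUNCATE TABLE'];
    $phrase = strtoupper($phrase);   // case-insensitive match, as in the original
    $numOfBans = 0;
    foreach ($ban as $needle) {
        $pos = strpos($phrase, $needle);
        if ($pos !== false) {        // 0 is a valid hit; only false means not found
            $numOfBans++;
        }
    }
    return $numOfBans;
}

var_dump(strpos('DELETE FROM t', 'DELETE FROM'));   // needle sits at offset 0
var_dump(strpos('Hello FROM', 'DELETE FROM'));      // needle absent
echo sqlInjectDetect('delete from users'), "\n";
echo sqlInjectDetect('Hello FROM'), "\n";

// A keyword list only catches the phrasings it lists, so treat it as a log
// signal rather than a defence. The protection is to keep user data out of
// the SQL text with a prepared statement; SQLite in memory so this runs
// without a database server.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO users (name) VALUES ('alice'), ('bob')");

$input = "alice'; DELETE FROM users; --";          // constructed hostile input
$stmt = $db->prepare('SELECT id FROM users WHERE name = :name');
$stmt->execute([':name' => $input]);               // bound as data, never parsed as SQL
var_dump($stmt->fetchColumn());                    // no row has that literal name
echo $db->query('SELECT COUNT(*) FROM users')->fetchColumn(), "\n"; // both rows remain
```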
Posted: Fri Jun 08, 2007 2:22 pm
by lmh85
Thanks so much!! It works!!

Posted: Fri Jun 08, 2007 3:21 pm
by RobertGonzalez
You're welcome. I'm glad it worked out for you.