strpos

Posted: Wed Jun 06, 2007 8:48 am
by lmh85
Hi everyone.. :)

I am stuck with my problems on the strpos() function.

Code:

function sqlInject($phrase){
	$ban=array("1"=>"DELETE FROM","2"=>"INSERT INTO","3"=>"LOAD DATA","4"=>"TRUNCATE TABLE");

	$phrase = strtoupper($phrase);
	$countBan = count($ban);
	$numOfBans = 0;

	for($i=1;$i<=$countBan;$i++){
		// strpos() returns the integer offset of the match, or false when
		// there is no match; it never returns boolean true, so this test
		// can never succeed.
		$pos = strpos($phrase,$ban[$i]);
		if($pos === true){
			$numOfBans = 1;
		}
	}
	return $numOfBans;
}
The above is one of the functions used to do a little detection of any SQL injections.
I had tried validating this function by using a print line but it kept showing 0 (numOfBans) when I had
entered one or more of the array contents.

Please help! Thanks million! :bow:

If you do have any good ways to prevent sql injection, please do post too!

Thanks again!

Posted: Wed Jun 06, 2007 9:08 am
by lmh85
Hi TheMoose,

Thank you so much for replying.

Yes, supposedly it's searching for Needles in a Haystack.

$phrase is the $Haystack and $ban are the $needles.

Any wrong any where? *scratch head* :(

Posted: Wed Jun 06, 2007 9:09 am
by feyd
strpos() doesn't return boolean true, it returns the position.

Posted: Wed Jun 06, 2007 9:09 am
by TheMoose
I misread some of your stuff, so I deleted my reply because it was wrong.

Posted: Wed Jun 06, 2007 9:27 am
by lmh85
Thanks so much for the help!!

so, if it doesn't find any of the needles in the haystack, is it supposed to return -1 for $pos?

i tried using

Code:

if($pos >= 0){
	$numOfBans = 1;
}

and it always returns 1 even if I enter "SELECT FROM", which is not in the array.

help!

Any help is very much appreciated! Thanks in advance!
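Added example, not code from any of the posters: it runs the three comparisons tried in this thread against strpos() on a constructed input, and a corrected version of the check. The point it shows is that strpos() returns the integer offset of the first match (0 when the needle is at the start, which is falsy) or false when there is no match, and that a loose comparison such as `$pos >= 0` treats false as 0, so it is true for every input. The only reliable test is a strict comparison against false.

```php
<?php
// Added example (not from the thread): how strpos() actually reports a match.
// - match at offset 0  -> integer 0 (falsy, but a real match)
// - match elsewhere    -> positive integer offset
// - no match           -> boolean false
// A loose comparison converts false to 0, so `false >= 0` is true; only a
// strict `!== false` distinguishes "no match" from "match at offset 0".

function containsBanned(string $phrase, array $ban): bool
{
    $phrase = strtoupper($phrase);
    foreach ($ban as $needle) {
        if (strpos($phrase, $needle) !== false) {
            return true;
        }
    }
    return false;
}

// Show, for one input, what each comparison used in the thread evaluates to.
function compareChecks(string $haystack, string $needle): array
{
    $pos = strpos($haystack, $needle);
    return [
        'raw'         => $pos,            // int offset or false
        '=== true'    => ($pos === true), // always false: strpos() never returns true
        '>= 0'        => ($pos >= 0),     // true even when $pos is false
        '!== false'   => ($pos !== false) // the correct test
    ];
}

$ban = ['DELETE FROM', 'INSERT INTO', 'LOAD DATA', 'TRUNCATE TABLE'];

// Constructed inputs: one that matches at offset 0, one that does not match.
foreach (['DELETE FROM users', 'SELECT FROM users'] as $input) {
    echo $input, PHP_EOL;
    var_dump(compareChecks($input, 'DELETE FROM'));
    var_dump(containsBanned($input, $ban));
}
```

Run with `php example.php`: for the first input `raw` is int(0) and only `=== true` is false; for the second input `raw` is bool(false), yet `>= 0` is still true, which is exactly why the `$pos >= 0` version reported 1 for "SELECT FROM". containsBanned() is true for the first input and false for the second.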

Posted: Wed Jun 06, 2007 1:11 pm
by RobertGonzalez
Try strstr() instead of strpos for searching a string. Then, if you know that the string is found in the other string, use strpos to find where.

Posted: Fri Jun 08, 2007 12:05 pm
by lmh85
Hi,

Thanks so much for the reply..

I had tried using

Code:

strstr()
also..

But it seems to be my logic problem.. Can anybody spot my mistake? =(

Code:

function sqlInjectDetect($phrase){
	$ban=array("1"=>"DELETE FROM","2"=>"INSERT INTO","3"=>"LOAD DATA","4"=>"TRUNCATE TABLE");

	$phrase = strtoupper($phrase);
	$countBan = count($ban);
	$numOfBans = 0;

	for($i=1;$i<=$countBan;$i++){
		// strstr() returns the matched tail of the string, or false when
		// there is no match; like strpos() it never returns boolean true.
		$pos = strstr($phrase,$ban[$i]);
		if($pos === true){
			$numOfBans = 1;
		}
	}
	return $numOfBans;
}
I had the results printed out..

Code:

print(sqlInjectDetect("DELETE FROM"));

Returns 0

Code:

print(sqlInjectDetect("Hello FROM"));

Returns 0 too

Both of the tests return 0.. could anybody tell? =(

Posted: Fri Jun 08, 2007 12:18 pm
by RobertGonzalez
This works for me:

Code:

<?php
function sqlInjectDetect($phrase) {
  $ban = array('DELETE FROM', 'INSERT INTO', 'LOAD DATA', 'TRUNCATE TABLE');
  $countBan = count($ban);
  $numOfBans = 0;

  for ($i = 0; $i < $countBan; $i++) {
    // stristr() is case-insensitive and returns false when nothing matches,
    // so the strict comparison against false is the reliable test.
    if (stristr($phrase, $ban[$i]) !== false) {
      $numOfBans++;
    }
  }

  return $numOfBans;
}

$term = 'DELETE FROM';
echo 'The term ' . $term . ' shows up ' . sqlInjectDetect($term) . ' times.';
?>
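The original post also asked for good ways to prevent SQL injection. Added example, not code from any poster in this thread: a keyword scan like the one above only reports that a phrase contains a banned word, and it will also flag legitimate data that happens to contain one. The mitigation is to keep user input out of the SQL text entirely by binding it as a parameter with prepared statements, so the database never parses it as a command. This example assumes PDO with the pdo_sqlite extension and uses an in-memory SQLite database; the table, rows and lookup inputs are constructed for the demonstration.

```php
<?php
// Added example (not from the thread): parameter binding instead of keyword
// filtering. Assumes PDO with pdo_sqlite; all data here is constructed.

function openDemoDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');

    // Constructed rows. The third name contains a banned keyword and the
    // fourth contains a quote; both are stored as plain data.
    $insert = $db->prepare('INSERT INTO users (name) VALUES (:name)');
    foreach (['alice', 'bob', 'DELETE FROM users', "o'brien"] as $name) {
        $insert->execute([':name' => $name]);
    }
    return $db;
}

// Look a user up by name. Whatever $name contains is bound as a value and
// compared against the name column; it is never spliced into the SQL text.
function findUser(PDO $db, string $name): ?array
{
    $stmt = $db->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

function countUsers(PDO $db): int
{
    return (int) $db->query('SELECT COUNT(*) FROM users')->fetchColumn();
}

$db = openDemoDb();
$before = countUsers($db);

// Constructed lookups: a normal name, a name carrying a banned keyword,
// and a name with a quote. A keyword scan would reject the second and an
// unescaped string concatenation would break on the third.
foreach (['alice', 'DELETE FROM users', "o'brien", 'SELECT FROM users'] as $input) {
    $row = findUser($db, $input);
    printf("%-20s -> %s\n", $input, $row === null ? 'no such user' : 'id ' . $row['id']);
}

// The table is unchanged: the keyword-bearing input was treated as data.
printf("rows before: %d, rows after: %d\n", $before, countUsers($db));
```

Run with `php example.php`. The first three lookups find their rows because each name is stored and compared literally, the fourth finds nothing, and the row count is the same before and after, showing that an input containing "DELETE FROM" was never executed as SQL. The keyword list in the thread can still be useful as a logging or alerting signal, but it should not be the control that protects the database.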

Posted: Fri Jun 08, 2007 2:22 pm
by lmh85
Thanks so much!! It works!! :D

Posted: Fri Jun 08, 2007 3:21 pm
by RobertGonzalez
You're welcome. I'm glad it worked out for you.