
baffled by stripos

Posted: Thu Mar 12, 2009 11:25 am
by oboedrew
I'm a bit baffled by PHP's stripos function. This is my first attempt at using it. I'm trying to use it to prevent header injection in a contact form.

if(stripos($message, 'to:') || 
    stripos($message, 'cc:') || 
    stripos($message, 'bcc:') || 
    stripos($message, 'content-type:') || 
    stripos($message, 'mime-version:') || 
    stripos($message, 'content-transfer-encoding:'))
{
    // displays warning, does not send email
}
else{
    // sends email
}
 
Strangely, this works only if two or more of the prohibited strings are included in the message, but the message goes through with no warning displayed if only one of the prohibited strings is included. Can anyone explain this to me?

Thanks,
Drew

Re: baffled by stripos

Posted: Thu Mar 12, 2009 1:07 pm
by Mark Baker
First thing to watch for with strpos() or stripos() is the needle you're looking for being found at position 0 in the haystack. 0 is also Boolean False unless you're using strong type checking.

if((stripos($message, 'to:') !== False))
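
As an added example (not part of the original posts), the following PHP script runs the loose and the strict form of the check over the thread's list of prohibited strings, showing why a lone match at offset 0 slips through while a message with a second match is caught. The function names and sample messages are constructed for illustration.

```php
<?php
// Added example, not code from the thread. Function names and sample
// messages are constructed for illustration.

const PROHIBITED = ['to:', 'cc:', 'bcc:', 'content-type:',
                    'mime-version:', 'content-transfer-encoding:'];

// The original pattern: relies on the truthiness of stripos()'s result.
// stripos() returns an int offset or false; offset 0 is falsy, so a needle
// at the very start of the message is treated as "not found".
function found_loose(string $message): bool
{
    foreach (PROHIBITED as $needle) {
        if (stripos($message, $needle)) {
            return true;
        }
    }
    return false;
}

// The corrected pattern: compare against false with the strict !== operator.
function found_strict(string $message): bool
{
    foreach (PROHIBITED as $needle) {
        if (stripos($message, $needle) !== false) {
            return true;
        }
    }
    return false;
}

$samples = [   // constructed test messages
    'to: someone@example.com',                       // one needle, at offset 0
    'to: someone@example.com cc: other@example.com', // second needle at offset > 0
    'Hello, please reply to: me',                    // one needle, at offset > 0
    'Just a normal message',                         // no needle
];

foreach ($samples as $m) {
    printf("%-48s loose=%-5s strict=%s\n",
        '"' . $m . '"',
        var_export(found_loose($m), true),
        var_export(found_strict($m), true));
}
```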

Re: baffled by stripos

Posted: Thu Mar 12, 2009 1:19 pm
by oboedrew
Ah, I get it. The position of "to:" was 0 because it's the first thing I typed in the test message. Makes perfect sense now.

Thanks,
Drew