How to replace forbidden words in lowercase or uppercase

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

dimitris
Forum Contributor
Posts: 110
Joined: Wed Jan 14, 2004 3:47 am
Location: Athens, Greece

How to replace forbidden words in lowercase or uppercase

Post by dimitris »

Hi all,

I want to make $var = str_replace('DELETE','',$var);

work even when $var contains the token DELETE, delete, DeLeTe, Delete or another combination of lowercase and uppercase letters.

Do you have any suggestions, such as using ereg_replace with a pattern?
Skittlewidth
Forum Contributor
Posts: 389
Joined: Wed Nov 06, 2002 9:18 am
Location: Kent, UK

Post by Skittlewidth »

If you are using PHP5, str_ireplace() is a case-insensitive string replace function.
dimitris
Forum Contributor
Posts: 110
Joined: Wed Jan 14, 2004 3:47 am
Location: Athens, Greece

Post by dimitris »

Skittlewidth wrote: If you are using PHP5, str_ireplace() is a case-insensitive string replace function.
Thanks!
Z3RO21
Forum Contributor
Posts: 130
Joined: Thu Aug 17, 2006 8:59 am

Post by Z3RO21 »

If you don't have PHP 5 you could load a copy of the string into a temp variable. Then apply strtolower on the temp string, locate instances of 'delete' and note down the position in the string. Once you have a list of locations you can easily filter out the words.
RobertGonzalez
Site Administrator
Posts: 14293
Joined: Tue Sep 09, 2003 6:04 pm
Location: Fremont, CA, USA

Post by RobertGonzalez »

No temp variables are needed...

Code:

<?php
$var = str_replace('DELETE', '', strtoupper($var)); 
?>
Keep in mind this is a complete variable replacement, meaning that if the var is delete, DELETE, or any other combination of upper or lower case letters forming the word DELETE, this will replace that variable with a blank string. This will not work on strings that contain multiple words or spaces around the word (unless you use trim()). For that you will need a regular expression replacement using something like preg_replace().
John Cartwright
Site Admin
Posts: 11470
Joined: Tue Dec 23, 2003 2:10 am
Location: Toronto

Post by John Cartwright »

I would go down the preg_replace route with the i modifier.
Ollie Saunders
DevNet Master
Posts: 3179
Joined: Tue May 24, 2005 6:01 pm
Location: UK

Post by Ollie Saunders »

Jcart wrote: I would go down the preg_replace route with the i modifier.
I would too. You can use word boundary assertions then (\b). Without them you run the risk, as a friend of mine recently was the victim of, of being kicked with the name 'badminton' when searching for the string 'admin'.
Kieran Huggins
DevNet Master
Posts: 3635
Joined: Wed Dec 06, 2006 4:14 pm
Location: Toronto, Canada

Post by Kieran Huggins »

some other good examples I've seen recently: CampusCrew (screw) and msExchange (sexchange) :lol:
Ambush Commander
DevNet Master
Posts: 3698
Joined: Mon Oct 25, 2004 9:29 pm
Location: New Jersey, US

Post by Ambush Commander »

If you're going to use PCRE, you'll probably want to stick all of the naughty words in one expression so you're not running preg_replace a hundred plus times.
Ollie Saunders
DevNet Master
Posts: 3179
Joined: Tue May 24, 2005 6:01 pm
Location: UK

Post by Ollie Saunders »

Good idea, something like this:

Code:

$words = array('scrote-um', 'pea-ness', 'vaj-china');
$wordPattern = '(';
foreach ($words as $v) {
    $wordPattern.= preg_quote($v, '~') . '|';
}
$wordPattern = ')';
$pattern= "~\b$wordPattern\b~i";
// preg_replace takes (pattern, replacement, subject) in that order
$filtered = preg_replace($pattern, '<span title="I\'m naughty, are you naughty?">smurf</span>', $string);
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

psst.. needs the trailing pipe trimmed off. ;)
Ollie Saunders
DevNet Master
Posts: 3179
Joined: Tue May 24, 2005 6:01 pm
Location: UK

Post by Ollie Saunders »

feyd wrote:psst.. needs the trailing pipe trimmed off. ;)
Crap. And I'm missing the dot here:

Code:

$wordPattern = ')';
Well, you get the picture anyway :)
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Post by Mordred »

You need to repeat the filtering in a loop until no more changes are made. Otherwise consider filtering the word "delete" from the string
"dedeletelete" (highlighted for clarity).
John Cartwright
Site Admin
Posts: 11470
Joined: Tue Dec 23, 2003 2:10 am
Location: Toronto

Post by John Cartwright »

Mordred wrote: You need to repeat the filtering in a loop until no more changes are made. Otherwise consider filtering the word "delete" from the string
"dedeletelete" (highlighted for clarity).
The words aren't removed, they are replaced with smurf.
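The following is an added example, not code posted in this thread. It pulls together the advice above: Ollie's \b word-boundary assertions with the i modifier, Ambush Commander's point about putting every forbidden word into one preg_quote-escaped pattern, and the Mordred/John exchange about when a single pass is enough (substituting a placeholder) and when it is not (deleting matches outright, where "dedeletelete" collapses to "delete"). The function names, the placeholder 'smurf', and the sample inputs are my own; it assumes PHP 7.4 or later.

```php
<?php
// Added example, not code from the thread. Assumes PHP 7.4 or later.
// One PCRE pattern for all forbidden words (escaped with preg_quote), the
// 'i' modifier, and optional \b word boundaries; then placeholder
// substitution (one pass) versus outright deletion (repeat to fixed point).

/**
 * Build a single case-insensitive pattern matching any of $words.
 * With $wholeWords the alternation is wrapped in \b...\b so that
 * 'admin' does not match inside 'badminton'.
 */
function buildForbiddenPattern(array $words, bool $wholeWords = true): string
{
    $escaped = array_map(
        static fn(string $w): string => preg_quote($w, '~'),
        $words
    );
    // implode() puts '|' between items only, so there is no trailing pipe.
    $alternation = '(?:' . implode('|', $escaped) . ')';
    return $wholeWords
        ? '~\b' . $alternation . '\b~i'
        : '~' . $alternation . '~i';
}

/** Replace every forbidden word with a placeholder in a single pass. */
function maskForbidden(string $text, array $words, string $mask = 'smurf'): string
{
    $result = preg_replace(buildForbiddenPattern($words), $mask, $text);
    if ($result === null) {
        throw new RuntimeException('preg_replace failed, PCRE error ' . preg_last_error());
    }
    return $result;
}

/**
 * Delete forbidden words outright. Removing a match can splice the
 * surrounding characters into a fresh match ("dedeletelete" -> "delete"),
 * so repeat until the text stops changing; $maxRounds caps the loop.
 */
function stripForbidden(string $text, array $words, bool $wholeWords = false, int $maxRounds = 100): string
{
    $pattern = buildForbiddenPattern($words, $wholeWords);
    for ($round = 0; $round < $maxRounds; $round++) {
        $next = preg_replace($pattern, '', $text);
        if ($next === null) {
            throw new RuntimeException('preg_replace failed, PCRE error ' . preg_last_error());
        }
        if ($next === $text) {
            return $text;          // reached a fixed point, nothing left to remove
        }
        $text = $next;
    }
    throw new RuntimeException('forbidden-word filter did not converge');
}

// Constructed sample inputs (not from the thread).
$words = ['delete', 'admin', 'scrote-um'];

// Whole-word, case-insensitive masking: DeLeTe is masked, badminton is kept.
echo maskForbidden('Please DeLeTe the badminton court', $words), PHP_EOL;

// Single-pass deletion without \b leaves "delete" behind; the loop does not.
echo preg_replace(buildForbiddenPattern($words, false), '', 'dedeletelete'), PHP_EOL;
echo '[', stripForbidden('dedeletelete', $words), ']', PHP_EOL;
```

The deletion loop is capped because each round rescans the whole string, and a list of overlapping words can take several rounds on hostile input. If the DELETE in the opening post is being stripped to protect a database query, keyword filtering does not make query construction safe on its own: binding values through prepared statements (PDO or mysqli) keeps user data out of the SQL text regardless of what words it contains.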
Kieran Huggins
DevNet Master
Posts: 3635
Joined: Wed Dec 06, 2006 4:14 pm
Location: Toronto, Canada

Post by Kieran Huggins »

Jcart wrote:The words aren't removed, they are replaced with smurf.
Nice 8)