Overclock.net › Forums › Software, Programming and Coding › Coding and Programming › Web Coding › PHP - Check if string contains ampersand

PHP - Check if string contains ampersand

post #1 of 10
Thread Starter 
I'm working on a little project, and part of it involves a search feature (which works fine). I want to restrict wildcards (&, %, and _), and I have all of them except &.

Here's what I'm using to check if the string contains any of these (this particular example is the snippet for underscores), but it seems this method doesn't work with ampersands instead of underscores:
Code:
    if(strstr($word, "_")){
    echo "Query cannot contain wildcard characters ( %, &, and _ ).";
    exit;
    }

$word is the search parameter, which has been cleaned up by mysql_real_escape_string already at this point in the file.
post #2 of 10
Quote:
Originally Posted by tehmaggot;14409072 
I'm working on a little project, and part of it involves a search feature (which works fine). I want to restrict wildcards (&, %, and _), and I have all of them except &.

Here's what I'm using to check if the string contains any of these (this particular example is the snippet for underscores), but it seems this method doesn't work with ampersands instead of underscores:
Code:
    if(strstr($word, "_")){
    echo "Query cannot contain wildcard characters ( %, &, and _ ).";
    exit;
    }

$word is the search parameter, which has been cleaned up by mysql_real_escape_string already at this point in the file.


Have you tried using & instead of &?
post #3 of 10
Try a regular expression match.
[php]
if( preg_match("/_|&|%/", $word) )
{
echo "Query cannot contain wildcard characters ( %, &, and _ ).";
}
[/php]
post #4 of 10
Thread Starter 
Quote:
Originally Posted by iPoop;14410804 
Have you tried using & instead of &?
Indeed, and I was met with failure.
Quote:
Originally Posted by SiPex;14411880 
Try a regular expression match.
[php]
if( preg_match("/_|&|%/", $word) )
{
echo "Query cannot contain wildcard characters ( %, &, and _ ).";
}
[/php]
I'll try this out after I get home, thanks in advance. I'll report with any findings.
post #5 of 10
http://php.net/manual/en/function.mysql-real-escape-string.php#refsect1-function.mysql-real-escape-string-seealso

That's a link to the mysql_real_escape_string() function.

Go right above where the page loads (the first div when you scroll up).
Code:
Note: mysql_real_escape_string() does not escape % and _. These are wildcards in MySQL if combined with LIKE, GRANT, or REVOKE.

Funny enough, two of the characters you posted about in your original post (the underscore and percent symbol) are the only two characters that don't get escaped. Fair to assume the ampersand is getting escaped?
post #6 of 10
Thread Starter 
Quote:
Originally Posted by SiPex;14411880 
Try a regular expression match.
[php]
if( preg_match("/_|&|%/", $word) )
{
echo "Query cannot contain wildcard characters ( %, &, and _ ).";
}
[/php]
No go on this. Thanks for trying, though.
Quote:
Originally Posted by iPoop;14415246 
http://php.net/manual/en/function.mysql-real-escape-string.php#refsect1-function.mysql-real-escape-string-seealso

That's a link to the mysql_real_escape_string() function.

Go right above where the page loads (the first div when you scroll up).
Code:
Note: mysql_real_escape_string() does not escape % and _. These are wildcards in MySQL if combined with LIKE, GRANT, or REVOKE.

Funny enough, two of the characters you posted about in your original post (the underscore and percent symbol) are the only two characters that don't get escaped. Fair to assume the ampersand is getting escaped?

I'm not sure. Been a crazy day and I'm probably not thinking straight. I tried doing the checks before calling the escape, but that didn't help. Underscores and percentage signs are blocked fine, but unfortunately, ampersands still work.
post #7 of 10
Quote:
Originally Posted by tehmaggot;14419601 
No go on this. Thanks for trying, though.


I'm not sure. Been a crazy day and I'm probably not thinking straight. I tried doing the checks before calling the escape, but that didn't help. Underscores and percentage signs are blocked fine, but unfortunately, ampersands still work.

Would you mind sharing the function's entire code?
post #8 of 10
Actually SiPex had the right idea with using regex. Just needed some tweaking. Try this:

[php]
$pattern = '/\%|\&|_/';
$word = "kj&lkf";

if(preg_match($pattern, $word)) {
echo "Wild Card Found";
}
else {
echo "NO WILDCARD";
}
[/php]
Edited by MakubeX - 8/3/11 at 9:07am
post #9 of 10
Thread Starter 
Quote:
Originally Posted by MakubeX;14448886 
Actually SiPex had the right idea with using regex. Just needed some tweaking. Try this:

[php]
$pattern = '/\%|\&|_/';
$word = "kj&lkf";

if(preg_match($pattern, $word)) {
echo "Wild Card Found";
}
else {
echo "NO WILDCARD";
}
[/php]
No go on this, but there is good news.

My SQL query was using "LIKE", and I had wildcards (%) before and after the variable in the query so that people can get partial matches. The problem with this is, if people were passing & to the query, it was getting filtered out but still getting past my isset($_POST) check. I believe this is why checking for it wasn't working. Since it was filtered out, the query was simply running 'LIKE = %%', causing the wildcard effect. I managed to block this behavior by checking if the length of the variable was 0.

So now it checks if the query has a length of 0 (ie: & being passed through), and I can successfully filter out the other wildcards (% and _).

Thanks for the help guys!
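The PHP below is an added example, not code from any post in this thread. It ties together the two findings above: the ampersand that "disappeared" before any check could see it (post #9) and the manual note that mysql_real_escape_string() leaves % and _ untouched (post #5). The mysql_* extension was removed in PHP 7.0, so the example uses PDO with a bound parameter; the table name products, the column name, the sample rows and the choice of ! as the LIKE escape character are assumptions made for this example.

```php
<?php
// Added example (not the thread's own code). Assumed: a "products" table with
// a "name" column, sample rows constructed below, and "!" as the ESCAPE char.

/**
 * 1. Why "&" never reached strstr(): browsers send form fields as
 *    application/x-www-form-urlencoded, where "&" separates fields. PHP
 *    builds $_POST from that body the same way parse_str() does, so a bare
 *    "&" splits the field (word becomes "kj", and a lone "&" leaves word
 *    empty), while only a percent-encoded "%26" survives as a literal "&".
 *    The three request bodies are constructed for demonstration.
 */
function showFormSplitting(): array
{
    parse_str('word=kj&lkf', $unencoded);  // field split at the "&"
    parse_str('word=&', $lone);            // the "empty term, LIKE '%%'" case
    parse_str('word=kj%26lkf', $encoded);  // "&" sent percent-encoded
    return [
        'unencoded' => $unencoded['word'],
        'lone'      => $lone['word'],
        'encoded'   => $encoded['word'],
    ];
}

/**
 * 2. Escape the LIKE metacharacters instead of rejecting them. The escape
 *    character itself is handled first so the escapes added for % and _
 *    are not escaped again. "!" is chosen over "\" because "\" is also a
 *    string-literal escape in MySQL, which makes the SQL easy to get wrong.
 */
function escapeLike(string $input, string $esc = '!'): string
{
    return str_replace(
        [$esc, '%', '_'],
        [$esc . $esc, $esc . '%', $esc . '_'],
        $input
    );
}

/**
 * Partial-match search with a bound parameter. The application's own
 * wildcards (the surrounding %) are appended after escaping, so a user's
 * % and _ match literally. The empty-string check is still required: an
 * empty term yields the pattern '%%' and matches every row, which is the
 * behaviour described in post #9.
 */
function searchProducts(PDO $db, string $term): array
{
    $term = trim($term);
    if ($term === '') {
        throw new InvalidArgumentException('Search term must not be empty');
    }
    $stmt = $db->prepare(
        "SELECT id, name FROM products WHERE name LIKE :pattern ESCAPE '!'"
    );
    $stmt->execute([':pattern' => '%' . escapeLike($term) . '%']);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

/**
 * Self-contained run against an in-memory SQLite database; the same
 * LIKE ... ESCAPE syntax is valid on MySQL. The rows are constructed so
 * that each search term should match exactly one of them.
 */
function demo(): array
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT)');
    $insert = $db->prepare('INSERT INTO products (name) VALUES (?)');
    foreach (['50% off', 'under_score', 'plain', 'a&b'] as $name) {
        $insert->execute([$name]);
    }
    return [
        'percent'    => array_column(searchProducts($db, '%'), 'name'),
        'underscore' => array_column(searchProducts($db, '_'), 'name'),
        'ampersand'  => array_column(searchProducts($db, 'a&b'), 'name'),
    ];
}

print_r(showFormSplitting());
print_r(demo());
```

Run it with the CLI (php example.php; it needs the pdo_sqlite extension, which most distributions ship). With the escaping in place, searching for % returns only the row containing a literal percent sign and searching for _ only the row with a literal underscore, so there is no need to refuse those characters to users. The check that matters for safety is the bound parameter: the search term never becomes part of the SQL text, so escaping for the query syntax and escaping for LIKE are kept separate, and the remaining input-validation question is only the empty term.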
post #10 of 10
Quote:
Originally Posted by tehmaggot;14449145 
No go on this, but there is good news.

My SQL query was using "LIKE", and I had wildcards (%) before and after the variable in the query so that people can get partial matches. The problem with this is, if people were passing & to the query, it was getting filtered out but still getting past my isset($_POST) check. I believe this is why checking for it wasn't working. Since it was filtered out, the query was simply running 'LIKE = %%', causing the wildcard effect. I managed to block this behavior by checking if the length of the variable was 0.

So now it checks if the query has a length of 0 (ie: & being passed through), and I can successfully filter out the other wildcards (% and _).

Thanks for the help guys!
Weird, it worked for me. Oh well, glad you fixed it.