Handling "kill" in large inputs

So James Patterson keeps trying to hack my website! Okay, not really, but he has written quite a few books that have titles starting with "Kill", which triggers an HTTP 501/HTTP 505 from our server-side firewall.

Here's the situation: our Library Software generates a weekly email report of all the new books added to the collection in the last week. I've made a form (using php/html) where we can C&P this data in and it will transform it into a nice little page showing off our new titles. Once the form is submitted I sanitize the data before it's added to a MySQL database. The "Kill" trigger happens before the data from the form can be passed and processed. The data comes in the format:

Kill shot : an American assassin thriller / Vince Flynn|Flynn, Vince|2012|9781416595205 (hbk.)|NEWBKSHELF|20120207| 

I think the way to do this would be a little bit of javascript that changed every instance of kill to something innocuous and then change it back when I am inserting it into the MySQL db.

However there can be hundreds of entries like the one above, and I'm not very good with javascript, and I'm not sure how to accomplish the first half of this (e.g. changing every instance of kill to kxll and Kill to Kxll). I am fairly confident that when I save the data I can safely change kxll back.

You should hook into the onSubmit() of the form, then check every field, and then replace the value of the submitted field when it contains kill. This is best done with jQuery, for example:

$(function() {
    $("#formid").bind("submit", function(event) {
        $('input')
        // indexOf() returns -1 when nothing is found, never false, so the
        // comparison must be against -1; /kill/i.test() also matches "Kill".
        .filter(function(){return /kill/i.test($(this).val());})
        .each( function(index,element) {
            // replace the first match (case-insensitive) in the field value
            $(this).val($(this).val().replace(/kill/i, "kxll"));
        });
    });
});

Demo here: http://jsfiddle.net/49psu/4/

You might want to use $('input[value*="kill"]') and .replace(/kill/ig, "kxll") if you want to catch 'kill' anywhere in the inputs.

For more info:

http://api.jquery.com/each/

http://api.jquery.com/bind/

http://api.jquery.com/submit/

http://w3schools.com/jsref/jsref_replace.asp (javascript replace)
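The substitution in the answer above has one weak spot for the round trip the asker wants: "kxll" cannot be turned back into "kill" safely if any title or author field already contained "kxll". The following added example (not code from the answer or the asker's site) shows a collision-safe version in plain JavaScript, without jQuery: an escape character is applied first, each blocked word is replaced by a token that records its original casing, and the reverse function restores the text exactly. The marker character "~" is an assumption; pick any character the firewall does not reject. The same unmask logic would be reimplemented in PHP before the data is inserted into MySQL, ideally with a prepared statement rather than by concatenating the restored strings into the query.

```javascript
// Added example, not from the original answer: a reversible, collision-safe
// substitution for a word a keyword filter rejects.

const WORD = 'kill';                       // word the server-side filter rejects (from the question)
const BLOCKED = new RegExp(WORD, 'gi');    // every occurrence, any casing
const MARK = '~';                          // assumed marker character, not filtered

// Escape pre-existing marker characters, then replace each blocked word with
// a token such as "~{Ulll}" whose letters record upper/lower case per position.
function maskBlocked(text) {
  return text
    .replace(/~/g, MARK + MARK)
    .replace(BLOCKED, (m) =>
      MARK + '{' + [...m].map((c) => (c === c.toUpperCase() ? 'U' : 'l')).join('') + '}');
}

// Single left-to-right pass: "~~" becomes "~", "~{flags}" becomes the word
// with its original casing. One alternation avoids double-decoding.
function unmaskBlocked(text) {
  return text.replace(/~~|~\{([Ul]{4})\}/g, (tok, flags) =>
    tok === MARK + MARK
      ? MARK
      : [...WORD].map((c, i) => (flags[i] === 'U' ? c.toUpperCase() : c)).join(''));
}

// Form-level helper: mask every field value of a {name: value} object,
// as an onsubmit handler would do before the request leaves the browser.
function maskFields(fields) {
  const out = {};
  for (const [name, value] of Object.entries(fields)) {
    out[name] = maskBlocked(String(value));
  }
  return out;
}

// Constructed sample in the report format from the question.
const SAMPLE_LINE =
  'Kill shot : an American assassin thriller / Vince Flynn|Flynn, Vince|2012|9781416595205 (hbk.)|NEWBKSHELF|20120207| ';

if (typeof require !== 'undefined' && require.main === module) {
  const masked = maskFields({ report: SAMPLE_LINE });
  console.log(masked.report);                         // "~{Ulll} shot : ..."
  console.log(unmaskBlocked(masked.report) === SAMPLE_LINE);  // true
}
```

In the browser, call maskFields on the form's values inside the submit handler; on the server, apply the inverse with the same regular expression before validation and insertion. The escaping step is what makes the scheme lossless: a report line that legitimately contains "~" or the literal text "~{Ulll}" still survives the round trip.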

I had a similar problem and my fix is... unorthodox, but it did work.

// replace() returns a new string, so the result has to be assigned back
yourField = yourField.replace(/kill/ig, '(ILLEGALTAG#1)');

If you want it to display correctly before the form is submitted, just put the function in an onsubmit handler,

and you make an SQL table that contains your illegal tags.

So the DB:

ID    |   Word
1     |   Kill

When you want to export your data, just replace the occurrences live.

Please note: this solution IS NOT IDEAL; it's just a fix if you really can't use an alternative (like fixing the firewall).

Since you don't know if kill is the only special word which is not allowed (maybe man, cat, ls are also forbidden?), you could encode the entire string. For instance, you could convert it to charcodes using this method: http://bateru.com/news/2009/10/javascript-tips-convert-string-to-unicode-values/ Then convert it back on the server side.

On submit, you could build a JSON object from the form, then BASE64 encode it and submit it through AJAX while cancelling the original form submit. Base64 decode on the server is natively supported in PHP through

base64_decode($string);

See http://php.net/manual/en/function.base64-decode.php

Base64 on the client-side works through

btoa(string)

See https://developer.mozilla.org/En/DOM/Window.btoa for more info. It only works natively in Chrome and Firefox; otherwise use the script mentioned here:

How can you encode a string to Base64 in JavaScript?
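The JSON-plus-Base64 approach above has a practical catch: btoa() throws on any character outside Latin-1, and library titles routinely contain accented or non-Latin characters. The following added example (not code from the answer) parses the pipe-delimited report lines from the question into records, serialises them as JSON, and Base64-encodes the result in a UTF-8-safe way via TextEncoder, with the matching decode so the round trip can be checked. The field names are assumptions inferred from the sample line; the server would do the equivalent of base64_decode() and json_decode() and then validate each field before any database insert.

```javascript
// Added example, not from the original answer: UTF-8-safe Base64 transport
// of the parsed report, working in browsers and in Node.

// Assumed field order of one report line, from the sample in the question:
// title / responsibility | author heading | year | ISBN (note) | location | date |
const FIELDS = ['title', 'author', 'year', 'isbn', 'location', 'added'];

// Split one pipe-delimited line into a record; missing trailing fields become ''.
function parseReportLine(line) {
  const parts = line.split('|').map((p) => p.trim());
  const rec = {};
  FIELDS.forEach((name, i) => { rec[name] = parts[i] === undefined ? '' : parts[i]; });
  return rec;
}

// Parse the whole pasted report, skipping blank lines.
function parseReport(text) {
  return text.split(/\r?\n/).filter((l) => l.trim() !== '').map(parseReportLine);
}

// btoa() only accepts Latin-1, so encode to UTF-8 bytes first, then map each
// byte to a code unit. Falls back to Buffer when btoa is not a global (old Node).
function utf8ToBase64(str) {
  const bytes = new TextEncoder().encode(str);
  let bin = '';
  for (const b of bytes) bin += String.fromCharCode(b);
  return typeof btoa === 'function' ? btoa(bin) : Buffer.from(bin, 'binary').toString('base64');
}

// Inverse: Base64 -> bytes -> UTF-8 string.
function base64ToUtf8(b64) {
  const bin = typeof atob === 'function' ? atob(b64) : Buffer.from(b64, 'base64').toString('binary');
  const bytes = Uint8Array.from(bin, (c) => c.charCodeAt(0));
  return new TextDecoder().decode(bytes);
}

// What the onsubmit handler would send in place of the raw form fields.
function encodeForSubmit(reportText) {
  return utf8ToBase64(JSON.stringify(parseReport(reportText)));
}

// What the server side does after base64_decode()/json_decode().
function decodeSubmission(b64) {
  return JSON.parse(base64ToUtf8(b64));
}

// Constructed sample: the line from the question plus a title with non-Latin-1 text.
const SAMPLE_REPORT = [
  'Kill shot : an American assassin thriller / Vince Flynn|Flynn, Vince|2012|9781416595205 (hbk.)|NEWBKSHELF|20120207| ',
  'Café société : a novel / Example Author|Author, Example|2011|9780000000000 (pbk.)|NEWBKSHELF|20120207| ',
].join('\n');

if (typeof require !== 'undefined' && require.main === module) {
  const payload = encodeForSubmit(SAMPLE_REPORT);
  console.log(payload.includes('kill'));                 // false: the word never appears in the request body
  console.log(decodeSubmission(payload)[1].title);       // "Café société : a novel / Example Author"
}
```

Encoding only changes how the data travels; the server still has to treat the decoded fields as untrusted input, checking that year and date are numeric, that the ISBN has the expected shape, and inserting with a prepared statement. If the firewall rule can be tuned instead, that removes the false positive at its source and keeps the request body inspectable.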