How to Limit Characters on Keyword Search in Backend?
3 posts by 2 authors in: Forums > CMS Builder
Last Post: Yesterday at 11:11pm
At present I've got a very simple search page that allows me to search for entries in my product "title" field via a /listings/search.php file, which uses this sort of approach in its code:
<?php
/* STEP 1: LOAD RECORDS - Copy this PHP code block near the TOP of your page */
require_once "/system/lib/viewer_functions.php";
list($my_listRecords, $my_listMetaData) = getRecords(array(
    'tableName'     => 'my_list',
    'perPage'       => '100',
    'loadCreatedBy' => false,
));
?>
<form method="POST" action="/listings/search.php">
    <input type="text" name="title_keyword" value="" size="16" maxlength="35" style="font-size:14px;width:auto;" />
    <input type="submit" name="search" value=" Search ISP by Name " style="font-size:14px;padding:6px;width:auto;">
</form>
Now this works fine, but I can see there are sometimes bots looking to find weaknesses/exploits in this by searching for lots of much longer strings (e.g. "/listings/search.php?title_keyword=commande+publique+et+marchcats+testing+pays+littlepuppies").
At present I limit the frontend form entry above via maxlength="35" and in CMSB I also set the "Max Length" setting for the 'title' field (under 'Input Validation') to 35. But these are really cosmetic changes, so when you get directly crafted REQUESTS like the example above, then they bypass that.
The only output is just a kind of "no records found" result, but what I'd prefer to do is return our server's generic 404 page or just block any requests longer than 35 characters on the 'title' (title_keyword) field. Any ideas for how to do this in the PHP script, without breaking the search for normal-sized requests?
By Tim - Yesterday at 12:13pm - edited: Yesterday at 12:44pm
Hello mark99,
I think something like this should get you moving in the right direction:
<?php
/* STEP 1: LOAD RECORDS - Copy this PHP code block near the TOP of your page */
require_once "/system/lib/viewer_functions.php";

// If you prefer to just die if the keyword search is greater than 35 characters
if (isset($_REQUEST['title_keyword'])) {
    if (strlen($_REQUEST['title_keyword']) > 35) {
        dieWith404('Page not found!');
    }
}

list($my_listRecords, $my_listMetaData) = getRecords(array(
    'tableName'     => 'my_list',
    'perPage'       => '100',
    'loadCreatedBy' => false,
));
?>
Here we are saying that if the value submitted by the form ('title_keyword') is set, and if greater than 35 characters, die with a 404 response.
Another option is that you could also send the user to a custom 404 page through a redirect...
<?php
/* STEP 1: LOAD RECORDS - Copy this PHP code block near the TOP of your page */
require_once "/system/lib/viewer_functions.php";

// If you prefer to redirect to a custom 404 page when the keyword search is greater than 35 characters.
// Note: PHP replaces any status already set with a 302/303 redirect status as soon as a
// "Location:" header is sent, so a "404 Not Found" header here would be discarded;
// /custom-404.php should send the 404 status itself.
if (isset($_REQUEST['title_keyword'])) {
    if (strlen($_REQUEST['title_keyword']) > 35) {
        header("Location: /custom-404.php");
        exit();
    }
}

list($my_listRecords, $my_listMetaData) = getRecords(array(
    'tableName'     => 'my_list',
    'perPage'       => '100',
    'loadCreatedBy' => false,
));
?>
Let me know how that works out for you.
Senior Web Programmer
Interactivetools.com
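As an added example (not code from the thread or from CMS Builder), the same check wrapped in a reusable function that counts UTF-8 characters rather than bytes, so a 35-character limit matches the form's maxlength even for accented search terms, and that rejects array-style parameters; getLimitedKeyword() and sendNotFound() are names assumed here, and dieWith404() is the CMSB helper from the replies above:

```php
<?php
/* STEP 1: LOAD RECORDS - Copy this PHP code block near the TOP of your page */
require_once "/system/lib/viewer_functions.php";

// Send a 404 and stop. Uses CMSB's dieWith404() when it is loaded; the
// fallback is plain PHP so the snippet also works outside CMSB.
function sendNotFound() {
    if (function_exists('dieWith404')) {
        dieWith404('Page not found!');
    }
    http_response_code(404);
    exit('Page not found!');
}

// Return the request value for $name, or '' if it was not submitted.
// Anything that is not a string, not valid UTF-8, or longer than
// $maxChars characters gets a 404. $maxChars should equal the field's
// "Max Length" setting in CMSB and the form's maxlength (35 here).
function getLimitedKeyword($name, $maxChars) {
    if (!isset($_REQUEST[$name])) {
        return '';                              // plain page load, no search
    }
    $value = $_REQUEST[$name];

    // ?title_keyword[]=x arrives as an array; never a valid keyword.
    if (!is_string($value)) {
        sendNotFound();
    }
    // strlen() counts bytes: "marchés publics" is 15 characters but 16 bytes,
    // so a byte-based limit would reject legitimate accented terms early.
    if (!mb_check_encoding($value, 'UTF-8') || mb_strlen($value, 'UTF-8') > $maxChars) {
        sendNotFound();
    }
    return $value;
}

// Run the check before getRecords() reads the same request parameter.
$titleKeyword = getLimitedKeyword('title_keyword', 35);

list($my_listRecords, $my_listMetaData) = getRecords(array(
    'tableName'     => 'my_list',
    'perPage'       => '100',
    'loadCreatedBy' => false,
));
?>
```

Because the check reads $_REQUEST, it covers both the POST form and hand-crafted GET requests like the bot example in the first post.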