0

I have a field on a real estate search form asking for Min to Max number of bedrooms. The PHP query extract to return the search results is;

//check bedrooms
if(!empty($_GET["room_no_min"]) && is_numeric($_GET["room_no_min"])){
     $query[] = "'No_Bedrooms' >= '".$_GET["room_no_min"]."'";
     $room_min_val = $_GET["room_no_min"];
}
if(!empty($_GET["room_no_max"])){
     $query[] = "'No_Bedrooms' <= '".$_GET["room_no_max"]."'";
     $room_max_val = $_GET["room_no_max"];
}

Which is fine, but I want it to take into account if someone enters the value 5 (min) to 2 (max) i.e. the other way round than they are suppose to. I don't want to use validation I'd rather the query could be something like from =>min(room_no_min,room_no_max) and <= max(room_no_min,room_no_max) but not sure how to re-write the query.

Naz
  • 900
  • 2
  • 10
  • 25
  • Please see http://stackoverflow.com/questions/60174/how-to-prevent-sql-injection-in-php – WouterH Mar 13 '13 at 15:57
  • Which database engine are you using? – Ares Mar 13 '13 at 15:57
  • I'm using PHP 5?Is that what you mean? – Naz Mar 13 '13 at 16:23
  • @WouterH I don't understand your response, what am I suppose to be looking at? – Naz Mar 13 '13 at 16:23
  • @Naz The code you posted is vulnerable to SQL injections. This is a pretty big deal, and you should do something to prevent it. – WouterH Mar 13 '13 at 16:24
  • @WouterH That link is irrelevant to the problem at hand. The SQL injection can be mitigated by the use of PDO or an ORM, which you dont know about. You just assummed the OP was using raw sql. (its a pretty good assumption, but it just confuses them more) – Husman Mar 13 '13 at 16:26
  • @WouterH What can I do to prevent SQL injection? – Naz Mar 13 '13 at 17:55

1 Answers1

2

Why dont you use the PHP max() and min() functions?

$room_min_val = min($_GET["room_no_min"], $_GET["room_no_max"]);
$room_max_val = max($_GET["room_no_min"], $_GET["room_no_max"]);

updated code:

if(!empty($_GET["room_no_min"]) && is_numeric($_GET["room_no_min"])){
     $room_min_val = $_GET["room_no_min"];
} // else throw an error maybe?
if(!empty($_GET["room_no_max"]) && is_numeric($_GET["room_no_max"])){
     $room_max_val = $_GET["room_no_max"];
} // else throw an error maybe?

$room_min_val = min($_GET["room_no_min"], $_GET["room_no_max"]);
$room_max_val = max($_GET["room_no_min"], $_GET["room_no_max"]);

$query[] = "'No_Bedrooms' >= '".$room_min_val."'";
$query[] = "'No_Bedrooms' <= '".$room_max_val."'";
Husman
  • 6,819
  • 9
  • 29
  • 47
  • I can't get it to work with the code .e.g $query[] = "'No_Bedrooms' >= '".$_GET["room_no_min"]."'"; maybe i put the dot/commas in the wrong place or something. – Naz Mar 13 '13 at 16:25
  • Your doing it wrong pal. See my updated code. And also do something about your SQL, it is quite insecure. – Husman Mar 13 '13 at 16:32
  • Thanks. I know what and SQL injection is but a) all the fields are drop downs, is it still susceptible and b) what can I do about it. – Naz Mar 13 '13 at 17:34
  • Yes dropdowns are susceptible. Anything sent from the client browser can be edited (i.e. using firebug or file->save-as or even by monitoring packets on the network and editing them). You need to look into using a more secure way of running sql queries using PHP. I would recommend PDO. – Husman Mar 14 '13 at 09:36