
I have a PHP/MySQL DB search. When I search for HTML code, like /hr> tags, it alters the page and creates /hr>'s. I'd also like to protect this from SQL injection, but I don't know how.

Can I add the real escape string somewhere? Or not?

<form action='trytosearch.php' method='GET'>
<center>
<h1>My Search Engine</h1>
<input type='text' size='90' name='search'><br><br>
<input type='submit' name='submit' value='Search here' ><br><br><br>
</center>
</form>


<?php

$button = $_GET ['submit'];
$search = $_GET ['search'];

if(!$button)
echo "you didn't submit a keyword";
else
{
if(strlen($search)<=1)
echo "Search term too short";
else{
// the raw search string is echoed straight into the page (the HTML problem described above)
echo "You searched for <b>$search</b> <hr size='1'><br>";
mysql_connect("localhost","me_abc","pass");
mysql_select_db("table");

$search_exploded = explode (" ", $search);

$x = 0;
$construct = "";
foreach($search_exploded as $search_each)
{
$x++;
// the WHERE clause is built by concatenating each raw term into the SQL text
if($x==1)
$construct .="keywords LIKE '%$search_each%'";
else
$construct .=" AND keywords LIKE '%$search_each%'";

}

$construct ="SELECT * FROM listoga_db WHERE $construct";
$run = mysql_query($construct);

$foundnum = mysql_num_rows($run);

if ($foundnum==0)
echo "Sorry, there are no matching results for <b>$search</b>.<br>";
else
{
echo "$foundnum results found !<p>";

while($runrows = mysql_fetch_assoc($run))
{
$title = $runrows ['title'];
$desc = $runrows ['description'];
$link = $runrows ['link'];

echo "
<a href='$link'><b>$title</b></a><br>
";

}
}

}
}

?>
  • possible duplicate of [How can I prevent SQL injection in PHP?](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) – Nanne Mar 16 '14 at 09:55

4 Answers

It would be used like this:

$search = mysql_real_escape_string($_GET ['search']);

But be aware that mysql_real_escape_string is deprecated as of PHP 5.5.0.

http://se2.php.net/manual/en/function.mysql-real-escape-string.php

Consider using PDO instead.

Victor Häggqvist

You can, but you should look into the MySQLi or PDO extension; the mysql_ extension has been deprecated.

Typically, it would be used as you are pulling data from $_GET or $_POST:

$button = mysql_real_escape_string( $_GET['submit'] );

Note: Before you can do this, you'll need to move your mysql_connect() call before you use mysql_real_escape_string() as it needs the connection resource before it will work.

Jason

Use this:

$search = mysql_real_escape_string(strip_tags($_GET['search']));

But I would suggest using MySQLi or PDO parameterized queries. They are much better protected.

If you want to show the tags, you can use htmlentities. That way you can be sure all the symbols in tags will be shown as symbols, and not as real HTML tags:

$search = htmlentities(mysql_real_escape_string($_GET['search']));
bksi
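The answer above mixes two different escapings into one value. As an added example that is not part of this page, the following PHP shows why output encoding has to happen at the point where a value is written into HTML, and why strip_tags() is not a substitute: a payload that breaks out of an attribute contains no `<` at all, so strip_tags() leaves it untouched. The markup mirrors the `<a href='$link'><b>$title</b></a>` line from the question; the sample values are constructed, and the function names are my own.

```php
<?php
// Added example: escape per output context, at the point of output.
declare(strict_types=1);

/** Escape for HTML text and for single- or double-quoted attribute values. */
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** The result row exactly as the question's code renders it (no escaping). */
function render_link_unsafe(string $link, string $title): string
{
    return "<a href='$link'><b>$title</b></a>";
}

/** Same markup with each value escaped for the context it lands in. */
function render_link_safe(string $link, string $title): string
{
    return "<a href='" . h($link) . "'><b>" . h($title) . "</b></a>";
}

// Constructed values, as they could sit in the link/title columns or be typed
// into the search box. The link payload has no '<', so strip_tags() keeps it.
$link  = "x' onmouseover='alert(1)";
$title = "<script>alert(2)</script>";

// strip_tags() returns $link unchanged: it only removes tags.
var_dump(strip_tags($link) === $link);            // bool(true)

echo render_link_unsafe(strip_tags($link), strip_tags($title)), "\n";
// <a href='x' onmouseover='alert(1)'><b>alert(2)</b></a>
// the attribute injection survives; only the <script> tags were removed

echo render_link_safe($link, $title), "\n";
// <a href='x&#039; onmouseover=&#039;alert(1)'><b>&lt;script&gt;alert(2)&lt;/script&gt;</b></a>
// the quote can no longer close the attribute, and the tags are shown as text
```

Keep the raw value for the database and encode only when rendering. Wrapping htmlentities() around mysql_real_escape_string() before the query also corrupts the search itself: a term such as `R&D` becomes `R&amp;D` inside the LIKE pattern and no longer matches the stored keyword.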
As opposed to the other answers, I would suggest putting the escaping as close to the DB query as possible. So do:

foreach($search_exploded as $search_each) {
    $search_each_esc = mysql_real_escape_string($search_each);
    $x++;
    if($x==1)
        $construct .="keywords LIKE '%$search_each_esc%'";
    else
        $construct .="AND keywords LIKE '%$search_each_esc%'";
}

Doing so, you have the correct data throughout your program run. And the escaping, which is closely related to DB interaction, will be kept close to the DB calls.

But, as the others said as well, this is deprecated. Use PDO or mysqli instead.

If you do so and use prepared statements, you likewise change only what you need, and keep that close to the DB interactions as well.

glglgl
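Putting both recommendations together (PDO, as Victor Häggqvist suggests, with the data handling kept next to the query, as this answer argues), here is an added example of the question's search rewritten with prepared statements. It is not code from the page; the table and column names `listoga_db`, `keywords`, `title`, `description` and `link` are taken from the question's query, the function names are mine, and the demo runs against an in-memory SQLite database (needs the pdo_sqlite extension) so it works offline; the commented MySQL DSN is what you would use in production. The example also escapes `%` and `_` in the terms, which prepared statements alone do not do, so a user typing `100%` searches for that literal text.

```php
<?php
// Added example: the search from the question, with PDO prepared statements.
declare(strict_types=1);

/**
 * Escape LIKE metacharacters so user text is matched literally.
 * Uses '!' as the escape character, declared with ESCAPE '!' in the query,
 * which works the same in MySQL and SQLite (MySQL string literals treat
 * a backslash specially, so '!' avoids a quoting trap).
 */
function escape_like(string $term): string
{
    return str_replace(['!', '%', '_'], ['!!', '!%', '!_'], $term);
}

/**
 * One "keywords LIKE ?" clause per whitespace-separated term, each term bound
 * as a parameter. The SQL text never contains user input; only the number of
 * placeholders depends on the input.
 */
function find_listings(PDO $db, string $search): array
{
    $terms = preg_split('/\s+/', trim($search), -1, PREG_SPLIT_NO_EMPTY);
    if ($terms === []) {
        return [];
    }
    $clauses = array_fill(0, count($terms), "keywords LIKE ? ESCAPE '!'");
    $sql = 'SELECT title, description, link FROM listoga_db WHERE '
         . implode(' AND ', $clauses);
    $stmt = $db->prepare($sql);
    foreach ($terms as $i => $term) {                 // positional params are 1-based
        $stmt->bindValue($i + 1, '%' . escape_like($term) . '%', PDO::PARAM_STR);
    }
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

/** HTML-escape at output time; queries and storage keep the raw value. */
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Offline demo database (SQLite stand-in). For MySQL:
// $db = new PDO('mysql:host=localhost;dbname=table;charset=utf8mb4', 'me_abc', 'pass',
//     [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, PDO::ATTR_EMULATE_PREPARES => false]);
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE listoga_db (keywords TEXT, title TEXT, description TEXT, link TEXT)');
$ins = $db->prepare('INSERT INTO listoga_db VALUES (?, ?, ?, ?)');
// Constructed sample rows.
$ins->execute(['php mysql tutorial', 'PHP & MySQL', 'intro', 'http://example.com/1']);
$ins->execute(['100% cotton', "O'Neil's shirts", 'clothing', 'http://example.com/2']);
$ins->execute(['html css', 'Web design', 'intro', 'http://example.com/3']);

// Constructed searches: a normal one, a wildcard character, an injection
// attempt and some markup. None of them changes the query's structure.
foreach (['php mysql', '100%', "' OR '1'='1", '<b>html</b>'] as $search) {
    $rows = find_listings($db, $search);
    echo 'You searched for <b>' . h($search) . '</b>: ' . count($rows) . " result(s)\n";
    foreach ($rows as $r) {
        echo "  <a href='" . h($r['link']) . "'><b>" . h($r['title']) . "</b></a>\n";
    }
}
// 'php mysql' -> 1 result, '100%' -> 1 result (the literal "100%" row only),
// "' OR '1'='1" -> 0 results, '<b>html</b>' -> 0 results
```

With mysqli the same shape applies: prepare the statement with `?` placeholders, then bind every term with `bind_param()` using a type string of `'s'` repeated once per term. Either way the caller hands raw user input to one function, and all escaping decisions live beside the query, which is the point this answer makes.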