-2

I was just wondering if anyone knew any good ways to prevent SQL injections on this code. The last thing I want is someone hacking my database. I am fairly new to this and would like to hear expert opinions. Thanks.

<?php
    $input = $_GET['input']; // Note to self: $input is the name of the search field
    $terms = explode(" ", $input);
    $query = "SELECT * FROM content WHERE ";

    $i = 0; // was never initialised; PHP emits an "undefined variable" notice on the first $i++
    foreach ($terms as $each) {
        $i++;
        // $each is pasted straight into the SQL string: this is the injection
        // point the question asks about (a quote in the search text ends the literal)
        if ($i == 1)
            $query .= "keywords LIKE '%$each%' ";
        else
            $query .= "OR keywords LIKE '%$each%' ";
    }

    // connecting to our mysql database
    mysql_connect("localhost", "username", "password");
    mysql_select_db("database");

    $result  = mysql_query($query);
    $numrows = mysql_num_rows($result);

    if ($numrows > 0) {
        $i = 0;
        while ($row = mysql_fetch_assoc($result)) {
            $i++;

            $id          = $row['id'];
            $title       = $row['title'];
            $description = $row['description'];
            $keywords    = $row['keywords'];
            $link        = $row['link'];
            $plink       = $row['plink'];
            $views       = $row['views'];

            // one cell per result (attribute quoting and <a>/<b> nesting fixed)
            echo '<td valign="top" width="248" height="100%">
            <table width="100%" border="0">
             <tr>
                 <td align="center" valign="top">
                 <a href="'.$link.'"><img src="'.$plink.'" width="200" height="151" vspace="5" /></a>
                 <br><a href="'.$link.'"><b>'.$title.'</b></a>
                 <br><strong><span style="line-height:20px">Total views: '.$views.'</span></strong>
                 </td>
              </tr>
             </table>
             </td>';

            // start a new table row after every third result
            if ($i == 3) {
                echo '</tr><tr>';
                $i = 0;
            }
        }
    }
    else
        // escape the reflected search text so it cannot inject HTML into the page
        echo "No results found for \"<b>" . htmlspecialchars($input) . "</b>\"";

    // disconnect
    mysql_close();
?>
user3349271
    [**Please, don't use `mysql_*` functions in new code**](http://bit.ly/phpmsql). They are no longer maintained [and are officially deprecated](http://j.mp/XqV7Lp). See the [**red box**](http://j.mp/Te9zIL)? Learn about [*prepared statements*](http://j.mp/T9hLWi) instead, and use [PDO](http://php.net/pdo) or [MySQLi](http://php.net/mysqli) - [this article](http://j.mp/QEx8IB) will help you decide which. If you choose PDO, [here is a good tutorial](http://j.mp/PoWehJ). – AyB Feb 25 '14 at 05:38
  • check here http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php?rq=1 – krishna Feb 25 '14 at 05:38
  • Use PDO with [parameterized](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php?rq=1) query. – Rikesh Feb 25 '14 at 05:39

1 Answer

0
  1. First of all, do not use mysql_* functions like mysql_query, mysql_connect etc.

  2. Use mysqli or PDO. As you are getting data from the user, always use prepared statements, as pointed out by @I Can Has Cheezburger.

docs link: http://php.net/manual/en/book.pdo.php

If you are still using mysql_* functions, then use mysql_real_escape_string and htmlentities.

But the recommended approach is to switch to mysqli or PDO with prepared statements.

Tutorials: http://code.tutsplus.com/tutorials/why-you-should-be-using-phps-pdo-for-database-access--net-12059

Maz I
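As an added example (not code from the original poster or from the answer above), here is the keyword search from the question rewritten the way the answer recommends: PDO, one prepared statement with a placeholder per search term, and HTML escaping on output. In the question's code each `$each` is spliced into the SQL string, so a term containing a single quote ends the `'%...%'` literal and whatever follows is parsed as SQL; with placeholders the terms travel to the server separately from the statement text and are never parsed as SQL. The table and column names are the ones used in the question; the DSN, username and password are placeholders, and the `buildKeywordSearch` and `h` helpers are names chosen for this example.

```php
<?php
// Added example: the question's search with PDO prepared statements.
// Assumes a table `content` with columns id, title, description, keywords,
// link, plink, views (as in the question). DSN and credentials are placeholders.
declare(strict_types=1);

// Build the WHERE clause from the search terms using placeholders only.
// Returns [$sql, $params]; the user's text never becomes part of the SQL string.
function buildKeywordSearch(string $input, int $maxTerms = 10): array
{
    $columns = 'id, title, description, keywords, link, plink, views';

    // Split on any whitespace, drop empty pieces, and cap the term count so a
    // long query string cannot produce an arbitrarily large OR chain.
    $terms = preg_split('/\s+/', trim($input), -1, PREG_SPLIT_NO_EMPTY);
    $terms = array_slice($terms, 0, $maxTerms);

    if ($terms === []) {
        return ["SELECT $columns FROM content WHERE 0", []];
    }

    $clauses = [];
    $params  = [];
    foreach ($terms as $n => $term) {
        $name      = ":t$n";
        $clauses[] = "keywords LIKE $name";
        // Escape LIKE metacharacters (MySQL's default escape character is the
        // backslash) so a search for "100%" matches that literal text; the
        // surrounding wildcards are added here, not taken from the user.
        $escaped       = strtr($term, ['\\' => '\\\\', '%' => '\\%', '_' => '\\_']);
        $params[$name] = '%' . $escaped . '%';
    }

    $sql = "SELECT $columns FROM content WHERE " . implode(' OR ', $clauses);
    return [$sql, $params];
}

// Output escaping: everything that came from the database or the request is
// HTML-escaped before it is echoed, which closes the reflected-XSS hole in the
// original "No results found" line.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

$pdo = new PDO('mysql:host=localhost;dbname=database;charset=utf8mb4', 'username', 'password', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
]);

$input = $_GET['input'] ?? '';
[$sql, $params] = buildKeywordSearch($input);

$stmt = $pdo->prepare($sql);
$stmt->execute($params);
$rows = $stmt->fetchAll(PDO::FETCH_ASSOC);

if ($rows === []) {
    echo 'No results found for "<b>' . h($input) . '</b>"';
} else {
    foreach ($rows as $row) {
        echo '<td valign="top" width="248">'
           . '<a href="' . h($row['link']) . '">'
           . '<img src="' . h($row['plink']) . '" width="200" height="151" />'
           . '<br><b>' . h($row['title']) . '</b></a>'
           . '<br>Total views: ' . h((string) $row['views'])
           . '</td>';
    }
}
```

With `PDO::ATTR_EMULATE_PREPARES` set to `false` the statement text is sent to MySQL once and the parameters are bound on the server, so the driver never has to quote them client-side. The `WHERE 0` branch for an empty search keeps the statement shape constant instead of building a different query when there are no terms, and the term cap bounds the size of the `OR` chain a single request can generate.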