
This site has me all paranoid about SQL injection. As far as I can notice, this search has prepared statements and is MySQLi, but could it still be injectable?

thanks

<?php

// Read the search term from the query string and drop surrounding whitespace.
$searchTerm = trim($_GET['keyname']);

if($searchTerm == "")
{
    echo "Enter name you are searching for.";
    exit();
}

$host = "localhost";
$db = "DB";
$user = "user";
$pwd = "pass";

$link = mysqli_connect($host, $user, $pwd, $db);

// The search term is interpolated directly into the SQL string
// (no escaping and no bound parameter).
$query = "SELECT * FROM TABLE WHERE Name LIKE '%$searchTerm%'";

$results = mysqli_query($link, $query);

if(mysqli_num_rows($results) >= 1)
{
    $output = "";
    while($row = mysqli_fetch_array($results))
    {
        // Build one cell per matching row and collect it in $output
        // (the original echoed directly and never closed the <a> tag).
        $output .= "<td align='center' width='60'>" . "<a href=\"{$row['page']}\"><img src=\"{$row['img']}\"></a>" . "</td>";
    }
    echo $output;
}
else
    echo "There was no matching record for the name " . $searchTerm;
?>

1 Answer


Yes. You have not done anything to filter the $searchTerm variable, which means that any code someone inserts into the URL could be executed within the SQL statement. You can use mysqli_real_escape_string to escape the variable.

$searchTerm = mysqli_real_escape_string($link, $_GET['keyname']);

See http://www.w3schools.com/php/func_mysqli_real_escape_string.asp for reference.

James Walker
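For comparison, here is the same search from the question rewritten with a mysqli prepared statement, the approach the asker assumed was already in place. This is an added example, not code from the question or the answer: the table and column names (TABLE, Name, page, img) and the connection values are taken from the question, while the function names (likePattern, searchByName, renderCell) are this example's own. It also escapes the LIKE wildcards in the user's term and HTML-encodes every value before echoing it, which the original script did not do.

```php
<?php
declare(strict_types=1);

// Throw on SQL errors instead of silently returning false from mysqli calls.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

/**
 * Turn a user-supplied term into a LIKE pattern. "%" and "_" typed by the
 * user are escaped so they match themselves; the surrounding "%" wildcards we
 * actually want are added here, as data, never to the SQL text. "!" is the
 * escape character and is declared in the query with ESCAPE '!'.
 */
function likePattern(string $term): string
{
    $escaped = str_replace(['!', '%', '_'], ['!!', '!%', '!_'], $term);
    return '%' . $escaped . '%';
}

/**
 * Run the search with a bound parameter. The term travels to the server
 * separately from the statement, so its content cannot change the SQL.
 * Returns rows as arrays with 'page' and 'img' keys.
 */
function searchByName(mysqli $link, string $searchTerm): array
{
    $stmt = $link->prepare("SELECT page, img FROM `TABLE` WHERE Name LIKE ? ESCAPE '!'");
    $pattern = likePattern($searchTerm);
    $stmt->bind_param('s', $pattern);   // 's' = string parameter
    $stmt->execute();
    // bind_result/fetch works without the mysqlnd driver, unlike get_result().
    $stmt->bind_result($page, $img);
    $rows = [];
    while ($stmt->fetch()) {
        $rows[] = ['page' => $page, 'img' => $img];
    }
    $stmt->close();
    return $rows;
}

/**
 * Render one result cell. Values coming from the database are HTML-encoded
 * before being placed in attributes, so stored data cannot break the markup.
 */
function renderCell(array $row): string
{
    $href = htmlspecialchars($row['page'], ENT_QUOTES, 'UTF-8');
    $src  = htmlspecialchars($row['img'], ENT_QUOTES, 'UTF-8');
    return "<td align='center' width='60'><a href=\"$href\"><img src=\"$src\"></a></td>";
}

$searchTerm = trim($_GET['keyname'] ?? '');
if ($searchTerm === '') {
    echo "Enter name you are searching for.";
    exit();
}

// Connection values as given in the question.
$link = new mysqli("localhost", "user", "pass", "DB");
$link->set_charset('utf8mb4');   // make the connection charset explicit

$rows = searchByName($link, $searchTerm);
if ($rows === []) {
    // The reflected search term is encoded too, not echoed raw as in the original.
    echo "There was no matching record for the name "
        . htmlspecialchars($searchTerm, ENT_QUOTES, 'UTF-8');
} else {
    echo '<table><tr>';
    foreach ($rows as $row) {
        echo renderCell($row);
    }
    echo '</tr></table>';
}
```

The difference from escaping with mysqli_real_escape_string is that a prepared statement never builds the SQL text from user input at all, so there is no quoting step to get wrong. The `ESCAPE '!'` clause is a separate concern: without it a term such as `%` would match every row, which is a wildcard-abuse issue rather than an injection, but it is cheap to close at the same time.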