-1

I'm building a search function for a website. What I don't like is that if I enter some special symbols Like < or > or % or others in the search box it prints out the whole database content even if there are no such symbols in the search entries. What should I do so the search outputs only entries which contains the special symbol. And not the all entries which database contains.

Code: 

    mysql_connect("localhost","root","") or die(mysql_error());
    mysql_select_db("database") or die(mysql_error());;
    $output = '';

    if(isset($_POST['search'])) {
      $searchq = $_POST['search'];
      $searchq = preg_replace("#[^0-9a-z]#i","",$searchq);

      $query = mysql_query("SELECT * FROM users WHERE firstname LIKE '%$searchq%' OR lastname LIKE '%$searchq%'") or die("Could not search!");
      $count = mysql_num_rows($query);
      if ($count == 0) {
        $output = 'There was no search results!';
      } else {
        while($row = mysql_fetch_array($query)) {
            $fname = $row['firstname'];
            $lname = $row['lastname'];
            $id = $row['id'];

            $output .= '<div>'.$fname.' '.$lname.'</div>';
        }

      }
    }
    ?>
    <html>
    <head>
    <title>Search</title>
    </head>

    <body>
    <div id="top">
    <form action="search3.php" method="post">
      <input type="text" name="search" placeholder="Search here" />
      <input type="submit" value=">>" />
    </form>
    </div>
    <div id="top2">
      <?php print("$output"); ?>
    </div>
    </body>
    </html>

Edited. I tried to sanitize, it still don't work as planed.

    function sanitize($data) {
      return htmlentities(strip_tags(mysql_real_escape_string($data)));
    }

    $searchq = sanitize($_POST['search']);
user3284181
  • 17
  • 1
  • 5
  • `$safeSearch = mysql_real_escape_string($unsafeSearch);` should work – Epodax Aug 12 '15 at 10:28
  • Don't pass PHP variables verbatim into SQL queries. As Chayan said, this code is open to SQL injection. – jonbaldie Aug 12 '15 at 10:52
  • maybe interesting? MySQL `like`? [How to escape literal percent sign when NO_BACKSLASH_ESCAPES option is enabled](http://stackoverflow.com/questions/5020130/how-to-escape-literal-percent-sign-when-no-backslash-escapes-option-is-enabled). – Ryan Vincent Aug 12 '15 at 11:35

1 Answers1

1

That you are vulnerable to sql injection. You should use mysqli_ or pdo. For instance you can use mysql_real_escape_string() to avoid this [Though it is not recommended].

$searchq = mysql_real_escape_string($_POST['search']);

Edited: If you sanitize your input and it returns empty string (""), than your query will be :

SELECT * FROM users WHERE firstname LIKE '%%' OR lastname LIKE '%%'

Which will always prints out the whole database content. So check your input variable $searchq after sanitize. If it contains anything than you can perform your query like that:

if(strlen($searchq) > 0)
{
  //run query
}
else{
   //error message
}
Al Amin Chayan
  • 2,460
  • 4
  • 23
  • 41
  • It's something else. It doesn't work like expected. Even when I sanitize it still outputs full database content. – user3284181 Aug 12 '15 at 10:36
  • `mysql_real_escape_string` does not escape `%` characters. If you want `%` to literally mean a percent sign (and not a wildcard), then you need to insert it as `\%` into your query to begin with. – CBroe Aug 12 '15 at 10:49