2

I have been making a search engine for my website and just got it completed. I am using an AJAX request to search the database and wanted to know how I can make it safe from any injections?

Search.ajax.php

    <?php
    $db = new mysqli('localhost', 'root', 'root', 'social');
    // Search term taken directly from the POST body
    $search = $_POST['search'];

    // The term is concatenated into the SQL string as-is
    $query = mysqli_query($db, 'SELECT * FROM users WHERE username LIKE "'.$search.'"');

    if (mysqli_num_rows($query) < 1) {
        // The term is echoed back into the page as-is
        echo "<b>No results found for <i>".$search."</i></b>";
    } else {
        while ($r = mysqli_fetch_assoc($query)) {
            $user = $r['username'];
            echo '<div>Go to <a href="profile.php?user='.$user.'">'.$user.'</a></div>';
        }
    }
    ?>

I am searching the database for users that have the username of what they put in the search box. I need help making it so no one can search alert(test); if they search this, it will show up an alert box. Here is an example of it. Here is a photo of when someone puts in script tags.

Hanky Panky
Tyler Obier

1 Answer

0

Firstly, you will need HTTPS to make sure you protect users from hackers by using firewalls and other required security tools.

Secondly, you need to use htaccess to change extensions, say show user .html instead of .php

Thirdly, encrypted values instead of plain text.

There are a lot more issues to take care of but it's too complex and broad.

Manikiran
  • Thank you, I will start fixing these issues now – Tyler Obier Nov 28 '15 at 18:06
  • You have to do none of this. Nothing in this answer prevents SQL injection. – Hanky Panky Nov 29 '15 at 04:22
  • @Hanky웃Panky Encryption of post values before comparing to db values is a very secure way of preventing SQL injection. This clearly shows you have no knowledge in this field. – Manikiran Nov 29 '15 at 05:43
  • Nope it is not. How can you encrypt values in JavaScript anyways? Any example? And SQL injection has nothing to do with encryption. Their code will still be as prone to injection even after encryption. And I might not know anything but this post does: http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php You might want to go through that. And also there is no need to take any offence or get personal. I just added a comment to enlighten future readers about what I believe is the right way. Maybe if you visit that post it will also help you. Down-vote isn't mine either – Hanky Panky Nov 29 '15 at 08:54
  • False sense of security is worse than having no security – Hanky Panky Nov 29 '15 at 08:59
  • 1
    @Hanky웃Panky Encryption is always done at server side not client side, i.e., in PHP not in JS. Anyways, once you encrypt the post values, say `md5($_POST["search"])`, there is no way SQL injection can happen. For example, if the user enters `1") or 1=1 ("1` as the query, it will be encrypted before execution with database. It will become something like "asjhas6agsdsdusdjds234ds" which is a very secure way to check. – Manikiran Nov 29 '15 at 09:00
  • MD5 is not even encryption, it's old school hashing. However, even if it was encryption this logic is flawed, but since you are sticking to your knowledge there is no point in an argument. That will not even work in this query. Go ahead, try it: if you can write a simple search query in this answer that uses MD5 for security and also uses LIKE comparison correctly, I will bite my words and award you 100 reputation as a bounty. So if I search for ***anik*** it should also return ***manikiran*** because of LIKE. Forget 100, I will award you 200. – Hanky Panky Nov 29 '15 at 16:26
  • Let's make it 300 reputation now. An extra 100 for the person who up-voted that comment. – Hanky Panky Nov 30 '15 at 13:28
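
Parameter binding plus output encoding applied to the search from the question, as an added example that is not code from any poster in this thread. It assumes an in-memory SQLite database through PDO with constructed usernames so it runs offline; `searchUsers` and `renderResults` are hypothetical helper names, and with mysqli the same query goes through `prepare` and `bind_param`.

```php
<?php
// Added example: constructed data in an in-memory SQLite database (assumption).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT)');
$ins = $db->prepare('INSERT INTO users (username) VALUES (?)');
foreach (['manikiran', 'tyler', 'a%b'] as $name) {
    $ins->execute([$name]);
}

// Substring search: the term is bound as a parameter, never concatenated into SQL.
function searchUsers(PDO $db, string $term): array
{
    // Escape LIKE metacharacters so a typed % or _ matches literally.
    // '!' is the escape character; it must be doubled first.
    $escaped = str_replace(['!', '%', '_'], ['!!', '!%', '!_'], $term);
    $stmt = $db->prepare("SELECT username FROM users WHERE username LIKE ? ESCAPE '!'");
    $stmt->execute(['%' . $escaped . '%']);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Output: encode separately for the HTML text context and the URL parameter.
function renderResults(array $users, string $term): string
{
    if (!$users) {
        $safeTerm = htmlspecialchars($term, ENT_QUOTES, 'UTF-8');
        return '<b>No results found for <i>' . $safeTerm . '</i></b>';
    }
    $html = '';
    foreach ($users as $u) {
        $text = htmlspecialchars($u, ENT_QUOTES, 'UTF-8');
        $href = 'profile.php?user=' . rawurlencode($u);
        $html .= '<div>Go to <a href="' . $href . '">' . $text . '</a></div>';
    }
    return $html;
}

// Constructed search terms: a substring, the quote-breaking input quoted in the
// comments, script tags as in the question, and a bare LIKE wildcard.
$terms = ['anik', '1") or 1=1 ("1', '<script>alert(test);</script>', '%'];
foreach ($terms as $term) {
    echo renderResults(searchUsers($db, $term), $term), "\n";
}
```

The substring term still finds `manikiran` through `LIKE`, the quote-breaking and script-tag inputs come back only as encoded text in the "No results" message, and the bare `%` matches only the username that contains a literal percent sign.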