0

I have a search result page like this

<?php
error_reporting(0);            // hides all errors and notices, including mistakes in the code below
include("config_mashin.php");  // defines $connect (mysqli link)
$group  = $_GET['group'];
$name   = $_GET['name'];
$tip    = $_GET['tip'];
$model  = $_GET['model'];
$price1 = $_GET['price1'];

// map the price drop-down value to a range clause
// (lower bounds of cases 3-7 had an extra zero in the original; corrected so the ranges are contiguous)
if (!empty($price1)) {
  switch ($price1) {
  case 1  :  $price1 = " AND `price` BETWEEN 0.00 AND 10000000.00 ";  break;
  case 2  :  $price1 = " AND `price` BETWEEN 10000001.00 AND 20000000.00 ";  break;
  case 3  :  $price1 = " AND `price` BETWEEN 20000001.00 AND 30000000.00 ";  break;
  case 4  :  $price1 = " AND `price` BETWEEN 30000001.00 AND 40000000.00 ";  break;
  case 5  :  $price1 = " AND `price` BETWEEN 40000001.00 AND 50000000.00 ";  break;
  case 6  :  $price1 = " AND `price` BETWEEN 50000001.00 AND 70000000.00 ";  break;
  case 7  :  $price1 = " AND `price` BETWEEN 70000001.00 AND 100000000.00 ";  break;
  case 8  :  $price1 = " AND `price` BETWEEN 100000001.00 AND 150000000.00 ";  break;
  case 9  :  $price1 = " AND `price` BETWEEN 150000001.00 AND 200000000.00 ";  break;
  case 10 :  $price1 = " AND `price` > 200000000.00 ";  break;
  }
}

// map the model drop-down value to a range clause
if (!empty($model)) {
  switch ($model) {
  case 1  :  $model = " AND `model` BETWEEN 1375.00 AND 1380.00 ";  break;
  case 2  :  $model = " AND `model` BETWEEN 1381.00 AND 1385.00 ";  break;
  case 3  :  $model = " AND `model` BETWEEN 1386.00 AND 1390.00 ";  break;
  case 4  :  $model = " AND `model` BETWEEN 1391.00 AND 1395.00 ";  break;
  }
}

// request values are concatenated straight into the SQL text
$quer = "SELECT * FROM `caracter` WHERE
           `name` LIKE '%".$name."%'
      AND `tip` LIKE '%".$tip."%'
      AND `group` LIKE '%".$group."%'".$model.$price1;

$query = mysqli_query($connect, $quer)
or die(mysqli_error($connect));
?>
<?php while ($row = mysqli_fetch_array($query)):
echo "to simplify the code I don't write this part"; ?>
<?php endwhile; ?>

In the above code, based on the user who selects a price or model range and a car name and group, the best results will be shown for him or her. It works fine, but I want to know how I can protect it from SQL injection. Please help me.

Malekian
  • 315
  • 8
  • 27
  • 1
    Possible duplicate of [How can I prevent SQL-injection in PHP?](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) – Wicher Visser Jun 05 '16 at 09:44

2 Answers

0

I'm not sure what your $mysqli looks like, so I'm taking the default one (example #1). Just escape these variables:

$group = $mysqli->real_escape_string($_GET['group']);
$name = $mysqli->real_escape_string($_GET['name']);
$tip = $mysqli->real_escape_string($_GET['tip']);

Since $price1 and $model are overwritten by your new string, they can't be altered by the user, but I would still recommend using a default: option too (in case another value is received).

I don't know if I have missed anything else but I think that's all you need for now.

Gynteniuxas
  • 7,035
  • 18
  • 38
  • 54
  • Thank you very much for your answer. Price and model are two drop-down lists from which the user can select certain options. Thus I think I don't need to modify them? – Malekian Jun 05 '16 at 10:22
  • From what I can see, and as I have already said, you're overwriting the values so the user has no option to inject something here. I don't think you need to do anything with `$price1` and `$model`. If you think that helped (or maybe answered too), please don't forget to upvote/mark as solution so that others can see it too. If you have any additional questions, I think you can ask them here. :) – Gynteniuxas Jun 05 '16 at 10:49
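The answer above recommends adding a `default:` branch to the price and model switches. The following is an added example, not code from the question or from the answerer, showing why that matters: the switch only reassigns `$price1` when a `case` matches, so for any other value the raw `$_GET['price1']` string survives and is concatenated onto the end of the query. The two-case table, the base query and the attack string are constructed for the demonstration.

```php
<?php
// Added example: why the switch on $price1 needs a default branch.
// The shortened two-case table, base query and attack string are constructed here.

// Same shape as the question's code: only a matching case reassigns $price1.
function price_clause_original($price1)
{
    if (!empty($price1)) {
        switch ($price1) {
            case 1: $price1 = " AND `price` BETWEEN 0.00 AND 10000000.00 "; break;
            case 2: $price1 = " AND `price` BETWEEN 10000001.00 AND 20000000.00 "; break;
            // no default: an unmatched value leaves $price1 exactly as the user sent it
        }
    }
    return $price1;
}

// Whitelist lookup: the request value only selects a key; anything that is
// not one of the known keys (including non-numeric text) yields an empty clause.
function price_clause_fixed($price1)
{
    static $ranges = [
        1 => " AND `price` BETWEEN 0.00 AND 10000000.00 ",
        2 => " AND `price` BETWEEN 10000001.00 AND 20000000.00 ",
    ];
    return $ranges[(int) $price1] ?? '';
}

// A request value that matches no case, e.g. ?price1=%20OR%201%3D1
// No quote is needed: $price1 is appended after a complete LIKE '%...%' literal.
$attack = " OR 1=1";
$base   = "SELECT * FROM `caracter` WHERE `name` LIKE '%Peugeot%'";

echo "original: ", $base . price_clause_original($attack), PHP_EOL;
echo "fixed:    ", $base . price_clause_fixed($attack), PHP_EOL;
```

With the original switch the attacker's text is appended verbatim, giving `... LIKE '%Peugeot%' OR 1=1`, a valid query that returns every row of `caracter` regardless of the name filter; with the lookup the clause is empty and the base query runs unchanged. The same pass-through applies to `$model`.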
0

Use mysqli_real_escape_string on all variables

$group = mysqli_real_escape_string($db, $_GET["group"]);

http://php.net/manual/en/mysqli.real-escape-string.php

The recommended way to prevent SQL injection is prepared statements.

FryMan
  • 1
  • 1
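As an added example that is not part of the question or either answer, here is the search page rewritten with a mysqli prepared statement, which is the approach both answers point to. It assumes, as the question's code suggests, that config_mashin.php defines `$connect` as a mysqli connection, and that the mysqlnd driver is available so that `get_result()` works. The drop-down values become keys into fixed tables (with the lower bounds of price cases 3 to 7 corrected so the ranges are contiguous), and the three free-text fields are bound as parameters instead of being concatenated.

```php
<?php
// Added example (not the question's code nor either answer's): the search page
// with a mysqli prepared statement. Assumes config_mashin.php defines $connect
// as a mysqli connection and that mysqlnd is available for get_result().
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw instead of silently failing
include 'config_mashin.php';

// Drop-down values are only keys into these tables; the SQL text never comes
// from the request. Unknown keys fall through to an empty clause.
function price_clause($raw): string
{
    static $ranges = [
        1  => ' AND `price` BETWEEN 0.00 AND 10000000.00 ',
        2  => ' AND `price` BETWEEN 10000001.00 AND 20000000.00 ',
        3  => ' AND `price` BETWEEN 20000001.00 AND 30000000.00 ',
        4  => ' AND `price` BETWEEN 30000001.00 AND 40000000.00 ',
        5  => ' AND `price` BETWEEN 40000001.00 AND 50000000.00 ',
        6  => ' AND `price` BETWEEN 50000001.00 AND 70000000.00 ',
        7  => ' AND `price` BETWEEN 70000001.00 AND 100000000.00 ',
        8  => ' AND `price` BETWEEN 100000001.00 AND 150000000.00 ',
        9  => ' AND `price` BETWEEN 150000001.00 AND 200000000.00 ',
        10 => ' AND `price` > 200000000.00 ',
    ];
    return $ranges[(int) $raw] ?? '';
}

function model_clause($raw): string
{
    static $ranges = [
        1 => ' AND `model` BETWEEN 1375.00 AND 1380.00 ',
        2 => ' AND `model` BETWEEN 1381.00 AND 1385.00 ',
        3 => ' AND `model` BETWEEN 1386.00 AND 1390.00 ',
        4 => ' AND `model` BETWEEN 1391.00 AND 1395.00 ',
    ];
    return $ranges[(int) $raw] ?? '';
}

// Wrap a search term for LIKE. A bound parameter cannot break out of the string
// literal, but % and _ are still wildcards inside it, so escape them as well
// (MySQL's default LIKE escape character is the backslash).
function like_term(string $term): string
{
    return '%' . addcslashes($term, '%_\\') . '%';
}

function search(mysqli $db, array $get): array
{
    $name  = like_term((string) ($get['name']  ?? ''));
    $tip   = like_term((string) ($get['tip']   ?? ''));
    $group = like_term((string) ($get['group'] ?? ''));

    // Placeholders for the free-text fields; range clauses come from the
    // fixed tables above, never from the request.
    $sql = 'SELECT * FROM `caracter`'
         . ' WHERE `name` LIKE ? AND `tip` LIKE ? AND `group` LIKE ?'
         . model_clause($get['model'] ?? 0)
         . price_clause($get['price1'] ?? 0);

    $stmt = $db->prepare($sql);
    $stmt->bind_param('sss', $name, $tip, $group); // values are sent separately from the SQL
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}

foreach (search($connect, $_GET) as $row) {
    // render $row here, as in the original while loop
}
```

Without mysqlnd, `get_result()` is unavailable; bind the columns with `bind_result()` and loop over `fetch()` instead. Note that escaping the `%` and `_` wildcards is a correctness measure, not an injection fix: the prepared statement alone already stops a search term from altering the query structure.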