
I am working on a search bar which searches in a SQLSRV database. I cannot use the sanitization method for MySQL since SQLSRV doesn't have such a thing. So, after looking on the internet, I used a few techniques, mostly from W3Schools. Now, I don't know if they are old or hackable, or even valid. To submit the form I've used this markup:

    <form action="<?php echo htmlspecialchars('cautare.php');?>" method="post" id="formular" name="formular">

in the hope that a hacker won't be able to introduce code in the link to execute it. Then, in the PHP:

    <?php
    $search = "";
    if ($_SERVER["REQUEST_METHOD"] == "POST") {
        $search = test_input($_POST["search"]);
    }
    function test_input($data) {
        $data = trim($data);
        $data = stripslashes($data);
        $data = htmlspecialchars($data);
        return $data;
    }

This part is from W3Schools and it seems safe enough, after I've read their explanation a couple of times. I've done all this to protect from a SQL injection attack, since I'm using this code to search the database:

    WHERE den_produs LIKE '%{$search}%'

I'd like to know if there is a better way of doing this and what I am doing wrong.

Thanks a lot for your time!

TakeDown
  • Take a look at PDO: http://php.net/manual/en/book.pdo.php – maio290 May 01 '18 at 13:48
  • http://www.phptherightway.com/#databases – aletzo May 01 '18 at 13:50
  • For the first sample, you don't need to run `htmlspecialchars` over a hard-coded string, that's not providing any benefit at all. It's only useful for displaying user submitted data without rendering it as HTML. For the second, as everyone has already said, just use PDO. trim, stripslashes and htmlspecialchars are not sanitisation functions, they'll just end up losing information from the original submission. As an addendum, w3schools is... not great. – iainn May 01 '18 at 13:51
  • Or the SQLSRV-specific param method: http://php.net/manual/en/function.sqlsrv-prepare.php – Jared Farrish May 01 '18 at 13:52
  • If you don't want to switch to PDO you can also use [mysqli_real_escape_string](https://secure.php.net/manual/en/mysqli.real-escape-string.php) – Jonathan Lafleur May 01 '18 at 13:52
  • I cannot use PDO because I am not using MySQL, I am using MS SQL with the SQLSRV driver. Or can I use PDO with that as well? – TakeDown May 01 '18 at 13:55
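As an added example (not code from the question or from any of the comments), this is the same product search written with a bound parameter through `sqlsrv_prepare`, as the comments suggest, instead of concatenating `$search` into the SQL text. The connection values, the table name `produse` and the `likeTerm` helper are assumptions for the example.

```php
<?php
// Added example, not from the question: parameterised SQLSRV search.
// Connection values are placeholders; adjust for your server.
$conn = sqlsrv_connect('SERVER_PLACEHOLDER', [
    'Database' => 'DB_PLACEHOLDER',
    'UID'      => 'USER_PLACEHOLDER',
    'PWD'      => 'PASSWORD_PLACEHOLDER',
]);
if ($conn === false) {
    die(print_r(sqlsrv_errors(), true));
}

// Vulnerable form from the question: the search term becomes part of the
// SQL text, so a quote inside it changes the statement's structure.
// $sql = "... WHERE den_produs LIKE '%{$search}%'";

// Wrap the term in wildcards and escape LIKE metacharacters ('%', '_', '[')
// so a user typing them searches for them literally. '!' is our escape char.
function likeTerm(string $term): string
{
    $escaped = str_replace(['!', '%', '_', '['], ['!!', '!%', '!_', '!['], $term);
    return '%' . $escaped . '%';
}

$search = '';
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $search = trim($_POST['search'] ?? '');
}
$term = likeTerm($search);

// The term travels as a bound parameter (?), never inside the SQL string,
// so it cannot alter the query. Table name 'produse' is assumed.
// sqlsrv_prepare binds by reference; the value is read at execute time.
$sql  = "SELECT den_produs FROM produse WHERE den_produs LIKE ? ESCAPE '!'";
$stmt = sqlsrv_prepare($conn, $sql, [&$term]);
if ($stmt === false || sqlsrv_execute($stmt) === false) {
    die(print_r(sqlsrv_errors(), true));
}

while ($row = sqlsrv_fetch_array($stmt, SQLSRV_FETCH_ASSOC)) {
    // htmlspecialchars belongs here, when rendering output, not before the query.
    echo htmlspecialchars($row['den_produs'], ENT_QUOTES, 'UTF-8'), "<br>\n";
}
sqlsrv_free_stmt($stmt);
sqlsrv_close($conn);
```

The same pattern works with the `pdo_sqlsrv` driver (`new PDO("sqlsrv:Server=...;Database=...", ...)`) using `prepare`/`execute`, which answers the last comment: PDO is not MySQL-specific.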

0 Answers