
:)

I'm working on a server list website, but I have a security problem with a search bar. I would like to allow users to search servers on my website, so I made a search bar. But when they search, servers are displayed by a pagination system which works with affix. Some values affect a MySQL command to execute the pagination. So I can't use prepare and then bind_param, because some parameters contain WHERE etc. But to be more comprehensive, I'll show you the code:

    // The raw search term is interpolated straight into the SQL text, so any
    // quote or SQL syntax the user types becomes part of the query (this is
    // the injection problem the question is asking about).
    if (isset($_GET['searchserver'])) {
        $searchserver = $_GET['searchserver'];
        $truevalue = '%' . $searchserver . '%';
        $this->where = "WHERE `name` LIKE '{$truevalue}' ";
    }

So, it is working, but I want to check the variable $searchserver before adding it to my $this->where. I would like to know if I can check it, and whether it contains anything other than a server name. (A server name may have numbers and letters, but not strange characters like ; : , .) Is it possible? I can't use bind_param..

Thank you for your time, and sorry for my bad English!

Léo
    What API? If it doesn't provide prepared statements then scrap it. Also, show how you build the query, no reason to use `$this->where = "WHERE name LIKE '{$truevalue}' ";`. – AbraCadaver May 01 '19 at 15:11
  • It is built like this: `$stmt = $database->prepare("SELECT COUNT(*) FROM `servers` {$where}"); $stmt->execute(); $stmt->bind_result($total_servers); $stmt->fetch(); $stmt->close();` – Léo May 01 '19 at 15:17
  • But there are some variables added to it like this: `$this->limit = "LIMIT " . ($this->current_page - 1) * $this->per_page . "," . $this->per_page;` So anyone using the search bar can enter MySQL code. – Léo May 01 '19 at 15:19

1 Answer


Even though it doesn't make sense why you don't use PDO,

you can add a bunch of sanity filtering to the input

https://www.php.net/manual/en/book.filter.php

zod
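Neither the question nor the answer shows how a dynamically assembled WHERE clause and LIMIT can still go through a prepared statement. The following is an added example (not the asker's or the answerer's code) that does both: the SQL *structure* (`WHERE ... LIKE ?`, `LIMIT ?, ?`) is fixed text the application controls, and only the *values* are bound, so the user never contributes SQL syntax. It also applies the two checks a practitioner would add on top of binding: a whitelist on the server-name characters (the exact set is an assumption; adjust to the real naming rule) and escaping of LIKE wildcards, which prepared statements do not handle. The `servers` table, its `name` column, and the open mysqli connection in `$db` are assumed from the question; the `page` query parameter is a hypothetical name chosen for the illustration.

```php
<?php
declare(strict_types=1);

/**
 * Whitelist check: letters, digits, '-' and '_' only (assumed rule).
 * Anything else is rejected before it gets near the query.
 */
function isValidServerName(string $name): bool
{
    return (bool) preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $name);
}

/**
 * Escape LIKE metacharacters so a user typing '%' or '_' searches for those
 * literal characters instead of matching every row. Binding alone only stops
 * SQL injection; it does not stop wildcard abuse. MySQL's default LIKE
 * escape character is the backslash, and bound values are not parsed as
 * string literals, so a single backslash is what reaches LIKE.
 */
function likePattern(string $needle): string
{
    return '%' . addcslashes($needle, '%_\\') . '%';
}

/**
 * Build the optional filter as [sql fragment with placeholders, bound values].
 * The fragment is a constant string; the user's text only ever becomes a value.
 */
function buildWhere(?string $search): array
{
    if ($search === null || $search === '') {
        return ['', []];
    }
    if (!isValidServerName($search)) {
        throw new InvalidArgumentException('invalid server name');
    }
    return ['WHERE `name` LIKE ?', [likePattern($search)]];
}

/**
 * Pagination values are integers, so they are clamped and bound as 'i'.
 * Nothing from the client is concatenated into the LIMIT text.
 */
function buildLimit(int $currentPage, int $perPage): array
{
    $perPage = max(1, min($perPage, 100));
    $offset  = (max(1, $currentPage) - 1) * $perPage;
    return ['LIMIT ?, ?', [$offset, $perPage]];
}

/** Returns ['total' => int, 'rows' => string[]] for one page of results. */
function searchServers(mysqli $db, ?string $search, int $page, int $perPage): array
{
    [$whereSql, $whereParams] = buildWhere($search);
    [$limitSql, $limitParams] = buildLimit($page, $perPage);
    $whereTypes = str_repeat('s', count($whereParams));

    // Total for the pager, same pattern as the question's COUNT query but bound.
    $count = $db->prepare("SELECT COUNT(*) FROM `servers` {$whereSql}");
    if ($whereParams !== []) {
        $count->bind_param($whereTypes, ...$whereParams);
    }
    $count->execute();
    $count->bind_result($total);
    $count->fetch();
    $count->close();

    // The page itself; placeholders and bound values are in the same order.
    $stmt = $db->prepare("SELECT `name` FROM `servers` {$whereSql} ORDER BY `name` {$limitSql}");
    $params = array_merge($whereParams, $limitParams);
    $stmt->bind_param($whereTypes . 'ii', ...$params);
    $stmt->execute();
    $stmt->bind_result($name);
    $rows = [];
    while ($stmt->fetch()) {
        $rows[] = $name;
    }
    $stmt->close();

    return ['total' => (int) $total, 'rows' => $rows];
}

// Usage (assumes $db is an open mysqli connection). The page number goes
// through the filter extension the answer points at, with a safe default.
$page = filter_var($_GET['page'] ?? 1, FILTER_VALIDATE_INT,
    ['options' => ['default' => 1, 'min_range' => 1]]);
$result = searchServers($db, $_GET['searchserver'] ?? null, $page, 20);
```

With this layout the `$this->where` / `$this->limit` strings from the question can stay dynamic: they just carry `?` placeholders, and the matching values travel alongside them until `bind_param` is called. Note that `bind_param` needs real variables or an unpacked array (`...$params`), not expression results, which is why the values are collected into arrays first.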