
Subject: I just started to learn PHP, so I'll try to make a search using the form feature; then, to prevent SQL injections, I added mysqli_real_escape_string. Will it work? And please help me correct it: is there something wrong with my code?

my index.php :

```php
<?php
include 'connect.php';

// Default listing: every row, with no user input in the query.
$anime = query("SELECT * FROM anime");

if (isset($_GET['s'])) {
  // Escape the keyword for use inside the quoted SQL string literal.
  // Note: "%" and "_" are LIKE wildcards and are NOT neutralised by
  // mysqli_real_escape_string, so a user can still search with them.
  $search = mysqli_real_escape_string($conn, $_GET['s']);
  $sql = "SELECT * FROM anime WHERE Judul LIKE '%$search%'";
  $anime = query($sql);
}
?>
<!DOCTYPE html>
<html lang="en" dir="ltr">
  <head>
    <meta charset="utf-8">
    <title>Anime search</title>
  </head>
  <body>
    <form action="" method="get">
      <input type="text" name="s" placeholder="keyword">
      <button type="submit">Search</button>
    </form>
    <ul>
    <?php foreach ($anime as $a) : ?>
      <!-- Escape on output as well: a stored title must render as text, not as HTML -->
      <li><?php echo htmlspecialchars($a['Judul'], ENT_QUOTES, 'UTF-8'); ?></li>
    <?php endforeach; ?>
    </ul>
  </body>
</html>
```

connect.php :

```php
<?php
  // Make mysqli throw an exception on any connection or query error,
  // instead of silently returning false and breaking the caller.
  mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

  $server = "localhost";
  $username = "root";
  $password = "";
  $databasename = "anime";
  $conn = mysqli_connect($server, $username, $password, $databasename);
  mysqli_set_charset($conn, "utf8mb4"); // the connection charset must match what mysqli_real_escape_string assumes

  // Run a query and return every row as an associative array.
  function query($query) {
    global $conn;
    $result = mysqli_query($conn, $query);
    $rows = [];
    while ($row = mysqli_fetch_assoc($result)) {
      $rows[] = $row;
    }
    return $rows;
  }
```
asked by Variel

Comments:

  • Use [prepared statements](https://www.php.net/manual/en/mysqli.quickstart.prepared-statements.php). – Cid Jul 09 '20 at 09:41
  • mysqli_real_escape_string is basically obsolete, really. Although it can help, it's verbose, there are edge cases where it can be defeated, and it can still allow unexpected syntax issues if not used correctly / consistently. https://phpdelusions.net/mysqli contains good examples of writing safe SQL with prepared statements and parameters, using mysqli. Parameterising your queries will also greatly reduce the risk of accidental syntax errors as a result of un-escaped input values. – ADyson Jul 09 '20 at 09:42
  • Another duplicate: https://stackoverflow.com/questions/4771984/are-dynamic-mysql-queries-with-sql-escaping-just-as-secure-as-prepared-statements – Cid Jul 09 '20 at 09:45
  • Can I use it for other features that use forms too? – Variel Jul 09 '20 at 09:53
  • A hopefully useful tip: there are tons of surprisingly outdated or outright terrible PHP tutorials out there. Learning with one of them will make the whole experience more miserable than it needs to be. If your tutorial doesn't use prepared statements and bind parameters, it's a clear sign that it isn't good. – Álvaro González Jul 09 '20 at 10:23
  • @Variel you should use prepared statements and parameters for **any** SQL query which has any kind of external input into it, regardless of where the data has come from (whether it's a form or any other incoming data). – ADyson Jul 09 '20 at 10:42
  • Even data that came out of your own database! Just use query parameters. – Bill Karwin Jul 09 '20 at 14:45
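The comments above recommend prepared statements with bound parameters instead of mysqli_real_escape_string. As an added example that is not the asker's code or any commenter's code, here is the same title search rewritten that way. It assumes the asker's connect.php (which creates `$conn` for the `anime` database, where table `anime` has a `Judul` column) and a PHP build with mysqlnd, which `get_result()` needs. It also handles the one thing escaping never covered: `%` and `_` are LIKE wildcards, so a keyword containing them is neutralised before it is bound.

```php
<?php
// Added example, not the asker's original: search with a mysqli prepared statement.
// Assumes connect.php creates $conn (mysqli) and the `anime` table has a `Judul` column.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on any SQL error
include 'connect.php';

/**
 * Search titles containing $keyword. The keyword is never concatenated into
 * the SQL text; it is sent separately as a bound parameter, so quotes or
 * comment markers in it cannot change the query's structure.
 */
function searchAnime(mysqli $conn, string $keyword): array
{
    // Parameter binding protects the SQL grammar, not the LIKE grammar:
    // a raw "%" or "_" would still act as a wildcard. MySQL's default LIKE
    // escape character is "\", so prefix those characters (and "\" itself).
    $literal = addcslashes($keyword, '%_\\');
    $pattern = '%' . $literal . '%';

    $stmt = $conn->prepare("SELECT * FROM anime WHERE Judul LIKE ?");
    $stmt->bind_param('s', $pattern);   // 's' = string parameter
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}

$keyword = $_GET['s'] ?? '';
$anime = ($keyword !== '')
    ? searchAnime($conn, $keyword)
    : $conn->query("SELECT * FROM anime")->fetch_all(MYSQLI_ASSOC); // no user input here
?>
<!DOCTYPE html>
<html lang="en" dir="ltr">
  <head>
    <meta charset="utf-8">
    <title>Anime search</title>
  </head>
  <body>
    <form action="" method="get">
      <!-- Re-display the keyword, escaped so it cannot break out of the attribute -->
      <input type="text" name="s" placeholder="keyword"
             value="<?php echo htmlspecialchars($keyword, ENT_QUOTES, 'UTF-8'); ?>">
      <button type="submit">Search</button>
    </form>
    <ul>
    <?php foreach ($anime as $a) : ?>
      <!-- Output escaping: a title stored as "<script>..." renders as text -->
      <li><?php echo htmlspecialchars($a['Judul'], ENT_QUOTES, 'UTF-8'); ?></li>
    <?php endforeach; ?>
    </ul>
  </body>
</html>
```

The same pattern answers the follow-up question in the comments: any other form on the site that feeds a value into SQL (a login, a filter, an id from a URL) uses `prepare` + `bind_param` with a `?` placeholder per value, and the only thing that changes is the type string given to `bind_param` (`'i'` for integers, `'s'` for strings).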

0 Answers