I have created a PHP and SQLi based search system. It is very basic and works how all of the ones I have found have. I just have one question: can a very mean and angry person SQL inject my search system? The search is submitted through an HTML form in POST.

Search System Code

...

require 'includes/dbh.inc.php';

// Raw user input from the form, used without validation or escaping
$search = $_POST['search'];

$mysqli = $conn;

// The search term is concatenated directly into the SQL text
$query = "SELECT * FROM listings WHERE listing_name LIKE '%".$search."%'";
echo '<b> <center class="listingstitle">Listings</center> </b> <br> <br>';


if ($result = $mysqli->query($query) and mysqli_num_rows($result) > 0) {

    while ($row = $result->fetch_assoc()) {
        $price = $row["listing_price"];
        $name = $row["listing_name"];
        $seller = $row["listing_seller"];
        $picture = $row["listing_picture"];

...
    Your code *is* obviously vulnerable. Use a prepared statement rather than concatenating user input in the query string. – GMB Oct 25 '20 at 21:46
    You’re not validating your input, so my guess is “Yes, this query is vulnerable to injection.” – Timothy Brackett Oct 25 '20 at 21:46
  • Yes, this code is extremely vulnerable. See here how to do it properly https://stackoverflow.com/questions/28385145/correct-way-to-use-like-var-with-prepared-statements-mysqli – Dharman Oct 25 '20 at 22:27
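A hardened version of the search from the question, rebuilt on a mysqli prepared statement for the LIKE query as the comments recommend. This is an added example, not code from the question or from any commenter; like the question it assumes that includes/dbh.inc.php provides a connected mysqli object in $conn, and additionally that the mysqlnd driver is available so get_result() exists.

```php
<?php
// Added example: the search from the question with the user input bound as a
// parameter instead of spliced into the SQL string.
// Assumption: includes/dbh.inc.php sets up a mysqli connection in $conn.
require 'includes/dbh.inc.php';

// Turn silent failures (query() returning false) into exceptions.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

/**
 * Return listings whose name contains $term as a literal substring.
 *
 * @return array<int, array<string, mixed>> rows as associative arrays
 */
function searchListings(mysqli $db, string $term): array
{
    // The original built the query as
    //   "... WHERE listing_name LIKE '%" . $search . "%'"
    // so an unescaped quote in $search ends the string literal and whatever
    // follows it is parsed as SQL. With a prepared statement the SQL text below
    // is fixed and $pattern travels to the server as data only.

    // '%' and '_' are LIKE wildcards; escape them (and the escape character
    // itself, backslash, which is MySQL's default) so a literal '%' in the
    // search term does not match every row.
    $escaped = addcslashes($term, '\\%_');
    $pattern = '%' . $escaped . '%';

    $stmt = $db->prepare(
        'SELECT listing_name, listing_price, listing_seller, listing_picture
         FROM listings
         WHERE listing_name LIKE ?'
    );
    $stmt->bind_param('s', $pattern);
    $stmt->execute();

    // get_result() needs mysqlnd (assumption); use bind_result() otherwise.
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}

$search = $_POST['search'] ?? '';
foreach (searchListings($conn, $search) as $row) {
    // Listing data came from users too, so escape it on output as well.
    echo htmlspecialchars($row['listing_name'], ENT_QUOTES, 'UTF-8'), '<br>';
}
```

The same pattern applies to any other column the form lets the user filter on: keep the SQL text constant and bind every user-supplied value.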

0 Answers