  1. #1 ripcurlksm (SitePoint Guru, joined Aug 2004, San Clemente, CA, 857 posts)

    Is this a proper way to protect against MySQL injection?

    How does this look? I am escaping the GET data before the SQL query and I am stripping the slashes for the display search word so it looks just as the user typed it:

    PHP Code:
    <?php
    // dbConnect() is the poster's own connection helper; it is not shown in the thread.
    // The mysql_* extension used below was removed in PHP 7.0.
    dbConnect();
    $original_search_word = isset($_GET['search']) ? $_GET['search'] : '';
    // Escape quotes, backslashes and NULs before the value goes into the SQL string literal.
    $search_word = mysql_real_escape_string($original_search_word);
    ?>
        <form name='search' method='get' action='<?php echo htmlspecialchars($_SERVER['PHP_SELF']); ?>'>
        <input name='search' id='search'/>
        <input type='submit' value='Search' name='submit'/>
        </form>

    <?php
    if (array_key_exists("submit", $_GET)) {
        // Echo the term back HTML-encoded so it cannot inject markup into the page;
        // stripslashes() is the poster's display step and only changes anything
        // when slashes were added to the GET data.
        echo "Your search for: <strong>" . htmlspecialchars(stripslashes($original_search_word)) . "</strong><p>
        <ol>
        ";

        $sql = 'SELECT * FROM table WHERE name LIKE "%' . $search_word . '%"';
        $result = mysql_query($sql) or die(mysql_error());
        $num = mysql_num_rows($result);

        while ($row = mysql_fetch_assoc($result)) {
            $name = $row['name'];
            echo "<li>" . htmlspecialchars($name) . "</li>";
        }
        echo "</ol>";
    }
    ?>
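Two things the snippet above leaves open: mysql_real_escape_string() escapes quote characters but not the LIKE wildcards % and _, so a user who searches for % gets every row back, and the mysql extension it relies on was removed in PHP 7.0. The following is an added example and not code from the thread: the same search rewritten with a PDO prepared statement, with the wildcards escaped and the output HTML-encoded. It assumes PHP 7 or later with PDO, and uses an in-memory SQLite table of constructed names so it runs offline; for a real MySQL database only the DSN changes.

```php
<?php
// Added example, not the poster's code: the same search page with the user's
// input bound as a query parameter instead of concatenated into the SQL.
// Assumptions: PHP 7+, PDO, and an in-memory SQLite database so it runs
// offline; for MySQL change the DSN to "mysql:host=...;dbname=..." and the
// rest stays the same.

// Escape LIKE wildcards so a user who types "%" or "_" matches those literal
// characters instead of every row. "!" is declared as the escape character
// in the query (ESCAPE '!'), which avoids backslash-quoting differences
// between MySQL and SQLite. The escape character itself is doubled first.
function escapeLikeWildcards(string $term): string
{
    return str_replace(['!', '%', '_'], ['!!', '!%', '!_'], $term);
}

// Run the search with a bound parameter. The driver sends the value separately
// from the SQL text, so quotes in $term cannot change the statement.
function searchNames(PDO $pdo, string $term): array
{
    $sql = "SELECT name FROM people WHERE name LIKE :pattern ESCAPE '!' ORDER BY name";
    $stmt = $pdo->prepare($sql);
    $stmt->execute([':pattern' => '%' . escapeLikeWildcards($term) . '%']);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed sample table.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE people (name TEXT)');
$insert = $pdo->prepare('INSERT INTO people (name) VALUES (?)');
foreach (["O'Reilly", 'Alice', '100% Cotton', 'Bob'] as $name) {
    $insert->execute([$name]);
}

if (PHP_SAPI === 'cli') {
    // Command-line demonstration (php search.php): an apostrophe, a bare
    // wildcard and a classic injection string are all treated as plain text.
    foreach (["O'Reilly", '%', '" OR "1"="1'] as $input) {
        printf("%-14s -> %s\n", $input, json_encode(searchNames($pdo, $input)));
    }
    exit;
}

// Web version of the original form. Everything echoed into HTML is encoded
// with htmlspecialchars(); stripslashes() in the original is not an HTML
// encoder and leaves the page open to reflected script injection.
$term = isset($_GET['search']) && is_string($_GET['search']) ? $_GET['search'] : '';
?>
<form method="get" action="">
  <input name="search" value="<?= htmlspecialchars($term, ENT_QUOTES, 'UTF-8') ?>">
  <input type="submit" value="Search" name="submit">
</form>
<?php if (isset($_GET['submit'])): ?>
<p>Your search for: <strong><?= htmlspecialchars($term, ENT_QUOTES, 'UTF-8') ?></strong></p>
<ol>
<?php foreach (searchNames($pdo, $term) as $name): ?>
  <li><?= htmlspecialchars($name, ENT_QUOTES, 'UTF-8') ?></li>
<?php endforeach; ?>
</ol>
<?php endif; ?>
```

Run it with php search.php to see the three inputs handled as data: the search for % matches only the row that contains a literal percent sign, and the injection string matches nothing. On MySQL also set PDO::ATTR_EMULATE_PREPARES to false so the driver uses server-side prepared statements rather than quoting the value into the SQL on the client.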

  2. #2
    ✯✯✯ silver trophybronze trophy php_daemon's Avatar
    Join Date
    Mar 2006
    Posts
    5,284
    Mentioned
    2 Post(s)
    Tagged
    0 Thread(s)
    If magic quotes are enabled, you need to strip slashes before mysql_real_escape_string. Otherwise you get double escaping for any quotes in the data (I think!). Anyways, you need to get rid of that horror that magic quotes is asap, before handling data.

    For portability you can use get_magic_quotes_gpc:
    PHP Code:
    // When magic quotes is on, PHP has already run addslashes() over every GET value;
    // undo that so mysql_real_escape_string() escapes the data exactly once.
    if (get_magic_quotes_gpc() == 1) {
        $original_search_word = stripslashes($_GET['search']);
    } else {
        $original_search_word = $_GET['search'];
    }

    Other than that, it's fine.
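The double escaping php_daemon describes, shown as an added example that is neither the poster's nor the replier's code. magic_quotes_gpc was removed in PHP 5.4 and get_magic_quotes_gpc() in PHP 8.0, so on a current PHP the check above is dead code; the example therefore simulates magic quotes with addslashes() (which is what the setting applied to GET/POST/COOKIE data) and, because mysql_real_escape_string() needs an open connection, stands in for it with an assumed addslashes()-based helper that yields the same bytes for quotes and backslashes. It also generalises the snippet above to nested request arrays, which the single-variable version does not handle.

```php
<?php
// Added example, not php_daemon's code. magic_quotes_gpc (removed in PHP 5.4)
// ran addslashes() over every GET/POST/COOKIE value, so that is how it is
// simulated here. mysql_real_escape_string() needs an open connection, so a
// stand-in built on addslashes() is assumed; for quotes and backslashes it
// produces the same bytes, which is all this demonstration needs.

// Undo magic quotes on a value, recursing into nested arrays such as
// $_GET['tags'][] that the single-variable snippet above does not cover.
// With magic quotes off it returns the data untouched.
function undoMagicQuotes($value, bool $magicQuotesOn)
{
    if (!$magicQuotesOn) {
        return $value;
    }
    if (is_array($value)) {
        $out = [];
        foreach ($value as $key => $item) {
            $out[$key] = undoMagicQuotes($item, true);
        }
        return $out;
    }
    return is_string($value) ? stripslashes($value) : $value;
}

// Stand-in for mysql_real_escape_string() (see the note at the top).
function mysqlEscape(string $s): string
{
    return addslashes($s);
}

// Build the poster's query both ways from a request array as magic quotes
// would have delivered it. Only the order of the two steps differs.
function buildSearchQueries(array $gpcRequest): array
{
    // Wrong order: escape a value that magic quotes already escaped. The query
    // then carries O\\\'Reilly, which MySQL decodes to O\'Reilly and searches
    // for a backslash the user never typed.
    $doubleEscaped = mysqlEscape($gpcRequest['search']);

    // Right order: strip the magic-quotes slashes first, then escape exactly
    // once when the query is built.
    $clean = undoMagicQuotes($gpcRequest, true);
    $onceEscaped = mysqlEscape($clean['search']);

    return [
        'double' => 'SELECT * FROM people WHERE name LIKE "%' . $doubleEscaped . '%"',
        'once'   => 'SELECT * FROM people WHERE name LIKE "%' . $onceEscaped . '%"',
    ];
}

// Constructed request: what the user typed, and what $_GET held with
// magic_quotes_gpc = On.
$typed = ['search' => "O'Reilly", 'tags' => ["rock'n'roll", 'plain']];
$gpc = [
    'search' => addslashes($typed['search']),
    'tags'   => array_map('addslashes', $typed['tags']),
];

foreach (buildSearchQueries($gpc) as $label => $sql) {
    echo str_pad($label, 8), $sql, PHP_EOL;
}
// Stripping recovers exactly what was typed, nested arrays included, and is a
// no-op when magic quotes is off.
var_dump(undoMagicQuotes($gpc, true) === $typed);
var_dump(undoMagicQuotes($typed, false) === $typed);
```

The "double" query is the one a page gets when it escapes without stripping first: every apostrophe the user typed reaches the database preceded by a literal backslash, so searches silently miss rows and stored values come back with stray backslashes. The "once" query is what the snippet above produces.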

  3. #3 ripcurlksm (SitePoint Guru, joined Aug 2004, San Clemente, CA, 857 posts)
    Thanks, yeah, magic quotes are off.

