Is this a proper way to protect against mysql injection

**ripcurlksm** · Mar 5, 2009 17:23

How does this look? I am escaping the GET data before the SQL query and I am stripping the slashes for the display search word so it looks just as the user typed it:

PHP Code:


<?php

dbConnect();

$original_search_word = $_GET['search'];

$search_word =  mysql_real_escape_string($original_search_word);



?>

    <form name='search' method='get' action='".$_SERVER['PHP_SELF']."'>

    <input name='search' id='search'/>

    <input type='submit' value='Search' name='submit'/>

    </form>

    

<?php    

if(array_key_exists("submit", $_GET)){

    

    echo "Your search for: <strong>".stripslashes($original_search_word)."</strong><p>

    

    <ol>

    ";

    

    

    $sql = 'SELECT * FROM table WHERE name LIKE "%'.$search_word.'%"';

    $result = mysql_query($sql) or die(mysql_error());

    $num = mysql_num_rows($result);    



    while($row = mysql_fetch_assoc($result)){

        

        $name = $row['name'];

        echo "<li>$name</li>";

    

    }

    echo "</ol>";

} 



?>

**php_daemon** · Mar 5, 2009 17:38

If magic quotes are enabled, you need to strip slashes before mysql_real_escape_string. Otherwise you get double escaping for any quotes in the data (I think!). Anyways, you need to get rid of that horror that magic quotes is asap, before handling data.

For portability you can use get_magic_quotes_gpc:

PHP Code:


if(get_magic_quotes_gpc()==1){

    $original_search_word=stripslashes($_GET['search']);

} else {

    $original_search_word=$_GET['search'];

}

Other than that, it's fine.

**ripcurlksm** · Mar 5, 2009 18:00

thanks, yea magic quotes are off

User Tag List

Thread: Is this a proper way to protect against mysql injection

Thread Tools

Display

Is this a proper way to protect against mysql injection

Bookmarks

Bookmarks

Posting Permissions