  1. #1
    SitePoint Enthusiast, Vancouver, BC

    SQL injection prevention adequacy

    Hi guys, is the following enough to prevent SQL injection? I've read other posts on the subject and it seems I've done enough. Thanks.

    PHP Code:
    <?php
    if ($searching == "yes") {
        echo "<br><br><b>Search Results:</b><br><br>";

        if ($find == "") {
            echo "You forgot to enter a search term.<br><br>";
            exit;
        }

        //$find = strtoupper($find);
        $find = strip_tags($find);
        $find = trim($find);
        // only $find is escaped here; $industry goes into the query as-is
        $find = mysql_real_escape_string($find);

        $result = mysql_query("SELECT * FROM customers WHERE industry='$industry' AND ( company LIKE '%{$find}%' OR email LIKE '%{$find}%' OR website LIKE '%{$find}%' ) ORDER BY company");

        if (mysql_num_rows($result) == 0) {
            echo 'I am sorry your search for <span style="font-weight:bold;color:#336699;">' . $find . '</span> returned no results.<br><br>';
        } else {
            while ($row = mysql_fetch_array($result)) {
                echo '<span class="listing">' . $row['company'] . '</span><br>';
                echo 'Phone: ' . $row['phone'] . '<br>';
                echo 'Address: ' . $row['street'] . '<br>';
                echo 'Email: <a href="mailto:' . $row['email'] . '">' . $row['email'] . '</a><br>';
                echo 'Website: <a href="http://' . $row['website'] . '" target="_blank">' . $row['website'] . '</a><br><br>';
                echo $row['description'] . '<br><br><hr><br>';
            }
        }
    }
    ?>

  2. #2
    guido2004 (From Italy with love)
    $find seems to be sanitized well enough

    What about $industry?
    Code:
    WHERE industry='$industry'
    Where does it come from?

  3. #3
    SitePoint Guru, Huntsville AL
    Which brings up what I think is a good point. If you use mysqli_prepare (or PDO) instead of mysql_query then the need for explicitly escaping every input goes away. One less thing to worry about.

  4. #4
    SitePoint Enthusiast, Vancouver, BC
    Thanks for the replies guys. 'industry' comes from a drop down list. It isn't an input field. Should I do the same to the 'industry' value anyways?

  5. #5
    SitePoint Guru, Huntsville AL
    Quote Originally Posted by ConTici:
    Thanks for the replies guys. 'industry' comes from a drop down list. It isn't an input field. Should I do the same to the 'industry' value anyways?
    Yep. Anything coming in from the outside world needs to be sanitized. It's trivial for someone to change the values of posted information. Of course if you use prepared statements then the problem goes away.

  6. #6
    Cups (SitePoint Wizard), France, deep rural.
    Keep industry as an array.

    industries.php
    PHP Code:
    <?php
    // the single source of truth for valid industries
    $industries = array('aviation', 'mining', 'drinking');
    then include that single array but use it to a) generate your droplist and b) act as a white-list when you filter the incoming $industry from your form.
    PHP Code:
    <?php
    include 'industries.php';

    // do stuff

    if (isset($industry) && !in_array($industry, $industries)) {
        // then $industry was set, but had been tampered with
        // log this user out or send away etc
    }

    // else carry on, $industry must be good ...
    Got to add a new industry? Add it in one place only.
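Combining the two suggestions in this thread (prepared statements from post #3, the whitelist from post #6) into the original search, as an added example that is not code from the thread; it assumes PHP 7 or later, a PDO connection in $pdo with exceptions enabled, and the form fields and customers table of the original post:

```php
<?php
// Added example, not code from the thread. Assumes a PDO connection in $pdo
// (with PDO::ERRMODE_EXCEPTION), PHP 7+, and the customers table from the post.
require 'industries.php';   // defines $industries = array('aviation', 'mining', ...)

$searching = $_POST['searching'] ?? '';
$industry  = $_POST['industry']  ?? '';
$find      = trim($_POST['find'] ?? '');

if ($searching === 'yes') {
    // A dropdown only suggests values to the browser; the submitted value is
    // attacker-controlled, so accept it only if it is in the whitelist.
    if (!in_array($industry, $industries, true)) {
        http_response_code(400);
        exit('Invalid industry.');
    }
    if ($find === '') {
        exit('You forgot to enter a search term.<br><br>');
    }
    // Escape LIKE metacharacters so a search for "100%" does not turn into a
    // wildcard; the pattern is then bound as a value, never spliced into SQL.
    $pattern = '%' . addcslashes($find, '%_\\') . '%';

    // Placeholders replace string interpolation, so mysql_real_escape_string()
    // is no longer needed. MySQL native prepares reject reusing one named
    // placeholder, hence :pat1..:pat3 all bound to the same pattern.
    $stmt = $pdo->prepare(
        'SELECT company, phone, street, email, website, description
           FROM customers
          WHERE industry = :industry
            AND (company LIKE :pat1 OR email LIKE :pat2 OR website LIKE :pat3)
          ORDER BY company'
    );
    $stmt->execute([
        ':industry' => $industry,
        ':pat1' => $pattern, ':pat2' => $pattern, ':pat3' => $pattern,
    ]);
    $rows = $stmt->fetchAll(PDO::FETCH_ASSOC);

    // Escape on output as well: the original echoed $find and row data raw.
    $h = function ($s) { return htmlspecialchars((string) $s, ENT_QUOTES, 'UTF-8'); };
    if (!$rows) {
        echo 'Sorry, your search for <b>' . $h($find) . '</b> returned no results.<br>';
    }
    foreach ($rows as $row) {
        echo '<span class="listing">' . $h($row['company']) . '</span><br>';
        echo 'Email: <a href="mailto:' . $h($row['email']) . '">' . $h($row['email']) . '</a><br>';
        echo $h($row['description']) . '<br><hr>';
    }
}
```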

  7. #7
    SitePoint Enthusiast, Vancouver, BC
    That's great! Thanks a lot guys.

