  1. #1
    SitePoint Member

    Question Making search in BOOLEAN MODE safe

    Hi everyone, I am creating a small search function in BOOLEAN MODE and it works fine.
    But I asked myself how to make the query string hack prove since it is on a public website.

    I read somewhere that for the querystring the only thing needed is to set mysql_set_charset() and mysql_real_escape_string enclosed in quotes.
    Is that a myth? What about special keywords, do they need filtering?

  2. #2
    SitePoint Member
    Quote Originally Posted by PixelBoy View Post
    how to make the query string hack prove
    I meant to say hack proof... English is always a tricky thing.

  3. #3
    SitePoint Addict tom8's Avatar
    I too would like to know. Hope members here will comment.

  4. #4
    Keeper of the SFL StarLion's Avatar
    'hack proof'. Whenever I hear that phrase, I want to laugh. It's not a question of being hack-proof, but making it as difficult as possible.

    real_escape_string is a good first step. Filtering and sanitizing your data is better. What data do you need to take in?
    Never grow up. The instant you do, you lose all ability to imagine great things, for fear of reality crashing in.

  5. #5
    SitePoint Member
    I am glad I made someone laugh today

    The data I need to take in is numerical, alphabetical and some Latin characters (UTF-8),
    and I want to make it so that the user can still double quote, for example "John Doe".

  6. #6
    SitePoint Member
    OK, here is an example of a search.

    GET data input example 1 = "Stephen O'Reiley"
    GET data input example 2 = Marie-Élise
    GET data input example 3 = 0123456789

    Process search
    // set the connection charset before escaping, then escape against that same connection
    @mysql_set_charset('utf8', $db_connection);
    $query = mysql_real_escape_string($_GET['input'], $db_connection);
    $search = @mysql_query("SELECT * FROM articles WHERE MATCH (articlecode, name, description) AGAINST ('$query' IN BOOLEAN MODE) LIMIT 1, 5", $db_connection);

    Is this ok for safety or should I add more filters?

  7. #7
    SitePoint Member
    Still struggling with the same question here... How about some keyword filtering, such as 'AND OR *'? Is that necessary and/or a good solution?
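
A worked version of the search from posts #6 and #7, added here as an example and not code from the thread: a prepared statement takes care of SQL injection, and a separate normalising step takes care of the BOOLEAN MODE operators, which escaping does nothing about. It assumes PHP 7.4+ with mysqli (mysqlnd) and the articles table named in post #6; the function names and connection details are placeholders.

```php
<?php
// Added example, not from the thread. Two separate concerns are handled:
//  1. SQL injection: a bound parameter replaces escape-and-interpolate.
//  2. BOOLEAN MODE syntax: the fulltext parser interprets + - * " ( ) < > ~ @
//     in the user's text, so stray operators or an unbalanced quote give errors
//     or odd matches. Words like AND or OR are not operators; no filter needed.
// Assumes PHP 7.4+, mysqli with mysqlnd, and the articles table from post #6.

/**
 * Normalise user input into a BOOLEAN MODE query string.
 * Keeps letters (UTF-8, so accented Latin characters survive), digits, the
 * apostrophe (O'Reiley stays one word) and double quotes for exact phrases.
 * Everything else, every fulltext operator included, becomes a space; the
 * hyphen is dropped too, since a leading '-' is the NOT operator.
 */
function buildBooleanQuery(string $input, int $maxTerms = 10): string
{
    $clean = preg_replace('/[^\p{L}\p{N}\s\'"]/u', ' ', $input);
    if (substr_count($clean, '"') % 2 === 1) {
        $clean .= '"';                        // close a dangling phrase quote
    }
    $clean = preg_replace('/"\s*"/u', ' ', $clean);   // drop empty phrases ""
    // Tokenise into quoted phrases and single words, capping the term count so
    // a very long request cannot become an expensive query.
    preg_match_all('/"[^"]+"|\S+/u', $clean, $matches);
    $terms = array_slice($matches[0], 0, $maxTerms);
    // Discard tokens with no letter or digit (e.g. a lone apostrophe).
    $terms = array_filter($terms, fn($t) => preg_match('/[\p{L}\p{N}]/u', $t));
    // Require each term (+); the BOOLEAN MODE default is an OR of all terms.
    return implode(' ', array_map(fn($t) => '+' . $t, $terms));
}

/**
 * Run the search with a bound parameter; the query text never meets SQL syntax.
 */
function searchArticles(mysqli $db, string $userInput): array
{
    $booleanQuery = buildBooleanQuery($userInput);
    if ($booleanQuery === '') {
        return [];                            // nothing usable left to search for
    }
    $stmt = $db->prepare(
        'SELECT articlecode, name, description FROM articles
         WHERE MATCH (articlecode, name, description) AGAINST (? IN BOOLEAN MODE)
         LIMIT 5'
    );
    $stmt->bind_param('s', $booleanQuery);
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}

// Usage (placeholder connection details):
// $db = new mysqli('localhost', 'dbuser', 'dbpass', 'dbname');
// $db->set_charset('utf8mb4');
// $rows = searchArticles($db, $_GET['input'] ?? '');
```

With this, "Stephen O'Reiley", Marie-Élise and 0123456789 from post #6 all pass through as required terms, and a user can still quote a phrase such as "John Doe".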

