webref.eu, posted June 19, 2009

Hi All

I have a free text field where users can enter a search term for my database. Here's some of the code; my question is what else should I be doing to make the script secure?

Getting the search query:

```php
// Read the search term from the query string (empty string if it is absent)
$SearchQueryText = isset($_GET['SearchQueryText']) ? $_GET['SearchQueryText'] : '';
// make safe for database
$SearchQueryText = makeSQLSafe($SearchQueryText);
$trimmed = trim($SearchQueryText); // trim whitespace from the stored variable
```

The makeSQLSafe function:

```php
function makeSQLSafe($str) {
    // Check the status of magic_quotes_gpc; if it returns true we remove
    // the escaped characters, allowing the real escaping to be done via
    // mysql_real_escape_string
    if (get_magic_quotes_gpc()) {
        // remove the slashes
        $str = stripslashes($str);
    }
    $str = mysql_real_escape_string($str);
    return $str;
}
```

... and the SQL query for the MySQL database:

```php
$query = "SELECT * FROM Products
          WHERE ProductName LIKE '%$trimmed%'
             OR ProductBrand LIKE '%$trimmed%'
             OR ProductDesc LIKE '%$trimmed%'
          ORDER BY ProductName";
```

Thanks for your comments.

Rgds

https://forums.phpfreaks.com/topic/162931-security-for-search-form-what-else-should-i-do/
webref.eu (author), posted June 19, 2009

Would others agree with me that because I am using mysql_real_escape_string I don't need to do anything further to protect against SQL injection attacks?

Thanks

https://forums.phpfreaks.com/topic/162931-security-for-search-form-what-else-should-i-do/#findComment-859710
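Added example, not code from the thread or its author, relevant to both posts above: the same Products search rebuilt on a PDO prepared statement, so the term is bound as a parameter rather than escaped into the SQL text, with the LIKE wildcards (`%`, `_`) escaped separately because parameter binding does not neutralise them. The `$pdo` connection details, the `searchProducts`/`escapeLikePattern` names and the 100-character cap are assumptions.

```php
<?php
// Added example (not from the original thread). Assumes a PDO connection to a
// MySQL database containing the Products table described in the thread.

/**
 * Escape LIKE metacharacters with '!' so a user typing "100%" or "a_b"
 * matches those literal characters instead of acting as wildcards.
 * Binding stops SQL injection; it does not stop wildcard abuse in a pattern.
 * The escape character itself is doubled first so the mapping is unambiguous.
 */
function escapeLikePattern(string $term): string
{
    return str_replace(['!', '%', '_'], ['!!', '!%', '!_'], $term);
}

function searchProducts(PDO $pdo, string $rawTerm, int $maxLength = 100): array
{
    $term = trim($rawTerm);
    if ($term === '') {
        return [];
    }
    // Cap the length: very long patterns cost the database time and are
    // never a legitimate product search (100 is an assumed limit).
    $term = mb_substr($term, 0, $maxLength);
    $pattern = '%' . escapeLikePattern($term) . '%';

    // Placeholders instead of string interpolation. Native MySQL prepared
    // statements do not allow one named placeholder to be reused, so the
    // same value is bound three times. ESCAPE '!' matches escapeLikePattern().
    $sql = "SELECT ProductName, ProductBrand, ProductDesc
              FROM Products
             WHERE ProductName  LIKE :p1 ESCAPE '!'
                OR ProductBrand LIKE :p2 ESCAPE '!'
                OR ProductDesc  LIKE :p3 ESCAPE '!'
             ORDER BY ProductName";
    $stmt = $pdo->prepare($sql);
    $stmt->execute([':p1' => $pattern, ':p2' => $pattern, ':p3' => $pattern]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Usage; DSN and credentials below are constructed placeholders.
$pdo = new PDO('mysql:host=localhost;dbname=shop;charset=utf8mb4', 'user', 'pass', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
]);
$results = searchProducts($pdo, $_GET['SearchQueryText'] ?? '');
```

With emulated prepares turned off the server receives the SQL text and the bound value in separate messages, which is what makes the term's quotes and semicolons inert regardless of magic_quotes or escaping.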
Archived
This topic is now archived and is closed to further replies.