
Security for search form - what else should I do?


webref.eu


Hi All

 

I have a free text field where users can enter a search term for my database. Here's some of the code; my question is: what else should I be doing to make the script secure?

 

Getting the search query:

 

$SearchQueryText = isset($_GET['SearchQueryText']) ? $_GET['SearchQueryText'] : ''; // no @ suppression: a missing key is simply an empty search
$trimmed = trim($SearchQueryText); // trim whitespace first, so a trailing newline is dropped rather than escaped to a literal "\n"
// make safe for database: escapes quotes and backslashes for a single-quoted string context,
// but does NOT escape the LIKE wildcards % and _
$trimmed = makeSQLSafe($trimmed);

 

The makeSQLSafe function:

 

// Escapes a string for use inside a quoted MySQL string literal.
// Requires an open mysql_connect() link, because mysql_real_escape_string
// escapes according to the connection's character set (the mysql extension
// itself was removed in PHP 7).
function makeSQLSafe($str)
{
    // check the status of magic_quotes_gpc; if this returns true
    // we remove the escaped characters, allowing the real escaping
    // to be done via mysql_real_escape_string
    if (get_magic_quotes_gpc()) {
        // remove the slashes.
        $str = stripslashes($str);
    }

    // escapes NUL, \n, \r, \, ', " and Control-Z; % and _ are left untouched
    $str = mysql_real_escape_string($str);

    return $str;
}

 

... and the Sql query for the MySQL database:

 

// $trimmed is already escaped for the quoted context; any % or _ inside it still acts as a wildcard
$query = "SELECT * FROM Products where ProductName LIKE '%$trimmed%' or ProductBrand LIKE '%$trimmed%' or ProductDesc LIKE '%$trimmed%' ORDER BY ProductName";

 

Thanks for your comments. 8)

 

Rgds
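As an added example (not the original poster's code), here is the same search handler rewritten the way a reviewer would answer the question above: input is validated before it touches SQL, the value is bound through a PDO prepared statement instead of being escaped into the query text, the LIKE metacharacters % and _ are escaped with an explicit ESCAPE character so a user cannot turn a search term into a match-everything wildcard, and the term is HTML-escaped again on output. The DSN, credentials, table name and column names are assumptions; everything else is standard PHP and PDO.

```php
<?php
// Added example, not code from the original post.
// Assumed schema: Products(ProductName, ProductBrand, ProductDesc).
// DSN and credentials below are placeholders.

declare(strict_types=1);

// Read the parameter without the @ operator; a missing key is just an empty term.
$raw = isset($_GET['SearchQueryText']) ? (string) $_GET['SearchQueryText'] : '';

// 1. Normalise and validate before the value goes anywhere near SQL.
$term = trim($raw);
$term = preg_replace('/\s+/u', ' ', $term);          // collapse runs of whitespace
if ($term === '' || !mb_check_encoding($term, 'UTF-8') || mb_strlen($term) > 100) {
    http_response_code(400);
    exit('Invalid search term');
}

// 2. Escape LIKE metacharacters. A prepared statement stops SQL injection,
//    but a bound value of "%" still matches every row; this neutralises % and _.
//    "!" is used as the ESCAPE character so no backslash handling is involved.
function escapeLike(string $s, string $esc = '!'): string
{
    return str_replace([$esc, '%', '_'], [$esc . $esc, $esc . '%', $esc . '_'], $s);
}
$pattern = '%' . escapeLike($term) . '%';

// 3. Bind the value; the query text never contains user input.
$pdo = new PDO(
    'mysql:host=localhost;dbname=shop;charset=utf8mb4',  // placeholder DSN
    'dbuser', 'dbpass',                                  // placeholder credentials
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,  // real server-side prepared statements
    ]
);

// MySQL does not allow reusing one named placeholder with emulation off,
// so the same pattern is bound three times under three names.
$sql = "SELECT ProductName, ProductBrand, ProductDesc
        FROM Products
        WHERE ProductName  LIKE :p1 ESCAPE '!'
           OR ProductBrand LIKE :p2 ESCAPE '!'
           OR ProductDesc  LIKE :p3 ESCAPE '!'
        ORDER BY ProductName
        LIMIT 100";

$stmt = $pdo->prepare($sql);
$stmt->execute([':p1' => $pattern, ':p2' => $pattern, ':p3' => $pattern]);
$rows = $stmt->fetchAll(PDO::FETCH_ASSOC);

// 4. Escape on output as well: the term and the results land in HTML, so an
//    unescaped echo would turn a reflected or stored value into XSS.
echo '<p>Results for: ' . htmlspecialchars($term, ENT_QUOTES, 'UTF-8') . '</p><ul>';
foreach ($rows as $row) {
    echo '<li>' . htmlspecialchars($row['ProductName'], ENT_QUOTES, 'UTF-8') . '</li>';
}
echo '</ul>';
```

Two design points worth noting. Setting the connection charset in the DSN matters even with prepared statements, because any remaining escaping (and the server's interpretation of the bound bytes) depends on it; and the length cap plus LIMIT are what keep a `LIKE '%...%'` search, which cannot use an index, from becoming a cheap denial-of-service lever.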

 

 

Archived

This topic is now archived and is closed to further replies.
