
[SOLVED] php coding exposed to risks


h4r00n


Hi, below is my coding for my search.php. I am aware that it is exposed to risks. I am new to PHP and was hoping that somebody could help me with the coding to reduce these risks?

Thanks


<?php

//get data
$button = (isset($_GET['submit'])) ? $_GET['submit'] : "default_value";
$search = (isset($_GET['search'])) ? $_GET['search'] : "default_value";

if (!$button)
{
   echo "You didn't submit a keyword.";
}
else
{
   if (strlen($search)<=2)
   {
      echo "Search term too short.";
   }
   else
   {
      //user input is echoed straight into the page
      echo "You searched for <b>$search</b><hr size='1'>";
      //connect to our database
      mysql_connect("localhost","root","");
      mysql_select_db("jobjar");
      //explode our search term
      $search_exploded = explode(" ",$search);

      //construct query: counter and clause string are initialised once,
      //before the loop, so the OR is added for every term after the first
      $x = 0;
      $construct = "";
      foreach($search_exploded as $search_each)
      {
         $x++;
         if ($x==1)
         {
            $construct .= " Keywords LIKE '%$search_each%'";
         }
         else
         {
            $construct .= " OR Keywords LIKE '%$search_each%'";
         }
      }

      //build and run the query (user input is placed directly in the SQL text)
      $construct = "SELECT * FROM jobs WHERE $construct";
      $run = mysql_query($construct);
      $foundnum = mysql_num_rows($run);

      if ($foundnum==0)
      {
         echo "No jobs found.";
      }
      else
      {
         echo "$foundnum found!<p><br>";

         while ($runrows = mysql_fetch_assoc($run))
         {
            //get data
            $Title = $runrows['Title'];
            $Location = $runrows['Location'];
            $Salary = $runrows['Salary'];
            $Sector = $runrows['Sector'];
            $JobType = $runrows['Job Type'];
            $Duration = $runrows['Duration'];
            $JobRef = $runrows['Job Ref'];
            $Description = $runrows['Description'];

            echo "<b>Title:</b> $Title<br>
            <b>Location:</b> $Location<br>
            <b>Salary:</b> $Salary<br>
            <b>Sector:</b> $Sector<br>
            <b>Job Type:</b> $JobType<br>
            <b>Duration:</b> $Duration<br>
            <b>Job Ref:</b> $JobRef<br>
            <b>Description:</b> $Description<p><br>";
         }
      }
   }
}

?>

https://forums.phpfreaks.com/topic/171985-solved-php-coding-exposed-to-risks/

First of all, make a designated MySQL user for that project/database you are using. I am assuming, though, that for now you're using root for development purposes.

Use "mysql_real_escape_string($Variable);" for all the variables that come from user input.

http://us2.php.net/manual/en/function.mysql-real-escape-string.php

if (!$button) is never true because it's either the value of $_GET['submit'] or the default_value. Use instead:

$button = (isset($_GET['submit'])) ? $_GET['submit'] : null;

To secure your application, validate the input and apply what you know. For example, if search may only contain alphabetic characters, use:

if (!ctype_alpha($search)) {
    // invalid: contains characters not found in the alphabet
}

Search must have a certain length?

if (!isset($search[5])) {
    // invalid: must be at least 6 characters long (strings are zero-based, if you wonder why 5)
}

> First of all, make a designated MySQL user for that project/database you are using. I am assuming, though, that for now you're using root for development purposes.
>
> Use "mysql_real_escape_string($Variable);" for all the variables that come from user input.
>
> http://us2.php.net/manual/en/function.mysql-real-escape-string.php

So where would I insert that code?

<?php

//get data
$button = (isset($_GET['submit'])) ? $_GET['submit'] : "default_value";
$search = (isset($_GET['search'])) ? $_GET['search'] : "default_value";

if (!$button)
{
   echo "You didn't submit a keyword.";
}
else
{
   if (strlen($search)<=2)
   {
      echo "Search term too short.";
   }
   else
   {
      //user input is echoed straight into the page
      echo "You searched for <b>$search</b><hr size='1'>";
      //connect to our database
      mysql_connect("localhost","root","");
      mysql_select_db("jobjar");

      //escape the values that came from the request (needs an open connection)
      $button = mysql_real_escape_string($button);
      $search = mysql_real_escape_string($search);

      //explode our search term
      $search_exploded = explode(" ",$search);

      //construct query: counter and clause string are initialised once,
      //before the loop, so the OR is added for every term after the first
      $x = 0;
      $construct = "";
      foreach($search_exploded as $search_each)
      {
         $x++;
         if ($x==1)
         {
            $construct .= " Keywords LIKE '%$search_each%'";
         }
         else
         {
            $construct .= " OR Keywords LIKE '%$search_each%'";
         }
      }

      //build and run the query
      $construct = "SELECT * FROM jobs WHERE $construct";
      $run = mysql_query($construct);
      $foundnum = mysql_num_rows($run);

      if ($foundnum==0)
      {
         echo "No jobs found.";
      }
      else
      {
         echo "$foundnum found!<p><br>";

         while ($runrows = mysql_fetch_assoc($run))
         {
            //get data
            $Title = $runrows['Title'];
            $Location = $runrows['Location'];
            $Salary = $runrows['Salary'];
            $Sector = $runrows['Sector'];
            $JobType = $runrows['Job Type'];
            $Duration = $runrows['Duration'];
            $JobRef = $runrows['Job Ref'];
            $Description = $runrows['Description'];

            echo "<b>Title:</b> $Title<br>
            <b>Location:</b> $Location<br>
            <b>Salary:</b> $Salary<br>
            <b>Sector:</b> $Sector<br>
            <b>Job Type:</b> $JobType<br>
            <b>Duration:</b> $Duration<br>
            <b>Job Ref:</b> $JobRef<br>
            <b>Description:</b> $Description<p><br>";
         }
      }
   }
}
?>

As far as I see by glancing at it, only $button and $search are from GET, so I did it right under the mysql connect.
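A hardened version of the same search page, written for this thread as an added example and not the code of the original poster or of any reply. It pulls together the points raised above: a dedicated low-privilege database account instead of root, the fix for the unreachable if (!$button) check, input validation before the value is used, and user-supplied text kept out of the SQL string. It swaps mysql_real_escape_string for PDO prepared statements, because the mysql_* extension used throughout the thread was removed in PHP 7.0, and it additionally HTML-escapes everything echoed to the page, which escaping for SQL does not cover. The database name jobjar, the jobs table and its columns come from the thread; the account name jobjar_search, its password and the character allow-list are assumptions.

```php
<?php
// Added example for this thread, not the original poster's code. Assumes the
// "jobjar" database and "jobs" table from the thread; the account name and
// password below are placeholders.

// 1. A dedicated, least-privilege account instead of root.
$pdo = new PDO(
    'mysql:host=localhost;dbname=jobjar;charset=utf8mb4',
    'jobjar_search',   // placeholder: grant it SELECT on jobjar.jobs only
    'CHANGE_ME',       // placeholder
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares
    ]
);

// 2. Test for the submit button by presence. In the original, the ternary
//    substituted "default_value", so if (!$button) could never be true.
if (!isset($_GET['submit'])) {
    exit('You didn\'t submit a keyword.');
}

// Reject non-string input (search[]=x arrives as an array) before trimming.
$search = (isset($_GET['search']) && is_string($_GET['search']))
    ? trim($_GET['search'])
    : '';

// 3. Validate before use: length bounds plus an allow-list of characters
//    (letters, digits, space and a few marks common in job keywords such
//    as "C++" or "C#"). Tighten or loosen the list to fit the data.
$len = strlen($search);
if ($len <= 2 || $len > 100) {
    exit('Search term must be between 3 and 100 characters.');
}
if (!preg_match('/^[A-Za-z0-9 .,+#-]+$/', $search)) {
    exit('Search term contains characters that are not allowed.');
}

// 4. Escape anything echoed into HTML; the original printed $search raw.
$safeSearch = htmlspecialchars($search, ENT_QUOTES, 'UTF-8');
echo "You searched for <b>$safeSearch</b><hr size='1'>";

// 5. One bound parameter per term, so the terms never become part of the
//    SQL text. preg_split drops the empty tokens that repeated spaces would
//    produce with explode(" ", ...).
$terms   = preg_split('/\s+/', $search, -1, PREG_SPLIT_NO_EMPTY);
$clauses = [];
$params  = [];
foreach ($terms as $term) {
    $clauses[] = 'Keywords LIKE ?';
    // % and _ are wildcards inside LIKE; escape them so a term cannot widen
    // the match. The allow-list above already rejects them, but the query
    // should stay correct if that list is relaxed later.
    $params[] = '%' . addcslashes($term, '%_\\') . '%';
}

$sql = 'SELECT Title, Location, Salary, Sector, `Job Type`, Duration, `Job Ref`, Description'
     . ' FROM jobs WHERE ' . implode(' OR ', $clauses);
$stmt = $pdo->prepare($sql);
$stmt->execute($params);
$rows = $stmt->fetchAll(PDO::FETCH_ASSOC);

if (count($rows) === 0) {
    exit('No jobs found.');
}
echo count($rows) . " found!<p><br>";

foreach ($rows as $row) {
    // 6. Database values are untrusted for HTML purposes too: escape each one.
    $r = array_map(
        function ($v) { return htmlspecialchars((string) $v, ENT_QUOTES, 'UTF-8'); },
        $row
    );
    echo "<b>Title:</b> {$r['Title']}<br>
          <b>Location:</b> {$r['Location']}<br>
          <b>Salary:</b> {$r['Salary']}<br>
          <b>Sector:</b> {$r['Sector']}<br>
          <b>Job Type:</b> {$r['Job Type']}<br>
          <b>Duration:</b> {$r['Duration']}<br>
          <b>Job Ref:</b> {$r['Job Ref']}<br>
          <b>Description:</b> {$r['Description']}<p><br>";
}
```

The account the script connects with should be created with only SELECT on the jobs table, so that even a mistake elsewhere in the page cannot modify data. Note the order of operations: validation happens before the value is echoed or queried, the SQL text is fixed before any user data is seen, and the escaping applied at output (htmlspecialchars) is different from, and in addition to, what the prepared statement does for the database.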
