eugene2009 Posted December 10, 2009

I do not want anything like DROP TABLE to work or any type of coding. Here's my code. Is it secure? If not, please help:

```php
<?php
mysql_connect('', '', '');
mysql_select_db('cars');

// Only allow letters, digits, spaces and ampersands in the search term
if (preg_match("/^[a-zA-Z0-9 &]+$/", $_POST['q'])) {
    $q = $_POST['q'];
    // Escape the term for MySQL, then add a second layer of slashes on top
    $q = addslashes(mysql_real_escape_string($q));
    $result = mysql_query("SELECT * FROM parts WHERE MATCH (`category`,`name`,`description`) AGAINST ('$q' IN BOOLEAN MODE)");
    $num_results = mysql_num_rows($result);
    echo 'Found ' . $num_results . ' parts matching ' . $q . '.';
    if ($num_results > 0) {
        while ($row = mysql_fetch_assoc($result)) {
            // Stored values carry slashes, so strip them twice before output
            $row['name'] = stripslashes(stripslashes($row['name']));
            $row['description'] = stripslashes(stripslashes($row['description']));
            echo '<p>' . $row['name'] . '<br><img src="' . $row['thumbnailurl'] . '"><br />' . $row['description'] . '<br />' . $row['date'] . '</p>';
        }
    } else {
        echo '<p>There were 0 results for ' . $q . '! Try again?</p>';
    }
} else {
    echo '<p>TEXT ONLY PLEASE</p>';
}
?>
```
trq Posted December 10, 2009

This line:

    $q = addslashes(mysql_real_escape_string($q));

will corrupt your data. You should be using stripslashes, and even then only if magic quotes are enabled.

Prevention of calls to DROP TABLE and the like should be done at the MySQL permissions level.
eugene2009 Posted December 10, 2009 (Author)

What do you mean it will corrupt the data? The search engine works fine. Sorry, I'm just kind of new to MySQL.
trq Posted December 10, 2009

You're adding slashes, then adding more with mysql_real_escape_string(). Notice how you need to use stripslashes twice when pulling data from the database? This is because you have managed to store slashes along with your data (hence corrupting it) in the database.
eugene2009 Posted December 10, 2009 (Author)

Oops. No, this has nothing to do with adding data though. I created this page to search through the database, so it will be the same. I used a tutorial I found on Google and modified it, so all is fine about that. I'm just worried about the MySQL injection.
trq Posted December 10, 2009

> I created this page to search through the database.

Yeah, sorry, I just noticed that. Even so, with extra slashes in there your search results will be incorrect. mysql_real_escape_string is sufficient.
Mchl Posted December 10, 2009

You probably need to remove all unnecessary slashes from your database now. When stored properly, data does not need stripslashes at all when retrieving from the database.
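The double escaping trq and Mchl describe, shown at the mysql prompt as an added example (this is not code from the thread). It uses the `parts` table with its `name` and `description` columns from the first post, and it assumes the corrupted rows hold a backslash in front of each quote character, which is what addslashes() on top of mysql_real_escape_string() produces.

```sql
-- Added example, not part of the thread. What MySQL receives for the search term O'Reilly.

-- mysql_real_escape_string() alone produces the literal 'O\'Reilly'.
-- MySQL decodes \' to ', so the value compared or stored is the user's text, unchanged.
SELECT 'O\'Reilly' AS escaped_once;
-- returns: O'Reilly

-- addslashes(mysql_real_escape_string()) produces 'O\\\'Reilly'.
-- MySQL decodes \\ to \ and \' to ', so a stray backslash becomes part of the data.
SELECT 'O\\\'Reilly' AS escaped_twice;
-- returns: O\'Reilly

-- A MATCH ... AGAINST on the double-escaped term therefore searches for O\'Reilly,
-- which will not match rows that were stored correctly, and rows that were INSERTed
-- through the same double escaping carry the backslash on disk.

-- Cleanup for rows written with the double escaping (assumed here).
-- Back up the table first; the UPDATE rewrites data in place.
-- Preview which rows still carry a backslash in front of a quote:
SELECT name, description
  FROM parts
 WHERE LOCATE('\\\'', name) > 0 OR LOCATE('\\\'', description) > 0
    OR LOCATE('\\"', name) > 0 OR LOCATE('\\"', description) > 0;

-- Remove exactly those two escape sequences, leaving any other backslash alone:
UPDATE parts
   SET name        = REPLACE(REPLACE(name,        '\\\'', '\''), '\\"', '"'),
       description = REPLACE(REPLACE(description, '\\\'', '\''), '\\"', '"');

-- If two layers were stored (the case where stripslashes() is needed twice on output),
-- run the UPDATE again until the preview SELECT returns no rows.
-- Once the data is clean the PHP side needs no stripslashes() on output at all.
```

The preview SELECT is the check to run before and after the UPDATE; only when it returns no rows is the stored data back to what users typed, and from then on a single mysql_real_escape_string() on the way in is the only escaping the search term needs.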
mrMarcus Posted December 10, 2009

> Prevention of calls to DROP TABLE and the like should be done at the MySQL permissions level.

To expand on that (for the OP), since this is something that I highly doubt the majority of people exercise: you are able to set the permissions on a DB from within your phpMyAdmin on a specific user. Once out of development and your site goes into live status, deny permissions to that DB user on actions such as DROP, ALTER, etc. Then those actions cannot be executed against that DB regardless of what injection these hacker dudes post.
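The permission lock-down mrMarcus describes, as an added example run from the mysql client rather than phpMyAdmin (this is not code from the thread). The account name `cars_web`, the host `localhost` and the password are placeholders; the `cars` database and `parts` table are the ones from the first post. One caveat worth knowing: PHP's mysql_query() sends a single statement, so an appended `; DROP TABLE parts` would not run in the OP's code anyway, but an injection into the WHERE clause or a UNION can still read data the page never meant to show, which is why the escaping stays necessary alongside these grants.

```sql
-- Added example, not part of the thread. Least-privilege MySQL account for the live site.
-- Placeholders: user cars_web, host localhost, the password. Run as a MySQL admin user.

-- A public search page only reads, so its account gets SELECT on the one table it queries.
CREATE USER 'cars_web'@'localhost' IDENTIFIED BY 'replace-with-a-long-random-password';
GRANT SELECT ON cars.parts TO 'cars_web'@'localhost';

-- If the same account also has to write (an admin form that adds parts), widen it to the
-- row-level statements only. Still no DROP, ALTER, CREATE, FILE or GRANT OPTION.
-- GRANT SELECT, INSERT, UPDATE, DELETE ON cars.* TO 'cars_web'@'localhost';

-- Trimming an existing over-privileged account instead of creating a new one:
-- REVOKE ALL PRIVILEGES, GRANT OPTION FROM 'existing_user'@'localhost';
-- GRANT SELECT ON cars.parts TO 'existing_user'@'localhost';

-- Verify what the account can do; nothing beyond USAGE and the one SELECT should appear.
SHOW GRANTS FOR 'cars_web'@'localhost';
-- On MySQL 5.x the output is roughly:
-- GRANT USAGE ON *.* TO 'cars_web'@'localhost' IDENTIFIED BY PASSWORD '...'
-- GRANT SELECT ON `cars`.`parts` TO 'cars_web'@'localhost'

-- The page then connects as this user: mysql_connect('localhost', 'cars_web', '<password>');
-- Any injected DROP TABLE parts now fails with
-- ERROR 1142 (42000): DROP command denied to user 'cars_web'@'localhost' for table 'parts'
```

Keep a separate account with broader rights for schema changes and run those from the shell or phpMyAdmin, never through the web application's credentials.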