siric Posted May 18, 2010 Share Posted May 18, 2010 Hi, I am doing a search on a table with a string that will be submitted by a user and want to prevent sql injection and am using mysql_real_escape_string. The thing is that my search is a wildcard search $search = mysql_real_escape_string($contains); $search = "%".$search."%"; If attempts an injection, the $search string equates to '%%', when then returns results for the entire table. Even if I add if ($calysponiansearch == '%%') { $calypsoniansearch = "%a"; } that does not work as the escaped characters are there but not displayed. How can I prevent this? Thanks Steve Link to comment https://forums.phpfreaks.com/topic/202109-sql-injection-prevention-and-wildcards/ Share on other sites More sharing options...
Mchl Posted May 18, 2010 Share Posted May 18, 2010 That has nothing to do with injection. Unless passing an empty string can be considered an injection... $search = mysql_real_escape_string($contains); if(!empty($search)) { $search = "%$search%"; } Link to comment https://forums.phpfreaks.com/topic/202109-sql-injection-prevention-and-wildcards/#findComment-1059905 Share on other sites More sharing options...
siric Posted May 18, 2010 Author Share Posted May 18, 2010 That has nothing to do with injection. Unless passing an empty string can be considered an injection... If I pass "" OR 1 in the $contains variable, I end up with $searchstring being equal to %% which then displays everything in the table. Link to comment https://forums.phpfreaks.com/topic/202109-sql-injection-prevention-and-wildcards/#findComment-1059981 Share on other sites More sharing options...
Mchl Posted May 18, 2010 Share Posted May 18, 2010 If I pass "" OR 1 in the $contains variable, I end up with $searchstring being equal to %% which then displays everything in the table. Did you ever check it? mysql_connect('localhost','root',''); $contains = '"" OR 1'; $search = mysql_real_escape_string($contains); $search = "%".$search."%"; echo $search; %\"\" OR 1% Link to comment https://forums.phpfreaks.com/topic/202109-sql-injection-prevention-and-wildcards/#findComment-1060018 Share on other sites More sharing options...
siric Posted May 18, 2010 Author Share Posted May 18, 2010 Hi, Problem was a misspelling on the variable that I assigned when I did the mysql_real_escape_strring :-\ Working too late at night!! Thanks for the help. Link to comment https://forums.phpfreaks.com/topic/202109-sql-injection-prevention-and-wildcards/#findComment-1060051 Share on other sites More sharing options...
Mchl Posted May 18, 2010 Share Posted May 18, 2010 Happens. That's why E_NOTICE error level is so useful Link to comment https://forums.phpfreaks.com/topic/202109-sql-injection-prevention-and-wildcards/#findComment-1060091 Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.