Jump to content

SQL Injection prevention and wildcards

siric

By siric
in MySQL Help

 Share

Recommended Posts

siric Member

siric

Posted
Posted

Hi,

 

I am doing a search on a table with a string that will be submitted by a user and want to prevent sql injection and am using mysql_real_escape_string.

 

The thing is that my search is a wildcard search

 

$search = mysql_real_escape_string($contains);
$search = "%".$search."%";

 

If attempts an injection, the $search string equates to '%%', when then returns results for the entire table.

 

Even if I add

if ($calysponiansearch == '%%') {
      $calypsoniansearch = "%a";
}

 

that does not work as the escaped characters are there but not displayed.

 

 

How can I prevent this?

 

Thanks

 

Steve

 

 

Link to comment
Share on other sites
Mchl Regular Member

Mchl

Posted
Posted

That has nothing to do with injection. Unless passing an empty string can be considered an injection...

 

$search = mysql_real_escape_string($contains);
if(!empty($search)) {
  $search = "%$search%";
}

Link to comment
Share on other sites
siric Member

siric

Posted
  • Author
Posted

That has nothing to do with injection. Unless passing an empty string can be considered an injection...

 

If I pass 

"" OR 1

in the $contains variable, I end up with $searchstring being equal to %% which then displays everything in the table.

 

 

 

 

Link to comment
Share on other sites
Mchl Regular Member

Mchl

Posted
Posted

If I pass 

"" OR 1

in the $contains variable, I end up with $searchstring being equal to %% which then displays everything in the table.

 

Did you ever check it?

 

mysql_connect('localhost','root','');

$contains = '"" OR 1';
$search = mysql_real_escape_string($contains);
$search = "%".$search."%";
echo $search;

 

%\"\" OR 1%
Link to comment
Share on other sites
This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing
×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.