robert_gsfame, posted March 12, 2011:

I have a search button to help users search for the text they are looking for. I use $_GET to pass the value and get it into my query, so it is simply like this when the value is passed in the URL: page.php?search=text. The problem is that when I try to modify it a bit, like this: page.php?search=">test, although I don't get any problem with the query (no ERROR), as I've replaced all special characters with a blank string, I always have this text appear on my page: test" />. What should I do to avoid this? If they can do whatever they want, it means there is room for an attacker to inject bad code. Thanks in advance.

Topic: https://forums.phpfreaks.com/topic/230400-help-with-this-small-question/
kenrbnsn, posted March 12, 2011:

Please post all of the script between code tags.

Ken
robert_gsfame, posted March 12, 2011:

So let's say I am looking for the word "hello". I use JavaScript to pass it to the URL and I will have this: mypage.php?search=hello. Then when I try to modify the URL and make it this way: mypage.php?search=">test, I have this text appear on my page: test" />. What to do?
kenrbnsn, posted March 12, 2011:

You're not making any sense. Please post your code.

Ken
robert_gsfame, posted March 12, 2011:

JavaScript part:

function searchtext() {
    var searchtext = document.getElementById("searchtext").value;
    if (searchtext == "") {
        alert("Please type what you are looking for!");
    } else {
        // encodeURIComponent() replaces the deprecated escape(); it also encodes
        // spaces, so the manual space-to-plus replacement is no longer needed
        window.location.href = "mypage.php?search=" + encodeURIComponent(searchtext);
    }
}

PHP and HTML code:

<?php
if (!empty($_GET['search'])) {
    // strip characters that could break the REGEXP pattern or the quoted SQL string
    $replacethis = array("%", "|", "*", "(", ")", "?", "`", "'", "^", "\\", "[", "]", ":", ";", ",", "_", "<", ">", "\"", "{", "}", "/");
    $search1 = str_replace($replacethis, "", trim($_GET['search']));
    // PHP has already URL-decoded $_GET, so no second urldecode() is needed
    $search2 = explode(" ", $search1);
    $totalsearch = "";
    for ($i = 0; $i < count($search2); $i++) {
        // htmlspecialchars() is an HTML encoder; it is the quote stripping above,
        // not this call, that keeps the single-quoted SQL pattern intact
        $totalsearch = $totalsearch . " name REGEXP '[[:<:]]" . htmlspecialchars($search2[$i]) . "[[:>:]]'=1 OR";
    }
    // drop the trailing " OR" and wrap the terms in an AND(...) clause
    $totalsearch2 = " AND(" . substr($totalsearch, 0, strlen($totalsearch) - 3) . ")";
    $q = $totalsearch2;
} else {
    $q = "";
}
?>
<form name="form1">
<input type="text" id="searchtext">
<input type="button" value="Search" onclick="searchtext()">
</form>

No error appears, only the text appears.
robert_gsfame, posted March 12, 2011:

Okay, I got it now... there is a hidden text, something that made this happen. Thanks. How can I mark this as solved? Where is the button?
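The residue the thread shows (test" />) is what you get when a search term is written back into the value="..." attribute of a self-closing element without being encoded for that context, which is consistent with the "hidden text" the poster found. The example below is added here and is not code from the thread; the hidden element's name and shape, and the probe string, are assumptions. It puts the vulnerable rendering beside the hardened one so the difference is visible.

```php
<?php
// Added example, not code from the thread. It shows why  ">test  escaped the
// search box: the term was written back into an HTML attribute without being
// encoded for that context. Stripping characters from the input does not fix
// this; encoding on output, for the context the value lands in, does.

// Vulnerable form (assumed shape of the hidden element the poster found): the
// raw query-string value is concatenated straight into value="...".
function renderSearchBoxUnsafe(string $term): string
{
    return '<input type="hidden" id="lastsearch" value="' . $term . '" />';
}

// Hardened form: htmlspecialchars() with ENT_QUOTES turns " and ' into
// &quot; and &#039;, and < and > into &lt; and &gt;, so the term can neither
// close the attribute nor open a tag. ENT_SUBSTITUTE keeps invalid UTF-8
// from silently turning the whole output into an empty string.
function encodeAttr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function renderSearchBoxSafe(string $term): string
{
    return '<input type="hidden" id="lastsearch" value="' . encodeAttr($term) . '" />';
}

// Constructed probe (assumption), in the same shape as the one in the thread,
// with a script tag added so the impact of breaking out is visible.
$probe = '">test<script>alert(document.cookie)</script>';

echo "Unsafe:\n", renderSearchBoxUnsafe($probe), "\n\n";
echo "Safe:\n", renderSearchBoxSafe($probe), "\n";

// Real request: the same encoder applies to every place the term is echoed
// as HTML text or attribute content. A value placed inside a JavaScript
// string or a URL needs a different encoder for that context.
if (isset($_GET['search'])) {
    echo renderSearchBoxSafe((string) $_GET['search']), "\n";
}
```

Run it from the command line to see both renderings; in the unsafe one the attribute ends at the injected quote and the rest of the probe lands in the page body, in the safe one the whole probe stays inside the attribute and the browser displays it as text. The same context rule applies to the query builder in the posted script: htmlspecialchars() is an HTML encoder, not an SQL one, and the right place for search terms in a query is a prepared statement with bound parameters rather than a stripped-down string.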