robert_gsfame Posted March 12, 2011

I have a search button to help users search for the text they are looking for, and I use $_GET to pass the value and get it into my query. So it is simply like this when the value is passed into the URL:

    page.php?search=text

The problem is that when I try to modify it a bit like this:

    page.php?search=">test

although I don't get any problem with the query (ERROR), as I've replaced all special characters with a blank string, I always have this text appear on my page:

    test" />

What should I do to avoid this? If they can do whatever they want, it means there is space for an attacker to inject bad code.

Thanks in advance

kenrbnsn Posted March 12, 2011

Please post all of the script between tags.

Ken

robert_gsfame (Author) Posted March 12, 2011

So let's say I am looking for the word "hello". I use JavaScript to pass it to the URL and I will have this:

    mypage.php?search=hello

Then when I try to modify the URL and make it this way:

    mypage.php?search=">test

I have this text appear on my page:

    test" />

What to do?

kenrbnsn Posted March 12, 2011

You're not making any sense. Please post your code.

Ken

robert_gsfame (Author) Posted March 12, 2011

javascript part

    function searchtext() {
        var searchtext = document.getElementById("searchtext").value;
        if (searchtext == "") {
            alert("Please type what you are looking!");
        } else {
            // Spaces become '+', then the value is appended to the URL
            window.location.href = "mypage.php?search=" + escape(searchtext.replace(/ /g, '+'));
        }
    }

php & html code

    <?php
    if(!empty($_GET['search'])) {
        // Characters removed from the search value before it is used in the query
        $replacethis=array("%","|","*","(",")","?","`","'","^","\\","[","]",":",";",",","_","<",">","\"","{","}","/");
        $replaceby=array("","","","","","","","","","","","","","","","","","","","","","");
        $search1=str_replace($replacethis,$replaceby,trim($_GET['search']));
        $search2=explode(" ",urldecode($search1));
        $totalsearch="";
        // One whole-word REGEXP condition per search word, joined with OR
        for($i=0;$i<count($search2);$i++) {
            $totalsearch=$totalsearch." name REGEXP '[[:<:]]".htmlspecialchars($search2[$i])."[[:>:]]'=1 OR";
        }
        // Drop the trailing " OR" and wrap the conditions in AND( ... )
        $totalsearch2=" AND(".substr($totalsearch,0,strlen($totalsearch)-3).")";
        $q=$totalsearch2;
    } else {
        $q="";
    }
    ?>
    <form name="form1">
    <input type="text" id="searchtext">
    <input type="button" value="Search" onclick="javascript:searchtext()">
    </form>

No error appears, only the text appears.

robert_gsfame (Author) Posted March 12, 2011

Okay, I got it now... there is a hidden text something that made this happen. Thanks.

How can I mark this as solved? Where is the button?

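An added example, not code from the thread: the last post points to a hidden field that echoes the search value, so this sketch shows the same value encoded for the HTML attribute context and, separately, bound as a query parameter for the REGEXP instead of being concatenated. The hidden input named `search`, the table `items` and both function names are assumptions made for illustration.

```php
<?php
// Added example. Field, table and function names are hypothetical.

// HTML attribute context: encode on output, covering both quote styles,
// so a value such as ">test cannot close the attribute or the tag.
function hidden_search_field(string $raw): string
{
    $safe = htmlspecialchars($raw, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="hidden" name="search" value="' . $safe . '" />';
}

// SQL context: allowlist each word, then bind it as a parameter.
// Returns [WHERE fragment, parameter list] for PDO::prepare() / execute().
function build_search_clause(string $raw): array
{
    $clauses = [];
    $params  = [];
    $words = preg_split('/\s+/u', trim($raw), -1, PREG_SPLIT_NO_EMPTY) ?: [];
    foreach ($words as $word) {
        // Keep letters and digits only, so no regex metacharacter reaches REGEXP.
        $word = preg_replace('/[^\p{L}\p{N}]/u', '', $word) ?? '';
        if ($word === '') {
            continue;
        }
        $clauses[] = 'name REGEXP ?';
        // Word-boundary syntax taken from the code posted in the thread.
        $params[]  = '[[:<:]]' . $word . '[[:>:]]';
    }
    if ($clauses === []) {
        return ['', []];
    }
    return [' AND (' . implode(' OR ', $clauses) . ')', $params];
}

// Constructed input: the value from the thread's URL plus a second word.
$raw = '">test hello';

echo hidden_search_field($raw), PHP_EOL;

[$where, $params] = build_search_clause($raw);
echo 'SELECT name FROM items WHERE 1=1' . $where, PHP_EOL;
print_r($params);
```

The two functions are independent on purpose: the encoding that makes the value safe inside an HTML attribute is not the one that makes it safe inside a query, so each is applied at the point of use.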