rcorlew Posted June 30, 2007 Share Posted June 30, 2007 Currently I am using mysql_real_escape_string help stop sql injection, but I am running a boolean search that explodes the input into an array. Each space separated item/word is an item in the array, and then it is queried with the following code: <?php $query = "SELECT id, title, location, page_text, MATCH(title,page_text) AGAINST('+$expanded[0] ~$expanded[1] ~$expanded[2] ~$expanded[3]' IN BOOLEAN MODE) AS score FROM pages WHERE MATCH (title,page_text) AGAINST ('+$expanded[0] ~$expanded[1] ~$expanded[2] ~$expanded[3]' IN BOOLEAN MODE) ORDER BY score DESC"; ?> My question is this, isn't the boolean search itself removed from the threat of sql inection with out having to escape anything? Quote Link to comment https://forums.phpfreaks.com/topic/57839-boolean-searches-and-sql-injection/ Share on other sites More sharing options...
fenway Posted July 1, 2007 Share Posted July 1, 2007 No.... everything is at risk Quote Link to comment https://forums.phpfreaks.com/topic/57839-boolean-searches-and-sql-injection/#findComment-287039 Share on other sites More sharing options...
rcorlew Posted July 1, 2007 Author Share Posted July 1, 2007 That is what I was thinking, so I added the escape string to start off with, I just wish I could figure out how to not escape things like 's and 't , which are things which would be searched for on this site for example .. Crohn’s disease I am sure that I can add that to the real-escape_string parameters like many other thinks like string functions. Quote Link to comment https://forums.phpfreaks.com/topic/57839-boolean-searches-and-sql-injection/#findComment-287043 Share on other sites More sharing options...
fenway Posted July 10, 2007 Share Posted July 10, 2007 That is what I was thinking, so I added the escape string to start off with, I just wish I could figure out how to not escape things like 's and 't , which are things which would be searched for on this site for example .. Crohn’s disease I am sure that I can add that to the real-escape_string parameters like many other thinks like string functions. I don't understand... how is escaping a problem for you? Quote Link to comment https://forums.phpfreaks.com/topic/57839-boolean-searches-and-sql-injection/#findComment-294597 Share on other sites More sharing options...
rcorlew Posted July 10, 2007 Author Share Posted July 10, 2007 It's not a problem except for the fact that my new web host has some rather odd security features in place. For instance: If you post an apostrophe into sql it turns it into this ’, I have written a function to replace all forms of characters so I should not face this again. I am about to drop this web host, they have some insane security features that inherently make sites less secure, so I am on the lookout. But that is for another topic anyway. Quote Link to comment https://forums.phpfreaks.com/topic/57839-boolean-searches-and-sql-injection/#findComment-294759 Share on other sites More sharing options...
fenway Posted July 11, 2007 Share Posted July 11, 2007 If you post an apostrophe into sql it turns it into this ’, I have written a function to replace all forms of characters so I should not face this again. Sounds like a fancy quote from Word or some other rich-text program. Quote Link to comment https://forums.phpfreaks.com/topic/57839-boolean-searches-and-sql-injection/#findComment-295392 Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.