Jump to content

Boolean searches and sql injection.

rcorlew

By rcorlew
in MySQL Help

 Share

Recommended Posts

rcorlew Member

rcorlew

Posted
Posted

Currently I am using mysql_real_escape_string help stop sql injection, but I am running a boolean search that explodes the input into an array. Each space separated item/word  is an item in the array, and then it is queried with the following code:

 

<?php
$query = "SELECT id, title, location, page_text, MATCH(title,page_text) AGAINST('+$expanded[0] ~$expanded[1] ~$expanded[2] ~$expanded[3]' IN BOOLEAN MODE) AS score FROM pages WHERE MATCH (title,page_text) AGAINST ('+$expanded[0] ~$expanded[1] ~$expanded[2] ~$expanded[3]' IN BOOLEAN MODE)  ORDER BY score DESC";
?>

 

My question is this, isn't the boolean search itself removed from the threat of sql inection with out having to escape anything?

Link to comment
Share on other sites
rcorlew Member

rcorlew

Posted
  • Author
Posted

That is what I was thinking, so I added the escape string to start off with, I just wish I could figure out how to not escape things like 's  and 't , which are things which would be searched for on this site for example ..

 

Crohn’s disease

 

I am sure that I can add that to the real-escape_string parameters like many other thinks like string functions.

Link to comment
Share on other sites
  • 2 weeks later...
fenway Advanced Member

fenway

Posted
Posted

That is what I was thinking, so I added the escape string to start off with, I just wish I could figure out how to not escape things like 's  and 't , which are things which would be searched for on this site for example ..

 

Crohn’s disease

 

I am sure that I can add that to the real-escape_string parameters like many other thinks like string functions.

 

I don't understand... how is escaping a problem for you?

Link to comment
Share on other sites
rcorlew Member

rcorlew

Posted
  • Author
Posted

It's not a problem except for the fact that my new web host has some rather odd security features in place.

 

For instance:

 

If you post an apostrophe into sql it turns it into this ’, I have written a function to replace all forms of characters so I should not face this again.

 

I am about to drop this web host, they have some insane security features that inherently make sites less secure, so I am on the lookout.

 

But that is for another topic anyway.

Link to comment
Share on other sites
fenway Advanced Member

fenway

Posted
Posted

If you post an apostrophe into sql it turns it into this ’, I have written a function to replace all forms of characters so I should not face this again.

 

Sounds like a fancy quote from Word or some other rich-text program.

Link to comment
Share on other sites
This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing
×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.