Snatch Posted January 3, 2008

Hi, I've implemented a search box in my site for users to search for products using the following code:

```php
// Get the word submitted by the form
$searchTitle = $_GET["search"];

if (!empty($searchTitle)) {
    print " Looking for products containing $searchTitle <br><br/>";

    // Get the order method if one has been passed to this page
    $order = isset($_GET["order"]) ? $_GET["order"] : "";

    // Create query - matches the search term against the product name or brand
    $query = "SELECT * FROM products WHERE name like '%$searchTitle%' or brand like '%$searchTitle%'";

    // Use the ordering if an order has been passed
    if ($order != "") {
        $query = $query . " order by $order ";
    }
    //print $query;

    // Execute query
    $result = mysql_query($query) or die("Error in query");

    // See if any rows were returned
    if (mysql_num_rows($result) > 0) {
        echo "<div id=sortactions>" .
             "Order results by: " .
             "<a href='search.php?search=$searchTitle&order=name'>Name / </a>" .
             "<a href='search.php?search=$searchTitle&order=price'>Price</a></div>";

        while ($row = @mysql_fetch_array($result)) {
            echo "<div id=browsestyle><table width=80% border=0>" .
                 "<tr>" .
                 "<td width=10% valign=top rowspan=9><span id=imgpad><img src=" . $row["image"] . " height=50 width=50 /></span></td></tr>" .
                 "<tr><td width=25% valign=top><strong>Brand: </strong></td><td width=75% valign=top>" . $row["brand"] . "</td></tr>" .
                 "<tr><td width=25% valign=top><strong>Name: </strong></td><td width=75% valign=top><a href = 'getprod.php?prodid=" . $row["id"] . "'>" . $row["name"] . "</a></td></tr>" .
                 "<tr><td width=25% valign=top><strong>Price: </strong></td><td width=65% valign=top>" . $row["price"] . "</td></tr>" .
                 "</table></div>";
        }
    } else {
        // Print status message
        echo "No Results Found!";
    }

    // Free result set memory
    mysql_free_result($result);

    // Close connection
    mysql_close($conn);
}
```

I've been told this isn't secure. I'm guessing I need something like strip tags in the code?

Please could someone suggest what needs to be done to make it secure and, if possible, point me to an example? Mucho gracias!

https://forums.phpfreaks.com/topic/84343-secure-search-box/
Snatch Posted January 3, 2008 (Author)

Ok, I think I've sussed strip tags. I did this and it seems to be working:

```php
// Get the word submitted by the form
$searchTitle = $_GET["search"];
$searchTitle = strip_tags($searchTitle); // strip tags

if (!empty($searchTitle)) {
    print " Looking for products containing $searchTitle <br><br/>";

    // Get the order method if one has been passed to this page
    $order = isset($_GET["order"]) ? $_GET["order"] : "";

    // Create query - matches the search term against the product name or brand
    $query = "SELECT * FROM products WHERE name like '%$searchTitle%' or brand like '%$searchTitle%'";

    // Use the ordering if an order has been passed
    if ($order != "") {
        $query = $query . " order by $order ";
    }
    //print $query;

    // Execute query
    $result = mysql_query($query) or die("Error in query");

    // See if any rows were returned
    if (mysql_num_rows($result) > 0) {
        echo "<div id=sortactions>" .
        // ... remainder unchanged from the first post
```

Is there anything else I should do to make it secure?
redarrow Posted January 3, 2008

Look up regex, regular expressions.
Snatch Posted January 3, 2008 (Author)

Thanks redarrow, my code now looks like this:

```php
// Get the word submitted by the form
$searchTitle = $_GET["search"];
$searchTitle = strip_tags($searchTitle); // strip tags
$searchTitle = preg_replace("/[^a-zA-Z0-9\s]+/", "", $searchTitle); // Regex, only allow alphanumeric
```

Again, it seems to be working. Any other suggestions, or is there a more efficient way to write the code?
redarrow Posted January 3, 2008

Yep, your GETs need more. Example: setting a condition to get:

```php
<?php
if (isset($_GET['whatever']) && $_GET['whatever'] == "whatever") {
    // set the get......
} else {
    // go away
}
?>
```
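The thread's search page, rewritten as an added example (not the poster's or any reply's code) to show the two fixes the thread circles around: the `$searchTitle` and `$order` values never become part of the SQL text (a prepared statement for the term, a whitelist for the ORDER BY column), and every value echoed into the page is HTML-escaped. It assumes a MySQL database reachable through PDO; the DSN, credentials and database name are placeholders, while the table and column names are the thread's.

```php
<?php
// Added example, not the poster's code: the thread's search rewritten so that
// request values never become part of the SQL text and are escaped on output.
// The DSN and credentials are placeholders; the table and columns are the thread's.
$pdo = new PDO('mysql:host=localhost;dbname=shop;charset=utf8mb4', 'dbuser', 'dbpass', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
]);

// HTML-escape everything echoed to the page (covers the search term and DB values)
function h($s) { return htmlspecialchars((string)$s, ENT_QUOTES, 'UTF-8'); }

// ORDER BY cannot be a bound parameter, so the request only picks a key;
// the SQL fragment always comes from this whitelist, never from $_GET.
$allowedOrder = ['name' => 'name', 'price' => 'price'];
$searchTitle  = isset($_GET['search']) ? trim($_GET['search']) : '';
$orderKey     = isset($_GET['order']) ? $_GET['order'] : '';
$orderSql     = isset($allowedOrder[$orderKey]) ? ' ORDER BY ' . $allowedOrder[$orderKey] : '';

if ($searchTitle !== '') {
    echo 'Looking for products containing ' . h($searchTitle) . '<br><br>';

    // Escape LIKE wildcards so % and _ typed by the user match literally
    // (MySQL's default LIKE escape character is the backslash).
    $like = '%' . addcslashes($searchTitle, '%_\\') . '%';

    $stmt = $pdo->prepare('SELECT id, image, brand, name, price FROM products'
                        . ' WHERE name LIKE :t1 OR brand LIKE :t2' . $orderSql);
    $stmt->execute([':t1' => $like, ':t2' => $like]);
    $rows = $stmt->fetchAll(PDO::FETCH_ASSOC);

    if ($rows) {
        // Sort links: the term is URL-encoded for the query string, then HTML-escaped
        $base = 'search.php?search=' . urlencode($searchTitle) . '&order=';
        echo '<div id="sortactions">Order results by: '
           . '<a href="' . h($base . 'name') . '">Name</a> / '
           . '<a href="' . h($base . 'price') . '">Price</a></div>';
        foreach ($rows as $row) {
            echo '<div id="browsestyle"><table width="80%" border="0">'
               . '<tr><td rowspan="3"><img src="' . h($row['image']) . '" height="50" width="50" /></td></tr>'
               . '<tr><td><strong>Brand: </strong></td><td>' . h($row['brand']) . '</td></tr>'
               . '<tr><td><strong>Name: </strong></td><td><a href="getprod.php?prodid='
               . h(urlencode($row['id'])) . '">' . h($row['name']) . '</a></td></tr>'
               . '<tr><td><strong>Price: </strong></td><td>' . h($row['price']) . '</td></tr>'
               . '</table></div>';
        }
    } else {
        echo 'No Results Found!';
    }
}
```

With the term bound as data, `strip_tags` and the alphanumeric regex are no longer what keeps the query safe, so users can search for names containing apostrophes or hyphens; the whitelist is what stops an arbitrary `order` value from reaching the SQL.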