Search engine, how to? Pre-coded Script?
Hello everyone,
I have a database with a table and like 10 rows (id, user, bio, age, sex, hobbies ..) and I would like to create a search on this for my site.
Search queries should look like domain.com/search.php?sex=male, domain.com/search.php?age=19 and domain.com/search.php?hobbies=swimming.
It should then spit out all the users with hobby "swimming" or age "19", for example.
Does anyone know if there is a pre-coded script for stuff like that?
I already tried Google but most of the scripts/tutorials didn't fit my needs.
- raghavan20
- DevNet Resident
- Posts: 1451
- Joined: Sat Jun 11, 2005 6:57 am
- Location: London, UK
- Contact:
It's not really worth searching Google for a normal search like this.
This should be your answer.
Now here you assume a URL of the form search.php?field_name=field_value:
field_name (the URL variable) can be age, sex, ...
field_value will be the value of field_name.
Code:
<?php
// Take the single name=value pair from the query string, e.g. ?age=19
$field_name  = key($_GET);
$field_value = current($_GET);
print_r($_GET); echo "<br />";
echo $field_name . "<br />";
// Both the field name and the value are interpolated straight into the SQL text
$query = "select * from `table_name` where `$field_name` = '$field_value'";
echo $query;
?>
- raghavan20
$ corrected.
Hope this would counter SQL injection.
It was a bit complex, as we don't know the field_name and the format/type of field_value.
Code:
<?php
// You should know all the fields on which a search can be made; list them here
$fields = array('field1', 'field2', 'field3', 'field4');
$sqlKeywords = array('insert', 'select', 'alter', 'drop', 'delete');
// Take the single name=value pair from the query string
$field_name  = key($_GET);
$field_value = current($_GET);
print_r($_GET); echo "<br />";
echo $field_name . "<br />";
$valid = 1; // initially the value is assumed to be clean
// only proceed if the search field is one of the fields defined above
if (in_array($field_name, $fields)) {
    // search for sql keywords in the field_value
    for ($i = 0; $i < count($sqlKeywords); $i++) {
        if (strstr($field_value, $sqlKeywords[$i])) {
            $valid = 0; // flag as unclean: contains a possible sql injection keyword
        }
    }
    if ($valid == 0) {
        echo "Suspected sql injection!!!";
    } else {
        $query = "select * from `table_name` where `$field_name` = '$field_value'";
        echo $query;
    }
} else {
    echo "Suspected sql injection!!!";
}
?>
Last edited by raghavan20 on Sat Sep 10, 2005 9:01 am, edited 2 times in total.
- feyd
- Neighborhood Spidermoddy
- Posts: 31559
- Joined: Mon Mar 29, 2004 3:24 pm
- Location: Bothell, Washington, USA
Since you're not "fixing" magic quotes, any query with apostrophes in it could jump out of the value component. If that's possible, I could potentially inject a union that'd grab the whole users table, likely getting their passwords and other "confidential" information.
Your filtering also could easily create false positives, because a string of 'insert' is perfectly valid.
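An added example (not code from raghavan20 or feyd) of the search.php that addresses both points above: the column name is checked against a strict whitelist, and the value is bound with a prepared statement, so an apostrophe cannot break out of the string and an ordinary word like "insert" is not rejected. The users table, its columns, the sample rows and the in-memory SQLite database via PDO are assumptions constructed for the demo.

```php
<?php
// Whitelist of searchable columns: the column name is the only part of the
// query text that is interpolated, and it must match one of these exactly.
const SEARCHABLE = ['user', 'age', 'sex', 'hobbies'];

function searchUsers(PDO $db, array $get): array
{
    // Accept exactly one name=value pair, e.g. ?hobbies=swimming
    if (count($get) !== 1) {
        throw new InvalidArgumentException('Expected exactly one search field');
    }
    $field = (string) key($get);
    $value = (string) current($get);

    // Strict whitelist check on the column name; no keyword blacklist needed
    if (!in_array($field, SEARCHABLE, true)) {
        throw new InvalidArgumentException('Unknown search field');
    }

    // The value never becomes part of the SQL text: it is bound as a parameter
    $stmt = $db->prepare(
        "SELECT id, user, age, sex, hobbies FROM users WHERE `$field` = :v"
    );
    $stmt->execute([':v' => $value]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed in-memory SQLite table and rows for the demo (assumed schema)
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, user TEXT, bio TEXT,
           age INTEGER, sex TEXT, hobbies TEXT)");
$db->exec("INSERT INTO users (user, bio, age, sex, hobbies) VALUES
    ('alice', 'hi', 19, 'female', 'swimming'),
    ('bob', 'yo', 25, 'male', 'insert coin'),
    ('carol', 'hey', 19, 'female', 'chess')");

// A normal search, a value that contains an SQL keyword (no false positive),
// and a value with an apostrophe (stays a plain string, returns no rows).
print_r(searchUsers($db, ['age' => '19']));
print_r(searchUsers($db, ['hobbies' => 'insert coin']));
print_r(searchUsers($db, ['user' => "x' OR '1'='1"]));

// A column name that is not whitelisted is refused before any SQL is built.
try {
    searchUsers($db, ['password' => 'anything']);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";
}
```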