Search engine, how to? Pre-coded Script?

smudda
Forum Newbie
Posts: 3
Joined: Sat Sep 10, 2005 4:39 am

Post by smudda »

hello everyone,

i have a database with a table and like 10 rows (id, user, bio, age, sex, hobbies ..) and i would like to create a search on this for my site.

search queries should look like domain.com/search.php?sex=male, domain.com/search.php?age=19 and domain.com/search.php?hobbies=swimming

it should then spit out all the users with like hobby "swimming" or age "19".

does anyone know if there is a pre-coded script for stuff like that?
i already tried Google but most of the scripts/tutorials didn't fit my needs.
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

8O it isn't all that hard to write your own for this.. we can discuss how, but you get to do the work. ;)
raghavan20
DevNet Resident
Posts: 1451
Joined: Sat Jun 11, 2005 6:57 am
Location: London, UK

Post by raghavan20 »

it's not really worth searching for this normal search on google

this should be your answer.

now here you assume in search.php?field_name=field_value
field_name url variable can be age, sex....
field_value will be the value of the field_name

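Code:

// take the first query-string parameter as field name / value
// (each() was removed in PHP 8; key()/current() read the same first pair)
$field_name = key($_GET);
$field_value = current($_GET);
print_r($_GET);
echo "<br />";
echo $field_name."<br />";
// field name and value go into the SQL string exactly as received
$query = "select * from `table_name` where `$field_name` = '$field_value'";
echo $query;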

Post by feyd »

warning: that is a massive security hole. :)

$ corrected

Post by raghavan20 »

hope this would counter sql injection.
it was a bit complex as we don't know the field_name and the format/type of field_value

Code:

<?php
//you should know all the fields on which you are going to make a search; write them below
$fields = array('field1', 'field2', 'field3', 'field4');
$sqlKeywords = array('insert', 'select', 'alter', 'drop', 'delete');
//each() was removed in PHP 8; key()/current() read the same first parameter
$field_name = key($_GET);
$field_value = current($_GET);
print_r($_GET);
echo "<br />";
echo $field_name."<br />";
//if the search field is an item of the array defined above
$valid = 1; //initially the value is assumed to be clean
if (in_array($field_name, $fields)){
	//search for sql keywords in the field_value
	for ($i = 0; $i < count($sqlKeywords); $i++){
		if (strstr($field_value, $sqlKeywords[$i])){
			$valid = 0; //set the value as unclean containing possible sql injection keywords
		}
	}
	if ($valid == 0){
		echo "Suspected sql injection!!!";
	}else{
		$query = "select * from `table_name` where `$field_name` = '$field_value'";
		echo $query;
	}
}else{
	echo "Suspected sql injection!!!";
}
?>
Last edited by raghavan20 on Sat Sep 10, 2005 9:01 am, edited 2 times in total.

Post by feyd »

missing a $ in front of a field_value ;)

and it could still allow SQL injection, just of more benign things (in this particular case)

Post by raghavan20 »

can you give an example query which can break the above code???

Post by feyd »

since you're not "fixing" magic quotes, any query with apostrophes in it could jump out of the value component. If that's possible, I could potentially inject a union that'd grab the whole user's table, likely getting their passwords and other "confidential" information.

Your filtering also could easily create false positives because a string of 'insert' is perfectly valid. ;)

Post by raghavan20 »

pls give me an example, i could not think of a query from your post.
i want to understand this better so that i can make more secure scripts.

Post by feyd »

  1. turn off magic quotes.
  2. query the page with something like foo.php?age=6'+UNION+SELECT+*+FROM+`someOtherTable`+WHERE+'1
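
An added example, not part of the original thread: one way to build the search discussed above so that the field name comes from an allowlist and the value is passed as a bound parameter instead of being quoted into the SQL string. The `users` table, its rows and the `searchUsers` helper are constructed for illustration, and an in-memory SQLite database via PDO is assumed so it runs without a server.

```php
<?php
// Added example: table layout and rows are constructed for illustration.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, user TEXT, age INTEGER, sex TEXT, hobbies TEXT)");
$pdo->exec("INSERT INTO users (user, age, sex, hobbies) VALUES
    ('anna', 19, 'female', 'swimming'), ('ben', 6, 'male', 'insert coins arcade')");

// Allowlist: public parameter name => column identifier written by us, never by the client.
const SEARCHABLE = ['age' => 'age', 'sex' => 'sex', 'hobbies' => 'hobbies'];

function searchUsers(PDO $pdo, array $params): array
{
    $where = [];
    $bind = [];
    foreach ($params as $name => $value) {
        if (!array_key_exists($name, SEARCHABLE)) {
            throw new InvalidArgumentException("unknown search field");
        }
        if (!is_string($value)) { // e.g. age[]=1 arrives as an array
            throw new InvalidArgumentException("invalid search value");
        }
        $where[] = SEARCHABLE[$name] . ' = ?'; // only the placeholder enters the SQL text
        $bind[] = $value;
    }
    if (!$where) {
        return [];
    }
    $sql = 'SELECT id, user, age, sex, hobbies FROM users WHERE ' . implode(' AND ', $where);
    $stmt = $pdo->prepare($sql);
    $stmt->execute($bind); // values travel separately from the statement
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Parameters as PHP would decode them from the query string (constructed samples).
$samples = [
    ['age' => '19'],
    ['hobbies' => 'insert coins arcade'],   // legitimate value that contains an SQL keyword
    ['age' => "6' UNION SELECT * FROM `someOtherTable` WHERE '1"], // value from the last post
    ['password' => 'x'],                    // field that is not on the allowlist
];
foreach ($samples as $params) {
    try {
        printf("%s => %d row(s)\n", json_encode($params), count(searchUsers($pdo, $params)));
    } catch (InvalidArgumentException $e) {
        printf("%s => rejected: %s\n", json_encode($params), $e->getMessage());
    }
}
```

Because the value is bound rather than concatenated, no keyword filter is needed, so a hobby containing the word "insert" is searched like any other string.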