Search engine, how to? Pre-coded Script?
Posted: Sat Sep 10, 2005 4:40 am
by smudda
hello everyone,
i have a database with a table and like 10 rows (id, user, bio, age, sex, hobbies ..) and i would like to create a search on this for my site.
search queries should look like domain.com/search.php?sex=male, domain.com/search.php?age=19 and domain.com/search.php?hobbies=swimming
it should then spit out all the users with like hobby "swimming" or age "19".
does anyone know if there is a pre-coded script for stuff like that?
i already tried Google but most of the scripts/tutorials didn't fit my needs.
Posted: Sat Sep 10, 2005 7:29 am
by feyd

it isn't all that hard to write your own for this.. we can discuss how, but you get to do the work.

Posted: Sat Sep 10, 2005 8:30 am
by raghavan20
it's not really worth searching for this normal search on google
this should be your answer.
now here you assume in search.php?field_name=field_value
field_name url variable can be age, sex....
field_value will be the value of the field_name
Code:
list($key, $value) = each($_GET);
$field_name = $key;
$field_value = $value;
print_r($_GET)."<br />";
echo $field_name."<br />";
$query = "select * from `table_name` where `$field_name` = '$field_value'";
echo $query;
Posted: Sat Sep 10, 2005 8:32 am
by feyd
warning: that is a massive security hole.

$ corrected
Posted: Sat Sep 10, 2005 8:48 am
by raghavan20
hope this would counter sql injection.
it was a bit complex as we don't know the field_name and the format/type of field_value
Code:
<?php
//you should be knowing all the fields on which you are going to make a search; write them below
$fields = array('field1', 'field2', 'field3', 'field4');
$sqlKeywords = array('insert', 'select', 'alter', 'drop', 'delete');
list($key, $value) = each($_GET);
$field_name = $key;
$field_value = $value;
print_r($_GET)."<br />";
echo $field_name."<br />";
//if the search field is an item of the array defined above
$valid = 1; //initially the value is assumed to clean
if (in_array($field_name, $fields)){
    //search for sql keywords in the field_value
    for ($i = 0; $i < count($sqlKeywords); $i++){
        if (strstr($field_value, $sqlKeywords[$i])){
            $valid = 0; //set the value as unclean containing possible sql injection keywords
        }
    }
    if (valid == 0){
        echo "Suspected sql injection!!!";
    }else{
        $query = "select * from `table_name` where `$field_name` = '$field_value'";
        echo $query;
    }
}else{
    echo "Suspected sql injection!!!";
}
?>
Posted: Sat Sep 10, 2005 8:54 am
by feyd
missing a $ in front of a field_value
and it could still allow SQL injection, just of more benign things (in this particular case)
Posted: Sat Sep 10, 2005 9:00 am
by raghavan20
can you give an example query which can break the above code???
Posted: Sat Sep 10, 2005 9:04 am
by feyd
since you're not "fixing" magic quotes, any query with apostrophes in it could jump out of the value component. If that's possible, I could potentially inject a union that'd grab the whole user's table, likely getting their passwords and other "confidential" information.
Your filtering also could easily create false positives because a string of 'insert' is perfectly valid.

Posted: Sat Sep 10, 2005 9:14 am
by raghavan20
pls give me an example, i could not think of a query from your post.
i want to understand this better so that i can make more secure scripts.
Posted: Sat Sep 10, 2005 9:27 am
by feyd
- turn off magic quotes.
- query the page with something like foo.php?age=6'+UNION+SELECT+*+FROM+`someOtherTable`+WHERE+'1
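An added example, not written by any poster in this thread: one way to build the search so that the apostrophe case described above stays data instead of becoming SQL. It checks the column name against an allow-list and binds the value as a parameter, with no keyword filter. PDO with an in-memory SQLite database, the `users` table, the `searchUsers` function and the sample rows are assumptions constructed for the demonstration.

```php
<?php
// Added example: allow-list the column name, bind the value as a parameter.
// Table name, function name and sample rows are constructed for this demo.

const SEARCHABLE = ['age', 'sex', 'hobbies'];   // columns a visitor may search on

function searchUsers(PDO $db, array $get): array
{
    // Keep only request parameters whose name exactly matches the allow-list.
    $criteria = array_intersect_key($get, array_flip(SEARCHABLE));
    if ($criteria === []) {
        throw new InvalidArgumentException('no searchable field supplied');
    }

    $where  = [];
    $params = [];
    foreach ($criteria as $column => $value) {
        if (!is_string($value)) {               // rejects array input such as ?age[]=1
            throw new InvalidArgumentException("bad value for $column");
        }
        // $column is one of our own constants at this point, never raw input.
        $where[]            = "$column = :$column";
        $params[":$column"] = $value;
    }

    $sql  = 'SELECT id, user, age, sex, hobbies FROM users WHERE '
          . implode(' AND ', $where);
    $stmt = $db->prepare($sql);
    $stmt->execute($params);                    // values travel separately from the SQL text
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed in-memory data so the script runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, user TEXT, age TEXT, sex TEXT, hobbies TEXT)');
$db->exec("INSERT INTO users (user, age, sex, hobbies) VALUES
           ('ann', '19', 'female', 'swimming'), ('bob', '6', 'male', 'chess')");

// A normal search, then the URL-decoded value from the last post in the thread.
var_dump(count(searchUsers($db, ['age' => '19'])));
var_dump(count(searchUsers($db, ['age' => "6' UNION SELECT * FROM `someOtherTable` WHERE '1"])));
```

Because the value is bound, a legitimate search term containing an apostrophe or the word "insert" is compared as an ordinary string, which also avoids the false positives mentioned earlier in the thread.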