
Search engine, how to? Pre-coded Script?

Posted: Sat Sep 10, 2005 4:40 am
by smudda
hello everyone,

I have a database with a table and like 10 rows (id, user, bio, age, sex, hobbies ..) and I would like to create a search on this for my site.

search queries should look like domain.com/search.php?sex=male, domain.com/search.php?age=19 and domain.com/search.php?hobbies=swimming

it should then spit out all the users with like hobby "swimming" or age "19".

does anyone know if there is a pre-coded script for stuff like that?
I already tried Google but most of the scripts/tutorials didn't fit my needs.

Posted: Sat Sep 10, 2005 7:29 am
by feyd
8O it isn't all that hard to write your own for this.. we can discuss how, but you get to do the work. ;)

Posted: Sat Sep 10, 2005 8:30 am
by raghavan20
it's not really worth searching for this normal search on Google

this should be your answer.

now here you assume in search.php?field_name=field_value
field_name url variable can be age, sex....
field_value will be the value of the field_name

Code:

list($key, $value) = each($_GET);
$field_name = $key;
$field_value = $value;
print_r($_GET)."<br />";
echo $field_name."<br />";
$query = "select * from `table_name` where `$field_name` = '$field_value'";
echo $query;

Posted: Sat Sep 10, 2005 8:32 am
by feyd
warning: that is a massive security hole. :)

$ corrected

Posted: Sat Sep 10, 2005 8:48 am
by raghavan20
hope this would counter sql injection.
it was a bit complex as we don't know the field_name and the format/type of field_value

Code:

<?php
//you should be knowing all the fields on which you are going to make a search; write them below
$fields = array('field1', 'field2', 'field3', 'field4');
$sqlKeywords = array('insert', 'select', 'alter', 'drop', 'delete');
list($key, $value) = each($_GET);
$field_name = $key;
$field_value = $value;
print_r($_GET)."<br />";
echo $field_name."<br />";
//if the search field is an item of the array defined above
$valid = 1; //initially the value is assumed to clean
if (in_array($field_name, $fields)){
	//search for sql keywords in the field_value
	for ($i = 0; $i < count($sqlKeywords); $i++){
		if (strstr($field_value, $sqlKeywords[$i])){
			$valid = 0; //set the value as unclean containing possible sql injection keywords
		}
	}
	if (valid == 0){
		echo "Suspected sql injection!!!";
	}else{
		$query = "select * from `table_name` where `$field_name` = '$field_value'";
		echo $query;
	}
}else{
	echo "Suspected sql injection!!!";
}
?>

Posted: Sat Sep 10, 2005 8:54 am
by feyd
missing a $ in front of a field_value ;)

and it could still allow SQL injection, just of more benign things (in this particular case)

Posted: Sat Sep 10, 2005 9:00 am
by raghavan20
can you give an example query which can break the above code???

Posted: Sat Sep 10, 2005 9:04 am
by feyd
since you're not "fixing" magic quotes, any query with apostrophes in it could jump out of the value component. If that's possible, I could potentially inject a union that'd grab the whole user's table, likely getting their passwords and other "confidential" information.

Your filtering also could easily create false positives because a string of 'insert' is perfectly valid. ;)

Posted: Sat Sep 10, 2005 9:14 am
by raghavan20
please give me an example, I could not think of a query from your post.
I want to understand this better so that I can make more secure scripts.

Posted: Sat Sep 10, 2005 9:27 am
by feyd
  1. turn off magic quotes.
  2. query the page with something like foo.php?age=6'+UNION+SELECT+*+FROM+`someOtherTable`+WHERE+'1
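As an added example for this thread, not code posted by any of the participants: a version of search.php that whitelists the column name and binds the value through PDO, so the apostrophe trick in the last post stays inside the quoted value no matter how magic quotes is set. The table, rows and column names are constructed here (SQLite in memory standing in for the MySQL table) so the script runs stand-alone.

```php
<?php
// Added example, not from the thread: hardened search.php.
// The column name is checked against a fixed list and the value is bound
// as a parameter, so neither half of ?field_name=field_value reaches the
// SQL text unchecked.

// Constructed in-memory table standing in for the real database.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE users (id INTEGER, user TEXT, age INTEGER, sex TEXT, hobbies TEXT, password TEXT)");
$pdo->exec("INSERT INTO users VALUES (1, 'alice', 19, 'female', 'swimming', 'secret1'),
                                     (2, 'bob',   19, 'male',   'chess',    'secret2'),
                                     (3, 'carol', 25, 'female', 'swimming', 'secret3')");

// Columns a visitor may search on; everything else is refused outright.
$allowedFields = array('age', 'sex', 'hobbies');

function searchUsers(PDO $pdo, array $params, array $allowedFields)
{
    // Exactly one field=value pair, as in search.php?hobbies=swimming
    if (count($params) !== 1) {
        return null;
    }
    $field = key($params);
    $value = current($params);
    // Identifiers cannot be bound, so the column name is whitelisted instead
    if (!in_array($field, $allowedFields, true)) {
        return null;
    }
    // The value is bound, never concatenated into the query string,
    // so quotes, UNION or keywords inside it are just characters to compare
    $stmt = $pdo->prepare("SELECT id, user, age, sex, hobbies FROM users WHERE `$field` = :value");
    $stmt->execute(array(':value' => $value));
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// The searches from the first post, taking $_GET-shaped arrays as input
print_r(searchUsers($pdo, array('hobbies' => 'swimming'), $allowedFields));
print_r(searchUsers($pdo, array('age' => '19'), $allowedFields));

// The value from the last post is compared literally against `age`
// and matches nothing instead of pulling in another table
var_dump(searchUsers($pdo, array('age' => "6' UNION SELECT * FROM users WHERE '1"), $allowedFields));

// A column outside the whitelist is refused before any SQL is built
var_dump(searchUsers($pdo, array('password' => 'x'), $allowedFields));
```

In production the $params argument would be $_GET, and the column list would be the real searchable fields; the blacklist of SQL keywords from the earlier post becomes unnecessary, and a hobby called "insert" is no longer rejected.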