Hello.
To search for stuff, people enter a string which is then used in an SQL query. However, if the user enters the ' character, they break out from the LIKE SQL statement, and if they use the " character, they break away from the PHP string.
What is the usual way to go with this? Someone said that I should replace " with \" or some such. It didn't work.
Thanks all.
A string which is both PHP and SQL safe
Well, if it helps, which I doubt.
It also opens a way for anyone to somehow execute SQL commands to the database, by closing the LIKE statement and continuing with the query. Maybe so.
Code:
<?php
// The search term is taken straight from the query string.
$terms = $_GET['terms'];
// It is then interpolated into the SQL string, so a ' in $terms closes the
// LIKE literal and whatever follows is run as SQL (the injection discussed below).
$result = mysql_query("SELECT something FROM library WHERE information LIKE '%$terms%'") or die(mysql_error());
Last edited by Clippit on Mon Feb 27, 2006 4:50 pm, edited 1 time in total.
feyd (Neighborhood Spidermoddy, joined Mon Mar 29, 2004) wrote:
Clippit wrote: It also opens a way for anyone to somehow execute SQL commands to the database, by closing the LIKE statement and continuing with the query. Maybe so.
Not maybe so, definitely so.
Use mysql_real_escape_string() (at a minimum) to help safeguard the SQL. Use htmlentities() or htmlspecialchars() to safeguard the output in PHP.
Re: A string which is both PHP and SQL safe
Clippit wrote: What is the usual way to go with this?
The most secure is to whitelist it. Allow only certain characters.
For example, [A-z,a-z,0-9]. That covers the majority of keywords, realistically.
It does make it harder to search for Mac'Enry, and similar. It depends on implementation which values you will allow.
Yes, that would also work.
But I already got mysql_real_escape_string to work, by using:
Code:
$terms = mysql_real_escape_string($terms);
Of course, after the connection has been made.
Thank you both.
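As an added example (not code from any poster in this thread), here is the same LIKE search written with a parameterised query, which is how this is done on current PHP now that the mysql_* functions have been removed. It assumes the `library` table and `information` column from Clippit's query, a PDO MySQL driver, and placeholder credentials; it also handles the caveat that `%` and `_` are still LIKE wildcards even inside a bound parameter.

```php
<?php
// Added example, not code from this thread. Assumes table `library` with a text
// column `information` (as in Clippit's query) and the PDO MySQL driver.

function escapeLikeWildcards(string $term): string
{
    // A bound parameter stops a quote from closing the LIKE literal, but % and _
    // are still wildcards inside the pattern. Escape them (backslash first) so a
    // user typing "100%" searches for that literal text. MySQL's default LIKE
    // escape character is the backslash, so no ESCAPE clause is needed.
    return str_replace(['\\', '%', '_'], ['\\\\', '\\%', '\\_'], $term);
}

function searchLibrary(PDO $db, string $terms): array
{
    // The wildcards are added in PHP; the whole pattern travels as one parameter,
    // so nothing the user types is ever parsed as SQL.
    $pattern = '%' . escapeLikeWildcards($terms) . '%';
    $stmt = $db->prepare('SELECT something FROM library WHERE information LIKE :pattern');
    $stmt->execute([':pattern' => $pattern]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

function renderResults(array $rows): string
{
    // Output side, as feyd notes: escape for HTML at the point of echoing,
    // not when the value is stored or queried.
    $html = '';
    foreach ($rows as $row) {
        $html .= '<li>' . htmlspecialchars($row['something'], ENT_QUOTES, 'UTF-8') . "</li>\n";
    }
    return $html;
}

// Placeholder connection details (hypothetical); ERRMODE_EXCEPTION replaces the
// "or die(mysql_error())" pattern, and disabling emulation gives real
// server-side prepared statements.
$db = new PDO('mysql:host=localhost;dbname=example;charset=utf8mb4', 'user', 'pass', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);

$terms = $_GET['terms'] ?? '';
echo '<ul>' . renderResults(searchLibrary($db, $terms)) . '</ul>';
```

A whitelist such as the one suggested above can still be applied to `$terms` before the query as an extra layer, but with a bound parameter it is no longer what keeps the query safe.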