Is this code safe from injection attacks?
Posted: Sat Oct 24, 2009 1:41 am
I have been using this simple search-form script for a long time with no problems... yet. I just want to ask whether it is secure enough against PHP/SQL injection or other malicious input. Any suggestions for making it safer? Thanks.
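<?php
// Search term straight from the form. On the first page load (no POST yet) the key
// is absent, so default to '' instead of raising an undefined-index notice.
// SECURITY NOTE: this value is later interpolated UNESCAPED into the two LIKE
// clauses of the SELECT further down the script, which is a SQL-injection hole.
// The query must bind it as a parameter (mysqli/PDO prepared statement) or, at the
// very least, pass it through mysql_real_escape_string() after mysql_connect().
// The LIKE wildcards '%' and '_' in user input also reach the pattern unescaped.
$country = isset($_POST['country']) ? $_POST['country'] : '';
// if page is not submitted to itself echo the form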
if (!isset($_POST['submit'])) {
?>
<form method="POST" action="<? echo $PHP_SELF; ?>">
<p><b>SEARCH</b> a City or Country <input type="text" name="country" size="32"><p>
<p><br>
<!--[if IE]><input type="text" style="display: none;" disabled="disabled" size="1" /><![endif]-->
<input type="submit" value="submit" name="submit"><input type="reset" value="Reset" name="B2"></p>
</form>
<?
} else {
?>
<? if($_POST['country'] == "")
{
header("location: myscript.php?error=1");
exit;
}
$db_host = '';
$db_user = '';
$db_pass = '';
$db_name = '';
$db_table = '';
$conn = mysql_connect($db_host,$db_user,$db_pass);
mysql_select_db($db_name,$conn);
$result = mysql_query ("SELECT * FROM houses
INNER JOIN houses2
ON houses2.JurisCode = houses.juris_code
WHERE country_en LIKE '%$country%'
AND endofhouse = ' '
OR city LIKE '%$country%'
ORDER BY JurisCode ASC, city ASC",$conn);
$totalrows = mysql_num_rows($result);
if ($row = mysql_fetch_array($result)) {
do {
// prints the output of the search