Sunday, 15 February 2015

security for a simple php search form -


I have a table that lists movies and I have included a simple search function. I have a text field Is where a title or keyword can be entered and then the form is submitted.

The php / mysql code that works:

  find $ = $ _POST ['find']; $ Find = mysql_real_escape_string (find $); $ Find = htmlspecialchars ($ find); $ Sql ​​= "SELECT * fROM tbl_buyerguide WHERE" now, between title and relation_date () and DATE_ADD (now () (INTERVAL 2 months) and '%' are available in the title. $. "% 'Order by Title";   

Where 'search' is the name of the text input in the form of text.

It works well enough for search functionality for the required purpose.

Is mysql_real_escape_string and htmlspecialchars sufficient to secure my search form?

I have read all those questions That's what I can get on Stakeoverflow about this, but I really need to know that just "yes, this is your need", or "no, you should also take care ...".

Thanks in advance. Cheers Al.

Yes, it is enough to make it safe. .. You can always put strip_tags () as well there ....

However I will only be in a row ... the use of three Think instead of

  $ find = htmlspecialchars (mysql_real_escape_string ($ _POST [ 'a']));   

But to really keep it safe and up-to-date, you should stop using mysql_ * functions as they dislike it, and delete it in a future PHP release.

You should either switch to mysqli_ * or PDO, and apply a prepared statement that handles security for you.

Examples ... in PDO

  $ dB = new PDO ('mysql: server = localhost; dbname = test', 'username', 'password') ; Find $ = $ _POST ['Find']; $ Query = $ db- & gt; Prepare (Select from * to tbl_buyerguide WHERE now between rel_date () and DATE_ADD (now (), interval 2 months) and title: 'Order by title';); $ Query-> Bind value (': like', '%'. $ Mill. '%'); $ Query-> Executed ();    

No comments:

Post a Comment