Bytes | Software Development & Data Engineering Community

protecting from sql injections

I am using the code below for a search function, but it is not protected from injections, and I am not a programming expert, so can anyone help me with this? My code is:


<?php include ( "./inc/header.inc.php" );  ?>
<?php
if(!isset($_POST['search'])) {
    header("Location: main.php");
    exit; // header() alone does not stop the script; without exit the query below still runs
}
// Injection point: $_POST['search'] is spliced straight into the SQL text
$search_sql="SELECT * FROM blogs WHERE title LIKE '%".$_POST['search']."%' OR body LIKE '%".$_POST['search']."%' ";
$search_query=mysql_query($search_sql);
// mysql_query() returns false on error; guard before calling mysql_num_rows() on it
if($search_query && mysql_num_rows($search_query) !=0){
    $search_rs=mysql_fetch_assoc($search_query);
}
?>

<p>Search results</p>
<?php
if($search_query && mysql_num_rows($search_query) !=0){
  do { ?>
   <div class="searchresults">
       <!-- note: stored title/body are echoed unescaped -->
       <p><?php echo $search_rs['title']; ?></p>
       <p><?php echo $search_rs['body']; ?></p></div>
 <?php }
  while ($search_rs=mysql_fetch_assoc($search_query));
}
  else {
       echo "No results found";
  }
?>
I just want to add code that can protect from injections.
Sep 16 '15 #1

✓ answered by RonB
RonB
Start by not using any of the mysql_ functions. They are deprecated and are prone to SQL injection. Instead, you should be using the mysqli_ functions. You also should not be using user supplied data directly. Instead, copy it to a new var and escape it prior to using it in SQL statements.

Better still would be to use PDO's prepared statements with placeholders/bind parameters.

Here's some useful php documentation.
SQL Injection
mysqli_ - (MySQL Improved Extension)
PDO (PHP Data Objects)
Sep 16 '15 #2
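The PDO prepared-statement approach RonB recommends, worked through on the asker's own search page as an added example (this is not code from the thread). It assumes the `blogs` table with `title` and `body` columns from the question; the DSN, user name and password are placeholders.

```php
<?php
// Added example, not from the original thread: the asker's search with a PDO
// prepared statement. The search term travels as a bound parameter, so it can
// never change the SQL text. Connection values below are placeholders.
if (!isset($_POST['search'])) {
    header("Location: main.php");
    exit; // header() alone does not end the script
}

$pdo = new PDO(
    'mysql:host=localhost;dbname=DB_NAME_PLACEHOLDER;charset=utf8mb4',
    'DB_USER_PLACEHOLDER',
    'DB_PASSWORD_PLACEHOLDER',
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION, // fail loudly, no silent false
        PDO::ATTR_EMULATE_PREPARES => false, // server-side prepares: SQL and data sent separately
    ]
);

// Separate concern from injection: "%" and "_" are LIKE wildcards, so escape
// them (with "!" as the escape character) or a user typing "%" matches every row.
$term    = str_replace(['!', '%', '_'], ['!!', '!%', '!_'], $_POST['search']);
$pattern = '%' . $term . '%';

$stmt = $pdo->prepare(
    "SELECT title, body FROM blogs
     WHERE title LIKE :t ESCAPE '!' OR body LIKE :b ESCAPE '!'"
);
$stmt->execute([':t' => $pattern, ':b' => $pattern]);
$rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
?>
<p>Search results</p>
<?php if (count($rows) === 0): ?>
    <p>No results found</p>
<?php else: ?>
    <?php foreach ($rows as $row): ?>
    <div class="searchresults">
        <!-- stored text is data, not markup: escape it on output (prevents XSS) -->
        <p><?php echo htmlspecialchars($row['title'], ENT_QUOTES, 'UTF-8'); ?></p>
        <p><?php echo htmlspecialchars($row['body'], ENT_QUOTES, 'UTF-8'); ?></p>
    </div>
    <?php endforeach; ?>
<?php endif; ?>
```

A quick check: submit a search term such as `' OR 1=1 --` to the original page and to this one; the original returns every row, while the prepared statement only looks for posts containing that literal text.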


