Search Function with multiple variables in SQL

[Shorts]

As for using variables that aren't ints.

Using what I posted, instead of intval() you can use mysql_real_escape_string(). Personally, use intval() when the input should be a number, otherwise mysql_real_escape_string() it. Also, when I know it should be a number don't use quotes either, etc (with both):

PHP Code:

$sql="SELECT * FROM $tbl_name WHERE technology='".mysql_real_escape_string($_GET['technology'])."' AND `range`=".intval($_GET['range'])." AND output='".mysql_real_escape_string($_GET['output'])."' AND configuration=".floatval($_GET['configuration']); 


In that string, creating the SQL knowing that technology can be a string\number, range is a int, output is a string\number, and configuration is a float.

[Mindzai]

You might need to be a bit careful with just injecting intval though depending on the data in question since it will return 0 on failure. Injecting a 0 may or may not give undesirable results. Personally I like to do some more robust validation rather than relying on intval alone. Depends on what you are doing of course.

[Shorts]

Indeed, personally use a function inside my Database object,

PHP Code:

$variable = $Database->anti_hack($variable,$is_html_allowed); 


However, like using intval as a quick and easy test. as for inserts\updates those are more controlled but for pumping out data with a select, intval does more then enough. Inserts\Updates usually have a lot more validation going on before hand though and then is only executed when everything is a-okay.

monkey, for personal references and examples, here's two pages on SQL Injection:
http://www.tizag.com/mysqlTutorial/m...-injection.php
http://us3.php.net/manual/en/securit...-injection.php

Another note, SQL Injection can happen on ANY user input, even things like ORDER BY, LIMIT, etc. So anything that has user input must be cleaned\validated (as for ORDER BY usually I'll setup up an array of approved sorts and if it's not in that list to use a default value, or use a switch to create an ORDER BY using a different name then the column). Alright, starting to rant a bit, bottom line, Good luck monkey.

[themonkey40]

Ok I am just having a bad coding day, I am trying to create an insert page that will insert new products into the database. Here is the code:

PHP Code:

<?php 
include "db.php";
include "error.php";

$tbl_name = "product";

$connect = mysql_connect($hostname,$username,$password,$tbl_name);
    if (!$connect)
      {
      die('Could not connect:' . mysql_error());
      }
  
mysql_select_db($database, $connect);

$sql="INSERT INTO $tbl_name (product, technology, `range`, output, configuration) VALUES ('$_POST[product]','$_POST[technology]','$_POST[`range`]','$_POST[output]','$_POST[configuration]')";
    if (!mysql_query($sql,$connect))
      {
      die('Error: ' . mysql_error());
      }
    echo "1 record added";
    mysql_close($connect);
?>

When this page just displays blank, no errors. Any thoughts?

[Shorts]

$_POST[`range`] to $_POST['range'] and add single quotes to all the $_POST's also those are perfect areas to worry about SQL Injection.

Lastly, after adding the single quote's to the posts, break them out of the string

PHP Code:

$sql = "INSERT INTO $tbl_name (product, technology, `range`, output, configuration) VALUES ('".$_POST['product']."','".$_POST['technology']."','".$_POST['range']','".$_POST['output']."','".$_POST['configuration']."')"; 


Or as:

PHP Code:

$sql = "INSERT INTO $tbl_name (product, technology, `range`, output, configuration) VALUES ('{$_POST['product']}','{$_POST['technology']}','{$_POST['range']}','{$_POST['output']}','{$_POST['configuration']}')"; 


Personally prefer the first method as it's easier to see and work with in color coded text editors. right with the first back ticks on the range, however the second one is a PHP variable so single quotes.

Once you get that working, try adding some anti hacking (SQL Injection) functionality.