Thread: Prevent MySQL Injection on search and dropdowns

  1. #1
    Hey all, I know this might have been asked before, but I am trying to protect my search field and drop-downs from MySQL injection and am having trouble integrating mysql_real_escape_string into my PHP. I am currently filtering my search results by keywords in 2 drop-downs or by a freeform input where the user types in a reference. I've commented below where I am trying to add the escape string, but it is breaking my search function. Can anyone advise me on what to do? Thanks for any help.

    PHP Code:
        // freeform reference search
        if (isset($_POST['searchByRef'])) {
            $searchword = $_POST['searchByRef'];
            // this is where I am trying to add the escape string
            $searchword = mysql_real_escape_string($connectInfo, $searchword);
            $query_dbname = "SELECT * FROM dbname WHERE `ref` LIKE '%" . $searchword . "%'";
        }

        // drop-down search: colour and/or style
        if (isset($_REQUEST['submit'])) {
            $drop1 = $_POST['search1'];
            $drop2 = $_POST['search2'];
            // and here for the two drop-down values
            $drop1 = mysql_real_escape_string($connectInfo, $drop1);
            $drop2 = mysql_real_escape_string($connectInfo, $drop2);
            $query_dbname = 'SELECT * FROM dbname WHERE 1=1'
                . ($drop1 ? ' AND `colour` LIKE "%' . $drop1 . '%"' : '')
                . ($drop2 ? ' AND `style` LIKE "%' . $drop2 . '%"' : ' ORDER BY id DESC');
        }

        // default listing when nothing is searched
        $query_dbname = "SELECT * FROM dbname ORDER BY ref DESC";
        $dbname = mysql_query($query_dbname, $connectInfo) or die(mysql_error());
        $row_dbname = mysql_fetch_assoc($dbname);
        $totalRows_all = mysql_num_rows($dbname);

  2. #2
    Looks like you have the arguments reversed when you call mysql_real_escape_string. The first arg is the string to be escaped, and the 2nd is the (optional) connection identifier.

    Of course, you could quit using the now-deprecated MySQL extension and instead either use the MySQLi extension or PDO extension, allowing you to make use of prepared statements with bound parameters, letting them take care of any needed escaping automatically.
    "Well done....Consciousness to sarcasm in five seconds!" ~ Terry Pratchett, Night Watch

    How to Ask Questions the Smart Way (not affiliated with this site, but well worth reading)

    My Blog
    cwrBlog: simple, no-database PHP blogging framework
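    As an added illustration of the PDO route suggested in the reply above (this is not code from either poster), here is the thread's two search modes rebuilt on prepared statements with bound parameters. The table and column names are the ones from the thread; the DSN, credentials and the helper function names are assumptions.

    ```php
    <?php
    // Added example (not from either poster): the thread's two search modes rebuilt
    // on PDO prepared statements. Table and column names come from the thread;
    // the DSN, credentials and function names are assumptions.

    $pdo = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'dbuser', 'secret', [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares: data never enters the SQL text
    ]);

    // Bound parameters stop SQL injection, but % and _ are still LIKE wildcards inside
    // a bound value. Escape them (MySQL's default LIKE escape character is a backslash)
    // so a user typing "10%" searches for a literal percent sign.
    function likeContains(string $s): string
    {
        return '%' . addcslashes($s, '\\%_') . '%';
    }

    function buildSearch(array $post): array
    {
        $sql    = 'SELECT * FROM dbname WHERE 1=1';
        $params = [];

        if (isset($post['searchByRef']) && $post['searchByRef'] !== '') {
            // freeform reference box
            $sql .= ' AND `ref` LIKE :ref';
            $params[':ref'] = likeContains($post['searchByRef']);
        }
        if (!empty($post['search1'])) {
            // drop-down 1: the column name is fixed in code, only the value is bound
            $sql .= ' AND `colour` LIKE :colour';
            $params[':colour'] = likeContains($post['search1']);
        }
        if (!empty($post['search2'])) {
            // drop-down 2
            $sql .= ' AND `style` LIKE :style';
            $params[':style'] = likeContains($post['search2']);
        }
        // Identifiers and ORDER BY cannot be bound, so they stay hard-coded.
        $sql .= ' ORDER BY ref DESC';
        return [$sql, $params];
    }

    list($sql, $params) = buildSearch($_POST);
    $stmt = $pdo->prepare($sql);
    $stmt->execute($params);            // the driver sends the values separately from the SQL
    $rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
    $totalRows_all = count($rows);
    ```

    With no search input the function falls through to the plain `ORDER BY ref DESC` listing, so the default query from the original post is covered by the same statement.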
