Menu
Community /Pin to ProfileBookmark
How To Sanitize & Validate User Input On Your Search Box ?
Folks,
Building a searchengine like google. ofcourse.
Now, I need to VALIDATE user inputs on my search box on my website.
REQUIREMENTS:
1. Need to make sure the search box is not empty before clicking the “Search” button.2. Need to make sure no user will be able to hack into my Mysql database.3. Need to make sure no user will be able to hijack my other visitors to any malicious site.4. Need to make sure no user will be able to inject sql commands.5. Need to make sure no user will be able to inject html to breakup the page.6. Need to make sure all chars (alpha, numbers, symbols) found on a keyboard (like a QWERTY one) are typable in the search box and searchable in the Mysql Database.
**(NOTE: Above, I have given you 6 requirements. Should I have more ? If so, what should they be ?).
Php
““
$blacklisted_words = array(‘prick’,’dick’);
//Check if “search term” exists or not in Url’s Query String.
if(empty(trim($_REQUEST[‘find’])) || !is_string(trim($_REQUEST[‘find’]))) //Using $_REQUEST[] for both $_REQUEST[‘POST’] & $_REQUEST[‘REQUEST’].
{
die(‘Enter Keywords to search!’);
}
else
{
if(in_array(trim($_REQUEST[‘find’]),$blacklisted_words)) //Keyword(s) to search.
{
die(‘Your search terms contains a banned word! Try some other keywords’);
}
I am not sure if I should remove this part or not since I do want to allow users searching for symbols such:
@#^&*()_-=+[]{};:'”|
““
!is_string(trim($_REQUEST[‘find’]))
Must allow users to search for symbols because they could be searching for tutorial websites based on these symbols.
In short, if you were building your own searchengine, then how would you code it to SANITIZE and/or VALIDATE user inputs on your search box that queries your Searchengine Index (MySql Database) bearing in mind the security subject so your databse, webpage, etc. cannot be hacked, hijacked, sql injected, html injected, cross site attacked, javascript injected, etc. ? I don’t have much experience with Cross Site Attacks and so I am mostly worried about that. Must make sure that doesn’t happen to my website. need to take measures in my coding. Protect my website & database.
I’d appreciate code samples from every contributor as that will teach me a variety of flavours of coding. And trigger constructive debates on the subject on this thread. We always can learn a thing or two from the other no matter the level of programming expertise or experience.
I would be using Prepared Statements to protect from Sql Injection.
You can see a sample of how my full code will look like by glancing over here:
Hence, not wasting your time making you go through the same code (pagination page code) all over again here aswell. Here, we just need to concentrate on how to VALIDATE the user’s input on my searchengine’s search box. Ok ? So, let’s concentrate how to deal with the inputs on **$_POST[find’];
Search Box Html
““
<html>
<head>
<title>
Searchengine Result Page
</title>
</head>
<body>
<form method = ‘GET’ action = “”>
<label for=’find’>Find</label>
<input type=’text’ name=’find’ id=’find’>
<br>
Table:
<input type=’radio’ name=’table’ id=’sale’ value=’sale’><label for=’sale’>Websites On Sale</label>
<input type=’radio’ name=’table’ id=’sold’ value=’sold’><label for=’sold’>Websites Sold</label>
<input type=’radio’ name=’table’ id=’links’ value=’links’><label for=’links’>Links</label>
<br>
<label for=”column”>Column:</label>
<select name=”column” id=”column”>
<option value=””></option>
<option value=”domain”>Domain</option>
<option value=”email”>Email</option>
<option value=”submission_id”>Submission Id</option>
<option value=”url”>Url</option>
<option value=”anchor”>Anchor</option>
<option value=”description”>Description</option>
<option value=”keyword”>Keyword</option>
</select>
<br>
<button type=’submit’>Search!</button>
</form>
</body>
</html>
Sign in
to post a comment