[FONT=Arial][SIZE=3]Hi everyone, I am creating a small search function in BOOLEAN MODE and it works fine.
But I asked myself how to make the query string hack prove since it is on a public website.
I read somewhere that for the querystring the only thing needed is to set mysql_set_charset() and mysql_real_escape_string enclosed in quotes.
Is that a myth? What about special keywords does it need filtering?[/SIZE][/FONT]
The data I need to take in is numerical, alphabetical and some latin characters (utf-8)
and make it so that the user still can double quote for example “John Doe”.
GET data input example 1 = “Stephen O’Reiley”
GET data input example 2 = Marie-Élise
GET data input example 3 = 0123456789
Process search @mysql_set_charset(‘utf8’, $db_connection);
$query = mysql_real_escape_string($_GET[‘input’]);
$search= @mysql_query(“SELECT * FROM articles WHERE MATCH (articlecode, name, description) AGAINST (‘$query’ IN BOOLEAN MODE) LIMIT 1, 5”);
Is this ok for safety or should I add more filters?