pixelboy — 2012-04-26T07:31:23-04:00 — #1
Hi everyone, I am creating a small search function in BOOLEAN MODE and it works fine.
But I asked myself how to make the query string hack prove since it is on a public website.
I read somewhere that for the query string the only things needed are to call mysql_set_charset() and to use mysql_real_escape_string() enclosed in quotes.
Is that a myth? And what about special keywords, do they need filtering?
pixelboy — 2012-04-26T10:03:16-04:00 — #2
I meant to say hack proof... English is always a tricky thing.
tom8 — 2012-04-26T11:00:28-04:00 — #3
I too would like to know. Hope members here will comment.
starlion — 2012-04-26T11:24:21-04:00 — #4
'Hack proof'. Whenever I hear that phrase, I want to laugh. It's not a question of being hack-proof, but of making it as difficult as possible.
real_escape_string is a good first step. Filtering and sanitizing your data is better. What data do you need to take in?
pixelboy — 2012-04-26T13:11:26-04:00 — #5
I am glad I made someone laugh today.
The data I need to take in is numerical, alphabetical and some Latin characters (UTF-8),
and I want the user to still be able to double-quote, for example "John Doe".
pixelboy — 2012-04-27T06:22:48-04:00 — #6
OK, here is an example of a search:
GET data input example 1 = "Stephen O'Reiley"
GET data input example 2 = Marie-Élise
GET data input example 3 = 0123456789
// The connection is already open; tell the escaper which charset the connection uses,
// otherwise mysql_real_escape_string() may mis-handle multibyte input
mysql_set_charset('utf8');
$query = mysql_real_escape_string($_GET['input']);
$search = @mysql_query("SELECT * FROM articles WHERE MATCH (articlecode, name, description) AGAINST ('$query' IN BOOLEAN MODE) LIMIT 1, 5");
Is this OK for safety, or should I add more filters?
pixelboy — 2012-05-08T09:54:58-04:00 — #7
Still struggling with the same question here... How about some keyword filtering, such as 'AND OR *'? Is that necessary and/or a good solution?
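The two questions in posts #6 and #7 are separate layers, and the following added example (not code from anyone in this thread) shows them side by side in Python so it can run without a database. The first layer is the one that matters for injection: a correctly escaped value inside single quotes stays a string literal, and with mysql_set_charset() in place the escaping is charset-aware. The second layer is about BOOLEAN MODE semantics, not injection: the operators are + - < > ( ) ~ * " (and @distance on InnoDB); AND and OR are just ordinary words in this mode, so there is nothing to filter there. The escape function re-implements the documented escaping rules of mysql_real_escape_string() (NUL, \n, \r, backslash, ', " and Ctrl-Z) purely for illustration; the table and column names are taken from post #6, and the function names, the term cap and the sample inputs are this example's own. Note that the original LIMIT 1, 5 starts at offset 1 and so skips the best-ranked row; the example uses LIMIT 5. For current PHP the mysql_* extension no longer exists, and the right tool is a PDO or mysqli prepared statement, with the same operator whitelist applied before binding the search text.

```python
"""Escaping vs. operator filtering for a MySQL BOOLEAN MODE full-text search.

Added example for this thread (posts #6 and #7); it is not code from the
original posts.  Two independent layers:

1. escape_for_single_quoted_literal() mirrors the documented escaping of
   mysql_real_escape_string(): NUL, \\n, \\r, backslash, ', " and Ctrl-Z.
   Inside '...' that keeps any input a string literal, which is the only
   injection defence in the thread's query.  It assumes the connection
   charset is set (mysql_set_charset), as pixelboy already mentions.

2. normalize_boolean_terms() whitelists the search text against the
   BOOLEAN MODE operators (+ - < > ( ) ~ * " and @distance).  These are
   not SQL injection, but they change what the search means or make it
   fail; AND and OR are ordinary words, not operators, in this mode.
"""
from typing import Optional

_ESCAPES = {
    "\0": "\\0", "\n": "\\n", "\r": "\\r", "\\": "\\\\",
    "'": "\\'", '"': '\\"', "\x1a": "\\Z",
}


def escape_for_single_quoted_literal(value: str) -> str:
    """Same escaping rules as mysql_real_escape_string (re-implemented here)."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def _word_chars(text: str) -> str:
    """Keep letters/digits of any script, underscore, apostrophe and hyphen;
    every other character (including all boolean operators) becomes a space."""
    return "".join(ch if ch.isalnum() or ch in "_'-" else " " for ch in text)


def normalize_boolean_terms(raw: str, max_terms: int = 8) -> str:
    """Return a BOOLEAN MODE expression that uses only the phrase operator."""
    # An unbalanced double quote is the classic way to break the search:
    # drop all quotes rather than guess where the phrase should end.
    if raw.count('"') % 2:
        raw = raw.replace('"', " ")
    terms = []
    # Splitting on '"' alternates bare text (even chunks) and phrases (odd chunks).
    for i, chunk in enumerate(raw.split('"')):
        cleaned = _word_chars(chunk)
        if i % 2 == 1:
            phrase = " ".join(cleaned.split())
            if phrase:
                terms.append(f'"{phrase}"')
            continue
        for word in cleaned.split():
            word = word.strip("-'")      # a leading '-' would be the NOT operator
            if not word:
                continue
            # Quote hyphenated words (Marie-Élise) so the inner '-' is part of a
            # phrase instead of being parsed as an operator.
            terms.append(f'"{word}"' if "-" in word else word)
    return " ".join(terms[:max_terms])


def build_search_sql(raw: str, limit: int = 5) -> Optional[str]:
    """The thread's statement with both layers applied; None when nothing is left.
    LIMIT 5 is used on purpose: the original LIMIT 1, 5 starts at offset 1."""
    terms = normalize_boolean_terms(raw)
    if not terms:
        return None
    return (
        "SELECT * FROM articles "
        "WHERE MATCH (articlecode, name, description) "
        f"AGAINST ('{escape_for_single_quoted_literal(terms)}' IN BOOLEAN MODE) "
        f"LIMIT {int(limit)}"
    )


if __name__ == "__main__":
    # Constructed inputs: the three from post #6 plus two hostile ones.
    for sample in ['"Stephen O\'Reiley"', "Marie-Élise", "0123456789",
                   "x') OR 1=1 -- ", '+mysql -yourbeer "unbalanced']:
        print(repr(sample), "->", build_search_sql(sample))
```

Run it and compare the last two inputs: the injection attempt survives only as the harmless words "x OR 1 1" inside the quoted literal, and the operator-laden input loses its +, - and stray quote but keeps its words. The whitelist deliberately throws away everything except the phrase operator, which is the one thing post #5 says users should still be able to type.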