Hi everyone, I am creating a small search function in BOOLEAN MODE and it works fine.
But I asked myself how to make the query string hack prove since it is on a public website.
I read somewhere that for the querystring the only thing needed is to set mysql_set_charset() and mysql_real_escape_string enclosed in quotes.
Is that a myth? What about special keywords does it need filtering?
I meant to say hack proof... Always a tricky thing English
I too would like to know. Hope members here will comment.
'hack proof'. Whenever i hear that phrase, I want to laugh. It's not a question of being hack-proof, but making it as difficult as possible.
real_escape_string is a good first step. Filtering and sanitizing your data is better. What data do you need to take in?
I am glad I made someone laugh today
The data I need to take in is numerical, alphabetical and some latin characters (utf-8)
and make it so that the user still can double quote for example "John Doe".
Ok here an example of a search
GET data input example 1 = "Stephen O'Reiley"
GET data input example 2 = Marie-Élise
GET data input example 3 = 0123456789
$query = mysql_real_escape_string($_GET['input']);
$search= @mysql_query("SELECT * FROM articles WHERE MATCH (articlecode, name, description) AGAINST ('$query' IN BOOLEAN MODE) LIMIT 1, 5");
Is this ok for safety or should I add more filters?
Still struggling with the same question here... How about some keyword filtering? Such as 'AND OR *' Is that necessary and or a good solution?
This topic is now closed. New replies are no longer allowed.