Hello everyone!
I am developing a script that uses dynamically generated queries based on user input. However, those fields can be modified using a tool such as Firebug, and I would like to know if someone can tell me whether I am doing things the right way, or if there is a better way to sanitize the queries. Basically, for all fields in the form the values are limited, so I make sure that the passed value is in an array of accepted values; otherwise the query is stopped. But there is a field where the user can enter text to search for, and that cannot be limited to certain values the way I did with the rest of the fields, so I am using mysql_real_escape_string only. Basically, for the text field I do the following:
if ( $delimiters['filterword'] != null ){
    // Free-text field: escaped with mysql_real_escape_string and then concatenated into both queries
    $delimiters['filterword'] = mysql_real_escape_string ( $delimiters['filterword'] );
    $query  .= $where . 'title LIKE "%' . $delimiters['filterword'] . '%"';
    $query2 .= $where . 'title LIKE "%' . $delimiters['filterword'] . '%"';
}
And for the rest of the fields, where the values are limited to an expected value, I do this:
if ( ( int ) $delimiters['lang'] != 0 ){
    // Fixed-choice field: the submitted value must be in the whitelist. The comparison is strict,
    // so the entries of $expectedValues must have the same type as the submitted value (form
    // values arrive as strings).
    if ( in_array ( $delimiters['lang'], $expectedValues, true ) === false )
        die ( $err );
    $query  .= $where . $and . ' language = "' . $delimiters['lang'] . '"';
    $query2 .= $where . $and . ' language = "' . $delimiters['lang'] . '"';
}
Is this a good way of doing it or should I be sanitizing the data some other way?
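The same two-filter search, written as an added example (not the poster's code) with PDO prepared statements instead of string concatenation and mysql_real_escape_string: the fixed-choice field is still checked against a whitelist, but the free-text field is bound as a parameter, so its quotes can never become SQL. Bound values still act as LIKE patterns, so the example also escapes `%` and `_` with an explicit `ESCAPE` character; otherwise a search for `100%` would match everything starting with `100`. The table name `articles`, the columns `id`, `title`, `language`, the whitelist `$expectedLangs`, and the rows inserted into an in-memory SQLite database are all constructed for the demo.

```php
<?php
declare(strict_types=1);

// Escape LIKE metacharacters so the user's text matches literally.
// '!' is used as the ESCAPE character because it is portable between MySQL and SQLite.
function escapeLikeWildcards(string $value): string
{
    return str_replace(['!', '%', '_'], ['!!', '!%', '!_'], $value);
}

/**
 * Build the search query from the form values. Returns [sql, params].
 * User data never enters the SQL string: the fixed-choice field is whitelisted,
 * the free-text field is passed to the driver as a bound parameter.
 */
function buildSearchQuery(array $delimiters, array $expectedLangs): array
{
    $conditions = [];
    $params = [];

    $filterword = trim((string)($delimiters['filterword'] ?? ''));
    if ($filterword !== '') {
        $conditions[] = "title LIKE :filterword ESCAPE '!'";
        $params[':filterword'] = '%' . escapeLikeWildcards($filterword) . '%';
    }

    $lang = (string)($delimiters['lang'] ?? '');
    if ($lang !== '' && $lang !== '0') {
        // Whitelist entries are strings, matching the type of form input, so the strict
        // comparison behaves as intended.
        if (!in_array($lang, $expectedLangs, true)) {
            throw new InvalidArgumentException('unexpected language value');
        }
        $conditions[] = 'language = :lang';
        $params[':lang'] = $lang;
    }

    $sql = 'SELECT id, title, language FROM articles';
    if ($conditions !== []) {
        $sql .= ' WHERE ' . implode(' AND ', $conditions);
    }
    return [$sql, $params];
}

// --- demo against an in-memory SQLite database (constructed data) ---
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false); // let the server bind the values
$pdo->exec('CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT, language TEXT)');
$insert = $pdo->prepare('INSERT INTO articles (title, language) VALUES (:t, :l)');
foreach ([['100% cotton', '1'], ['cotton blend', '1'], ['cotton', '2']] as [$t, $l]) {
    $insert->execute([':t' => $t, ':l' => $l]);
}

$expectedLangs = ['1', '2', '3'];

// Constructed request values, as they would arrive from the form (always strings).
$requests = [
    ['filterword' => 'cotton', 'lang' => '1'],   // -> ["100% cotton","cotton blend"]
    ['filterword' => '100%', 'lang' => ''],      // % is literal -> ["100% cotton"]
    ['filterword' => 'it\'s "quoted"', 'lang' => '2'], // quotes are data -> []
    ['filterword' => 'cotton', 'lang' => '9'],   // not in whitelist -> rejected
];
foreach ($requests as $delimiters) {
    try {
        [$sql, $params] = buildSearchQuery($delimiters, $expectedLangs);
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), PHP_EOL;
        continue;
    }
    $stmt = $pdo->prepare($sql);
    $stmt->execute($params);
    echo $sql, PHP_EOL, '  -> ', json_encode($stmt->fetchAll(PDO::FETCH_COLUMN, 1)), PHP_EOL;
}
```

To run it against MySQL, only the DSN changes (for example `mysql:host=...;dbname=...;charset=utf8mb4` with a username and password); `buildSearchQuery` stays the same. `ATTR_EMULATE_PREPARES` is set to `false` so that the database server, not the PHP driver, performs the parameter binding. Note also that the `mysql_*` functions used in the question were removed in PHP 7, so moving to PDO (or MySQLi with prepared statements) is needed for new code in any case.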