Hi guys, is the following enough to prevent sql injection? I’ve read other posts on the subject and it seems I’ve done enough. Thanks.
<?php
if ($searching =="yes")
{
echo "<br><br><b>Search Results:</b><br><br>";
if ($find == "")
{
echo "You forgot to enter a search term.<br><br>";
exit;
}
//$find = strtoupper($find);
$find = strip_tags($find);
$find = trim ($find);
$find = mysql_real_escape_string($find);
$result = mysql_query("SELECT * FROM customers WHERE industry='$industry' AND ( company LIKE'%{$find}%' OR email LIKE'%{$find}%' OR website LIKE'%{$find}%' ) ORDER BY company");
if(mysql_num_rows($result)==0) {
echo 'I am sorry your search for <span style="font-weight:bold;color:#336699;">'.$find.'</span> returned no results.<br><br>';
} else {
while ($row = mysql_fetch_array($result)) {
echo '<span class="listing">' . $row['company'] . '</span><br>';
echo 'Phone: ' . $row['phone'] . '<br>';
echo 'Address: ' . $row['street'] . '<br>';
echo 'Email: <a href="mailto:'.$row['email'].'">' . $row['email'] . '</a><br>';
echo 'Website: <a href="http://'.$row['website'].'" target="_blank">' . $row['website'] . '</a><br><br>';
echo $row['description'] . '<br><br><hr><br>';
}
}
}
?>