Topic: search string process so it's safe to use with database (php/mysql)

If I've got something like this:

// a search string from URL
$search_string = $_GET['search'];

//
// Some processing of the string here...
//

// a possible query with full text search
$query = "SELECT * FROM table WHERE MATCH (content) AGAINST ('$search_string')";

// another possible query
// $query = "INSERT INTO table (asdf) VALUES ('$search_string')";

mysql_query($query);

What is the best way to process that string so it's not possible to do something harmful in the database, like SQL injections or similar?

Re: search string process so it's safe to use with database (php/mysql)

mysql_escape_string($search_string)

"Programming is like sex: one mistake and you have to support it for the rest of your life."
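The two queries from the question, first as they stand and then parameterised. This is an added example, not code from the thread, and not a PunBB routine. It uses the mysqli extension (the mysql_* functions, including mysql_escape_string(), were deprecated in PHP 5.3 and removed in PHP 7), assumes a table called `articles` with a FULLTEXT index on `content` and a column `asdf` (`table` is a reserved word, so the question's name is replaced), and the connection details are placeholders. The injection payload in the comment is the standard quote-and-comment trick the question is asking about.

```php
<?php
// Added example (not from the thread): the question's queries, vulnerable
// form beside the prepared-statement form. Connection details, the table
// name `articles` and the columns are assumptions for illustration.

$mysqli = new mysqli('localhost', 'user', 'password', 'dbname'); // hypothetical
if ($mysqli->connect_error) {
    die('Connect failed: ' . $mysqli->connect_error);
}
// Escaping and quoting only work correctly if the client knows the
// connection character set, so set it explicitly.
$mysqli->set_charset('utf8mb4');

$search_string = $_GET['search'] ?? '';

// --- What the question does: interpolate the raw value into the SQL text ---
// A request such as  ?search=x%27%29+OR+1%3D1+--+  (x') OR 1=1 -- )
// turns the WHERE clause into
//   MATCH (content) AGAINST ('x') OR 1=1 -- ')
// and returns every row; the same trick works on the INSERT.
$unsafe = "SELECT * FROM articles WHERE MATCH (content) AGAINST ('$search_string')";

// --- Prepared statement: SQL text and value travel separately ---
// The server parses the statement before it ever sees the value, so the
// value cannot change the structure of the query, whatever it contains.
$stmt = $mysqli->prepare('SELECT id, content FROM articles WHERE MATCH (content) AGAINST (?)');
$stmt->bind_param('s', $search_string);
$stmt->execute();
$result = $stmt->get_result(); // needs the mysqlnd driver
while ($row = $result->fetch_assoc()) {
    // Escaping for SQL on the way in says nothing about HTML on the way out.
    echo htmlspecialchars($row['content'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'), "\n";
}
$stmt->close();

// The INSERT from the question, same treatment.
$stmt = $mysqli->prepare('INSERT INTO articles (asdf) VALUES (?)');
$stmt->bind_param('s', $search_string);
$stmt->execute();
$stmt->close();

// Legacy fallback for the rare statement that cannot be parameterised:
// escape with the connection-aware function (it honours the charset set
// above, which mysql_escape_string() did not) and keep the quotes around
// the value in the SQL text.
$escaped = $mysqli->real_escape_string($search_string);
$legacy = "SELECT id FROM articles WHERE MATCH (content) AGAINST ('$escaped')";
```

The same pattern is available through PDO (`$pdo->prepare()` with `?` or named placeholders). Escaping is a fallback, not the primary defence: a placeholder can never be "forgotten" for one variable in a long query the way an escaping call can.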

Re: search string process so it's safe to use with database (php/mysql)

That's it?

I've used another function before, but this one sounds simpler :)

Thanks anyway.

Re: search string process so it's safe to use with database (php/mysql)

Another question in the same area.

After inserting a row in MySQL (and after having run mysql_escape_string...)

To fetch that string and display it safely (e.g. in a text form),

is this the "right" way to do it?


$row = mysql_fetch_assoc(....

$row['search_string'] = htmlspecialchars(stripslashes($row['search_string'])); ?

I don't want anything to be messed up if the user typed any kind of quotation mark.

Re: search string process so it's safe to use with database (php/mysql)

Correct apart from the stripslashes(). There's no need to do that. Just make sure you run set_magic_quotes_runtime(0); somewhere in the beginning of your script.

"Programming is like sex: one mistake and you have to support it for the rest of your life."
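What htmlspecialchars() does and does not escape, and why that matters when the fetched value goes into a form field. This is an added example, not code from the thread; `$row['search_string']` is a constructed value standing in for what mysql_fetch_assoc() would return, and `h()` is a helper name chosen here. The flag behaviour described in the comments is PHP's documented one: before PHP 8.1 the default was ENT_COMPAT, which leaves single quotes alone.

```php
<?php
// Added example (not from the thread). The row below is constructed to stand
// in for a value fetched from MySQL; it contains every character that can
// break out of HTML text or an attribute.
$row = ['search_string' => "O'Reilly said \"<b>hi</b>\" & left"];

// Default before PHP 8.1 (ENT_COMPAT): " < > & are escaped, ' is NOT.
// Result is safe inside value="..." but not inside value='...'.
$compat = htmlspecialchars($row['search_string'], ENT_COMPAT, 'UTF-8');
// O'Reilly said &quot;&lt;b&gt;hi&lt;/b&gt;&quot; &amp; left

// ENT_QUOTES escapes both quote styles (' becomes &#039; with the HTML 4.01
// default), so the output is safe in text content and in either attribute
// quoting style. ENT_SUBSTITUTE (PHP 5.4+) replaces invalid UTF-8 instead of
// silently returning an empty string.
$quotes = htmlspecialchars($row['search_string'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
// O&#039;Reilly said &quot;&lt;b&gt;hi&lt;/b&gt;&quot; &amp; left

/** Output escaping for HTML text and attributes; always pass the charset. */
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Redisplaying the search term in a text form, as the question asks.
// No stripslashes(): the value in the database should already be the
// literal the user typed, so there is nothing to strip.
echo '<form method="get">' . "\n";
echo '<input type="text" name="search" value="' . h($row['search_string']) . '">' . "\n";
echo '</form>' . "\n";

// Constructed attack value: tries to close the attribute and add a handler.
$attack = '" onmouseover="alert(1)';
echo '<input type="text" name="search" value="' . h($attack) . '">' . "\n";
// <input type="text" name="search" value="&quot; onmouseover=&quot;alert(1)">
// The browser sees one attribute whose value contains literal quotes.
```

The escaping is chosen by the output context, not by what happened on input: the same value needs a different treatment for a JavaScript string, a URL parameter or a SQL statement.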

6 (edited by chrizz 2005-01-21 00:25)

Re: search string process so it's safe to use with database (php/mysql)

That's weird. I use mysql_escape_string($string);

I insert it in the database (say it looks something like \"\" in the database),

then I get it in PHP, and it's still \"\"; only if I use stripslashes does it become "" like I want.

I have set_magic_quotes_runtime(0);

I've read a little about it (apparently not enough :) and from what I understand it should be unescaped automatically? What am I missing here?

7 (edited by chrizz 2005-01-21 01:09)

Re: search string process so it's safe to use with database (php/mysql)

Never mind, I think I understand how it works now. I did not even need the mysql_escape_string(); it was escaped anyway on insert.

Thanks for your help...

Re: search string process so it's safe to use with database (php/mysql)

That means you have magic_quotes_gpc enabled. A horrible idea the PHP developers came up with a few years ago. What it means is that PHP runs addslashes() for you so that when you fetch stuff from GET/POST/COOKIE, it's already escaped.  Have a look at PunBB's common.php. There's some code there to undo the damage done by magic_quotes_gpc.

"Programming is like sex: one mistake and you have to support it for the rest of your life."
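The double escaping chrizz ran into, reproduced step by step, with one way to undo magic_quotes_gpc before anything else touches the input. This is an added example, not code from the thread and not PunBB's common.php; `undo_magic_quotes()` is a name chosen here, and the `$get` array is constructed to look like `$_GET` under magic_quotes_gpc = On, so it runs without a web server. addslashes() stands in for mysql_escape_string() because the two agree on the characters used here. Note that magic_quotes_gpc was removed in PHP 5.4 and get_magic_quotes_gpc() in PHP 8.0, hence the function_exists() guard; set_magic_quotes_runtime(0) only affects data read back from files and the database, not GET/POST/COOKIE.

```php
<?php
// Added example (not from the thread). Constructed input: what $_GET looked
// like for  ?search=O%27Reilly&tags[]=a%22b&tags[]=c%5Cd  with
// magic_quotes_gpc = On, i.e. after PHP ran addslashes() on every value.
$get = [
    'search' => "O\\'Reilly",            // O\'Reilly
    'tags'   => ["a\\\"b", "c\\\\d"],     // a\"b  and  c\\d
];

/** Recursively remove the slashes magic_quotes_gpc added (keys too). */
function undo_magic_quotes(array $in): array
{
    $out = [];
    foreach ($in as $k => $v) {
        $k = is_string($k) ? stripslashes($k) : $k;
        $out[$k] = is_array($v) ? undo_magic_quotes($v) : stripslashes((string) $v);
    }
    return $out;
}

// In a real script this runs once, at the top, before any other code reads
// the superglobals. Guarded so it is a no-op on PHP 5.4+.
if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
    $_GET    = undo_magic_quotes($_GET);
    $_POST   = undo_magic_quotes($_POST);
    $_COOKIE = undo_magic_quotes($_COOKIE);
}

// For the constructed sample we know slashes were added, so undo them directly.
$clean = undo_magic_quotes($get);
// $clean['search'] === "O'Reilly"
// $clean['tags']   === ['a"b', 'c\\d']  (the literal values the user typed)

// --- The chain from the thread ---
// 1. magic quotes already turned O'Reilly into O\'Reilly.
// 2. mysql_escape_string() escapes the backslash and the quote again.
$double = addslashes($get['search']);
// $double === "O\\\\\\'Reilly", i.e. the SQL text holds 'O\\\'Reilly'
// 3. MySQL unescapes once on INSERT and stores the literal  O\'Reilly,
//    which is why stripslashes() appeared to be needed on output.

// --- Escape exactly once, from the clean value, only for the SQL context ---
$once = addslashes($clean['search']);
// $once === "O\\'Reilly", SQL text 'O\'Reilly', stored as  O'Reilly
// On the way out, htmlspecialchars() alone is then the right call.
```

The general rule behind it: keep the stored value identical to what the user typed, and apply exactly one escaping step for each boundary the value crosses (SQL on the way in, HTML on the way out). Prepared statements remove the SQL step from your hands entirely.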