search query validation

bampot

i'm looking to check a users search query sent by $_GET is 3 characters in length or longer, also are there any other validations that i should be making?

thanks in advance

bampot

got it

if(strlen($search) < 3)
  {
   echo '<p>Please refine your search</p>';
   exit;
  }

however i would still like to hear if i should be making any other user input validations as standard

weekender

surely this is a question only you can answer? do you want the search string to be a date? a number? just text? does it have a maximum length?

bampot

i'm just thinking along the lines of malicious code being entered

weekender

right. well what is the format of the search string, and how is it going to be used?

anything that can be manipulated by the user should be secured. this includes not passing data straight into functions like eval, or an sql query

bampot

search term from a text input recieved by $_GET is used in an sql query

$sql = mysql_query("SELECT * FROM products where description like '%$search%' LIMIT $from, $max_results");

should i be using strip_tags() or htmlspecialcharacters() or both.

i also have delivery information that will be entered into a database