[RESOLVED] Search fields that contain questionmarks etc

beandip

I hope this is a really simple answer... i've searched and searched but obviously I'm not searching for the correct "terms".

I have a basic search page... it allows users to search a database of books by title, author etc. However recently some did a search for the following book title:

"Are you there god? It's me Margaret"

It broke the search engine. Upon investigation, the question mark character is messing up the search. In other words, the search strings from the form are being retrieved on the search results screen using $GET.

I would like to know how to "protect" the info the user puts in the search field and keep it intact to search the database with. I would assume this is also a security issue or how injection attacks are done.

Thanks!

laserlight

Use [man]urlencode/man when printing to the query string.

I would assume this is also a security issue or how injection attacks are done.

If it was an SQL injection, the query would fail on "s me Margaret", not " It's me Margaret". The reason is that the single quote is at that point, but here you determined it to be the question mark.

Actually, in retrospect I suspect that you may have misinterpreted the problem. Test with:
"Are you there god? Its me Margaret"

Do you still have the problem?

beandip

yes if i search for

Are you there god? Its me Margaret

I get no results found. If I wrapped it in urlencode then it seems to work fine. Thank you!