Is this secure

Walle

Is this safe?

$q = $_GET["q"];
echo"
<form method='post' action='?page=search'>
<input type='text' name='q' value='$q' onkeyup='if(this.value.length>=3){ok(this.value);}'>
<input type='submit'value='search'> 
</form>
";

$q = mysql_real_escape_string($_POST['q']);

$result = mysql_query("SELECT * FROM t1 WHERE LENGTH('{$q}') > 2 AND sn LIKE '%{$q}%' LIMIT 5");

$hits = mysql_num_rows($result);


if(mysql_num_rows($result) ==0)
{
echo "no result";
}
else
{
while($row = mysql_fetch_array($result))
{
echo $row[sn].'<br>';
}
}
?>

laserlight

You should use [man]htmlspecialchars/man or [man]htmlentities/man on an incoming variable used as the value of a HTML tag's attribute.

bradgrafelman

You could also lighten the load on the SQL server and just do the string length checking in PHP.

Walle

I thought mysql_real_escape_string was enough but it is not? I am not inserting anything to db just echo some result from it depends on what is typed into text field but I should use htmlspecialchars () anyway? If so, is this correct with htmlspecialchars?

$q = mysql_real_escape_string($_POST['q']);
$new = htmlspecialchars("$q", ENT_QUOTES);

bradgrafelman

You should use that function if you're displaying user-supplied data. The reason for that is you don't want them to store malicious code in your DB (e.g. some <script> code) and have it executed when you view the page.

If, on the other hand, you'd like to allow some HTML to be parsed (e.g. <b> tags or something of that nature), you could use [man]strip_tags/man and specify which tags you'd like to allow.

Walle

OK, thanks.

I think I need read more about this htmlspecialchars() and htmlentities(). Lots of tanks for helping.