When your code is somewhat short, it is better to post it here than to post it elsewhere then link to it from here. If you do want to post it elsewhere, then it is better to use a pastebin service (the name originates from the first popular one... basically a code hosting service with syntax highlighting and such but for a one-off piece of code rather than a project). When you do post PHP code here, remember to post within [noparse]

[/noparse] tags, or more generally within [noparse]

[/noparse] tags.

<?php
$conn = mysqli_connect("localhost","1234un","1234pw","1234db");

$output = ' ';

if(isset($_GET['q']) && $_GET['q'] !== ' ') {
    $searchq = $_GET['q'];

$q = mysqli_query($conn, "SELECT * FROM search WHERE keywords LIKE '%$searchq%' OR title LIKE '%$searchq%'") or die(mysqli_error($conn));
$c = mysqli_num_rows($q);
if($c == 0) {
    $output = 'No search results for <b>"' . $searchq . '"</b>';
}  else {
    while($row = mysqli_fetch_array($q)) {
        $id = $row['id'];
        $title = $row['title'];
        $desc = $row['description'];
        $link = $row['link'];

        $output .= '<a href="' . $link . '">
        <h3>' . $title . '</h3>
        <p>' . $desc . '</p>
        </a>';
    }
}
} else {
    header("location: ./");
}
print("$output");
mysqli_close($conn);

?>

<!DOCTYPE html>
<html>
<head>
</head>
<body>
<form action="search.php" method="GET">
<input type="text" name="q" dir="ltr">
<input type="submit" value="go">
</form>

</body>
</html>
o8codex wrote:

The way this is structured I'm having trouble putting these commands successfully like mysqli_real_escape_string and html htmlspecialchars etc. to my query

It would be better to make use of placeholders with prepared statements. I might try:

$searchq = $_GET['q'];
// '%' is the LIKE wildcard, so the bound value becomes %term%
$searchq_placeholder = '%' . $searchq . '%';
$stmt = mysqli_prepare(
    $conn,
    "SELECT id, title, description, link FROM search
     WHERE keywords LIKE ? OR title LIKE ?"
) or die(mysqli_error($conn));
mysqli_stmt_bind_param($stmt, 'ss', $searchq_placeholder, $searchq_placeholder);
mysqli_stmt_execute($stmt);
mysqli_stmt_bind_result($stmt, $id, $title, $desc, $link);
$c = 0;
while (mysqli_stmt_fetch($stmt)) {
    $output .= sprintf('<a href="%s"><h3>%s</h3><p>%s</p></a>',
                       htmlspecialchars($link),
                       htmlspecialchars($title),
                       htmlspecialchars($desc));
    ++$c;
}
if ($c == 0) {
    $output = 'No search results for <b>"' . htmlspecialchars($searchq) . '"</b>';
}

You would need more graceful error handling than the "or die", both because it is unsightly to users and to avoid gleefully spitting out potentially sensitive debugging information to a possible attacker. Also, it is puzzling why you print $output so early. You probably should print it later down in the page. Oh, and remember that if you send a location header, you should place exit; right after the header call.
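An added example, not part of the reply above: the same search with the reply's points applied (exceptions logged instead of "or die", exit after the redirect), plus one thing binding does not cover, namely that % and _ typed by the user still act as LIKE wildcards. The helper names like_contains() and render_results() and the '|' escape character are choices made for this sketch; the table, columns and credentials are the thread's.

```php
<?php
// Added example, not code from the thread; helper names are hypothetical.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw instead of "or die"

// Build a "contains" pattern where %, _ and the escape character are literals.
function like_contains(string $term): string {
    return '%' . strtr($term, ['|' => '||', '%' => '|%', '_' => '|_']) . '%';
}

// Every value that reaches the page is HTML-escaped, including the echoed term.
function render_results(array $rows, string $term): string {
    if ($rows === []) {
        return 'No search results for <b>"' . htmlspecialchars($term) . '"</b>';
    }
    $html = '';
    foreach ($rows as [$link, $title, $desc]) {
        $html .= sprintf('<a href="%s"><h3>%s</h3><p>%s</p></a>',
            htmlspecialchars($link), htmlspecialchars($title), htmlspecialchars($desc));
    }
    return $html;
}

// ?q[]=x arrives as an array, so accept strings only.
$searchq = is_string($_GET['q'] ?? null) ? trim($_GET['q']) : '';
if ($searchq === '') {
    header('Location: ./');
    exit; // without this the rest of the script still runs
}

try {
    $conn = mysqli_connect('localhost', '1234un', '1234pw', '1234db');
    $stmt = mysqli_prepare($conn,
        "SELECT title, description, link FROM search
         WHERE keywords LIKE ? ESCAPE '|' OR title LIKE ? ESCAPE '|'");
    $pattern = like_contains($searchq);
    mysqli_stmt_bind_param($stmt, 'ss', $pattern, $pattern);
    mysqli_stmt_execute($stmt);
    mysqli_stmt_bind_result($stmt, $title, $desc, $link);
    $rows = [];
    while (mysqli_stmt_fetch($stmt)) {
        $rows[] = [$link, $title, $desc]; // copy values out of the bound variables
    }
    $output = render_results($rows, $searchq);
} catch (mysqli_sql_exception $e) {
    error_log('search failed: ' . $e->getMessage()); // details go to the log only
    http_response_code(500);
    $output = 'Search is temporarily unavailable.';
}
echo $output;
```

With this pattern a search for 100% matches only rows containing the literal text "100%", where the unescaped version would treat the % as a wildcard and match everything containing "100".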

    6 days later

    I'm sorry, I'm still new to this site. I try to put the code on here but I get confused. I will do my best next time, and thank you: with your advice combined with me playing around with the code, I am getting it to work now. Thank you so much.
