I have a search on my site. I'm putting users' search keywords into a MySQL query. I want to do my checks before sending it to the database. Which characters are unsafe for this? Maybe ";" is one of them.
MySQL query security...
PHP's mysql interface is not capable of executing more than one SQL statement at a time, so this:
mysql_query("select * from bla; drop table bla");
will not drop table 'bla'.
Maybe the keyword will be " ); unlink ("search.php"); ?
Does it delete my search.php?
Or does any character give an error in the MySQL query?
It will just give an error in mysql_query(). Nothing more.
I don't want to have simple errors like this on my site.
Do you think my search.php must begin like this?
<?php
$stmt="Select names from table where search_keyword='$search_keyword'";
bla bla....
mysql_query($stmt,$link);
bla bla...
?>
I don't understand what you mean.
I am also not sure what you mean, but could
<?php
$search_keyword = addslashes($search_keyword); // escapes ' " \ and NUL only; not aware of the connection charset
$stmt="Select names from table where search_keyword='$search_keyword'";
bla bla....
mysql_query($stmt,$link);
bla bla...
?>
be the solution?
Hi guys ..
There is NO SOLUTION for this !!!
Jerome wrote:
I am also not sure what you mean, but could
<?php
$search_keyword = addslashes($search_keyword); // escapes ' " \ and NUL only; not aware of the connection charset
$stmt="Select names from table where search_keyword='$search_keyword'";
bla bla....
mysql_query($stmt,$link);
bla bla...
?>
be the solution?
Sorry for my poor English :-)
My question is so simple ...
Is it secure to put everything (written by users) into a query without any control?
Some people are saying that I must do $searchkeyword=htmlspecialchars(addslashes($search_keyword)) before putting them into the query?
Something else?
That's only because there is no problem.
Sorry for my poor English :-)
My question is so simple ... I'll try to ask it again :-)
Is it secure to put everything (written by users) into a query without any control?
Some people are saying that I must do $searchkeyword=htmlspecialchars(addslashes($search_keyword)) before putting them into the query?
Something else?
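The question asked twice above (which characters to filter) and the addslashes() proposal earlier in the thread both come down to the same point, shown here in an added example that is not code from anyone in the thread: there is no list of unsafe characters to strip, because the fix is to keep the keyword out of the SQL text entirely and bind it as a parameter. It assumes a mysqli connection in $link, a hypothetical table names_table with a column search_keyword, and the mysqlnd driver for get_result().

```php
<?php
// Added example. Assumed: $link is a mysqli connection, names_table and
// search_keyword are hypothetical names, and mysqlnd is available.

// The construction used in the thread: the keyword is pasted into the
// query text. addslashes() backslash-escapes quotes, but the value is not
// even inside quotes here, so whatever the user types is parsed as SQL.
function build_query_unsafe(string $search_keyword): string
{
    $search_keyword = addslashes($search_keyword);
    return "SELECT names FROM names_table WHERE search_keyword=$search_keyword";
}

// Hardened version: a prepared statement with a placeholder. The SQL text
// is fixed before the keyword is known, and the keyword reaches the server
// as data, so ; ' " \ or any other character cannot change the statement.
function search_safe(mysqli $link, string $search_keyword): array
{
    $stmt = $link->prepare(
        'SELECT names FROM names_table WHERE search_keyword = ?'
    );
    $stmt->bind_param('s', $search_keyword);   // 's' = bind as a string
    $stmt->execute();
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
    $stmt->close();
    return $rows;
}

// Constructed input, taken from the "maybe" message in the thread. The
// unsafe builder produces a query whose text now contains the user's
// quotes and semicolons (with backslashes in front of the quotes). As the
// thread says, PHP is not executed and mysql_query() fails with a syntax
// error, but nothing in that construction stops user input from being
// read as SQL; the prepared statement does.
$keyword = '"); unlink ("search.php");';
echo build_query_unsafe($keyword), "\n";
// $rows = search_safe($link, $keyword);  // returns [] for this keyword
```

With the prepared statement, htmlspecialchars() is not a database concern at all; it belongs at output time, when the keyword is echoed back into the HTML page.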