Search with illegal characters

sarah

I have a form which someone can use to search a mysql database. But if an illegal character like ' or " is entered, it wigs out. addslashes wont work because the information in the database doesn't have a backslash before the characters. I'm sure there is a simple solution that doesn't involve exploding the search word. Any ideas?

Anon

Addslashes should work just fine since \" and \' get interpreted as just " and ' by the database. Besides that you should be checking any string entered by the user for it's validity, and for protection. If using ' or " will break your search a user could use it to do malicious things, like deleting every record from your database.

Just imagine a user entering a search string like this:

";DELETE * FROM table1

The " ends your actual search string, and the ; ends the SQL select command, and then the DELETE command gets run, this could be very bad. This type of "hack" is what most malicious script-kiddies do when they find a system that doesn't check what it's users are inputing.

sarah

You rock. Problem fixed. Thanks so much for the tip about the security hole. I really appreciate it, and I'm sure others will too.

Anon

Glad I could help.