
Search issue


brianmn

I have a search script on my site and I am having issues with it.

If, for example, I insert the following in the field: <?php echo 'test'; ?>

Instead of performing the normal search I get an error: "You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use..."

How do I fix this? My database contains code examples and such, so people could very easily be searching for some PHP statement or something. Also, I don't think it is very secure since it is obviously executing it.

I tried adding the following code but it didn't help.
$search = @strip_tags(htmlspecialchars(stripslashes($_GET['search'])));
 
0
•••
Hey, I think all you need to do is run a quick replacement before executing the search. Here's my solution:
Code:
$replacethis[0] = '/</';   # pattern: a literal <
$withthis[0] = '&lt;';     # replacement is plain text, not a pattern, so no delimiters

$replacethis[1] = '/>/';   # pattern: a literal >
$withthis[1] = '&gt;';

$search = preg_replace($replacethis, $withthis, $_GET['search']);

You may encounter some trouble with the replacements because of the ; character being part of the replacing string. If so, play around with the / and \'s until it's happy with it.
 
0
•••
Well, that didn't seem to fix the issue... :(
 
0
•••
Well I fixed my problem.

Simply by doing the following to my search string that was placed back into the search box:
Code:
htmlentities($_GET['search'], ENT_QUOTES)
And then this to the search string as it was passed in the MySQL query:
Code:
mysql_real_escape_string($search)

So thanks for the help.
 
0
•••
Shorty said:
Hey, I think all you need to do is run a quick replacement before executing the search. Here's my solution:
Code:
$replacethis[0] = '/</';   # pattern: a literal <
$withthis[0] = '&lt;';     # replacement is plain text, not a pattern, so no delimiters

$replacethis[1] = '/>/';   # pattern: a literal >
$withthis[1] = '&gt;';

$search = preg_replace($replacethis, $withthis, $_GET['search']);

You may encounter some trouble with the replacements because of the ; character being part of the replacing string. If so, play around with the / and \'s until it's happy with it.

OK, I have a similar way to do it that hasn't failed me yet:

Code:
$replacethis = array("<", ">"); # etc etc etc
$withthis = array("&lt;", "&gt;");   # entity for each character, in the same order
$search = str_replace($replacethis, $withthis, $_GET['search']);

(I've just used the variables Shorty used to keep it "consistent")

That code, though, is for your OUTPUT, not what you are searching the database with. If you search the database with that, you won't get any hits; you'll need to do something like $real_search_var = addslashes($_GET['search']); for the database search, otherwise you'll have a few security holes.
 
0
•••
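The two replies above make the same point from different angles: the entity replacement is for the HTML you print back, and the database query needs its own, separate handling. The following is an added example, not code from any post in this thread, that does both steps with current PHP APIs: the search term goes to MySQL as a bound parameter of a prepared statement (mysql_real_escape_string belongs to the old mysql extension, which was removed in PHP 7, and addslashes is not aware of the connection's character set), and the term is HTML-encoded only when it is echoed into the page. A term like the OP's <?php echo 'test'; ?>, quote and all, then matches rows literally instead of breaking the SQL. The table name snippets, its columns id, title and body, and the PDO connection string and credentials are assumptions (placeholders); the extra LIKE-wildcard escaping is there because a snippet database will be searched for strings such as $_GET, where _ would otherwise act as a one-character wildcard.

```php
<?php
// Added example (not from the thread). Assumes a table `snippets` with columns
// `id`, `title`, `body`, and a PDO connection with placeholder credentials.
declare(strict_types=1);

/**
 * Escape the LIKE wildcards '%' and '_' (and the escape character itself) so a
 * user searching for code such as "$_GET" matches literally. The value is still
 * sent as a bound parameter; this only controls LIKE's pattern semantics.
 */
function escapeLikePattern(string $term, string $escape = '!'): string
{
    return str_replace(
        [$escape, '%', '_'],
        [$escape . $escape, $escape . '%', $escape . '_'],
        $term
    );
}

/**
 * Run the search. Quotes, semicolons, "<?php" and so on in $term cannot alter
 * the statement, because the term travels as a parameter rather than as SQL text.
 */
function searchSnippets(PDO $pdo, string $term): array
{
    $sql = "SELECT id, title, body FROM snippets
            WHERE body LIKE :pattern ESCAPE '!'
            ORDER BY id
            LIMIT 50";
    $stmt = $pdo->prepare($sql);
    $stmt->bindValue(':pattern', '%' . escapeLikePattern($term) . '%', PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

/**
 * Output encoding for HTML (the search box value and the result list). This is
 * the htmlentities/ENT_QUOTES step from the thread, applied at output time only,
 * never to the value that goes into the database query.
 */
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Assumed connection details (placeholders, not from the thread).
$pdo = new PDO('mysql:host=localhost;dbname=example;charset=utf8mb4', 'user', 'pass', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // use server-side prepared statements
]);

$term = (string) ($_GET['search'] ?? '');

// The term is echoed back into the form with HTML encoding...
echo '<form method="get"><input type="text" name="search" value="' . h($term) . '"></form>';

// ...and passed to the query unencoded, as a parameter.
foreach (searchSnippets($pdo, $term) as $row) {
    echo '<h3>' . h($row['title']) . '</h3>';
    echo '<pre>' . h($row['body']) . '</pre>';
}
```

Keeping the two concerns in separate functions is the design point: h() is the only place HTML encoding happens, and searchSnippets() never sees an encoded string, so searching for < or > still finds rows containing those characters, which the entity-replacement approach alone would miss.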