genesisvh asked:
Is this secure enough?

I just wrote a quick search form but I want to see if this is secure enough. Can anyone please take a quick look? Thanks
<?php
// Connection details were left blank in the post; fill in host, user and password.
mysql_connect("", "", "") or die(mysql_error());
mysql_select_db("");

// Escape the submitted search term before it goes into the query string.
$search = mysql_real_escape_string(isset($_POST['search']) ? $_POST['search'] : '');

// Match the term against every searchable column, newest listings last.
$sql = mysql_query("SELECT * FROM apartments WHERE contact LIKE '%$search%' OR phone LIKE '%$search%' OR office LIKE '%$search%' OR town LIKE '%$search%' OR cross_streets LIKE '%$search%' OR description LIKE '%$search%' OR email LIKE '%$search%' OR rent LIKE '%$search%' ORDER BY `date_created`") or die(mysql_error());

echo "<strong>Click Headers to Sort</strong>";
// Single <table> element; the stray "table" tokens before class/id have been removed.
echo "<table border='0' align='center' bgcolor='#999969' cellpadding='3' bordercolor='#000000' class='sortable' id='results'>
<tr>
<th> Title </th>
<th> Rent </th>
<th> Bed </th>
<th> Bath </th>
<th> Contact </th>
<th> Office </th>
<th> Phone </th>
</tr>";

// One row per matching apartment; the title links to the listing by id.
while ($row = mysql_fetch_array($sql)) {
    echo "<tr>
        <td bgcolor='#FFFFFF' style='color: #000' align='center'>
           <a href='classified/searchapts/index.php?id=" . $row['id'] . "'>" . $row['title'] . "</a></td>
        <td bgcolor='#FFFFFF' style='color: #000' align='center'>" . $row['rent'] . "</td>
        <td bgcolor='#FFFFFF' style='color: #000' align='center'>" . $row['rooms'] . "</td>
        <td bgcolor='#FFFFFF' style='color: #000' align='center'>" . $row['bath'] . "</td>
        <td bgcolor='#FFFFFF' style='color: #000' align='center'>" . $row['contact'] . "</td>
        <td bgcolor='#FFFFFF' style='color: #000' align='center'>" . $row['office'] . "</td>
        <td bgcolor='#FFFFFF' style='color: #000' align='center'>" . $row['phone'] . "</td>
    </tr>";
}
echo "</table>";
// The leftover print_r($apts) debug call referenced an undefined variable and has been dropped.
?>

double_helix

Yes and no...
mysql_real_escape_string does escape special characters such as \x00, \n, \r, \, ', " and \x1a, although there are other ways a user can hack into your system using SQL injection.

One of the best ways to protect yourself against SQL injection attacks is to use prepared statements with parameters, but before you even get to the database, you can filter the input itself (in this case the search string).

One simple way of doing that would be as follows:
 
$search = preg_replace('/[^\w\'\" ]/i', '', $_POST['search']);


The above regular expression will REMOVE any characters that are not alphanumeric, space or quotes (as commonly used in searches). Any other character you can think of (such as <, >, (, ), ;, = etc.) that may be used in XSS attacks is stripped out.

You can easily add more safe characters to this list if you require, like hyphen, plus, comma, period etc. (/[^\w\'\"\-\+\,\. ]/i); however, the more accurate you are with your filtering, the safer you will be.

This together with the mysql_real_escape_string function gives you a reasonably safe query string to work with.

Hope this helps...
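The following is an added example, not code from the question or from double_helix's reply, showing the approach the answer recommends (prepared statements with parameters plus input filtering) applied to the asker's search form. It widens the character whitelist to cover e-mail addresses and phone numbers (@ . + - and space), escapes LIKE wildcards in the term, and HTML-encodes every value written into the results table, since filtering input alone does not stop a stored value from being rendered as markup. DB_HOST, DB_NAME, DB_USER and DB_PASS are placeholders; the table and column names are those from the asker's query.

```php
<?php
// Added example: hardened version of the apartment search from the question.
// Uses PDO prepared statements instead of the mysql_* functions. Connection
// values are placeholders; table/column names come from the asker's query.

function filterSearchTerm(string $raw): string
{
    // Whitelist: word characters, space, quotes, and the @ . + - that e-mail
    // addresses and phone numbers need. Everything else is dropped and the
    // length is capped. This narrows input; parameter binding below is what
    // keeps it out of the SQL text.
    $clean = preg_replace('/[^\w\'" @.+\-]/', '', $raw);
    return substr(trim($clean), 0, 100);
}

function searchApartments(PDO $db, string $term): array
{
    // % and _ are LIKE wildcards, so escape them in the user's term; the whole
    // pattern is then bound as data, never concatenated into the statement.
    $pattern = '%' . addcslashes($term, '%_\\') . '%';
    $sql = 'SELECT id, title, rent, rooms, bath, contact, office, phone
              FROM apartments
             WHERE contact LIKE ? OR phone LIKE ? OR office LIKE ? OR town LIKE ?
                OR cross_streets LIKE ? OR description LIKE ? OR email LIKE ? OR rent LIKE ?
             ORDER BY date_created';
    $stmt = $db->prepare($sql);
    $stmt->execute(array_fill(0, 8, $pattern)); // one copy of the pattern per placeholder
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

function h(string $value): string
{
    // Output encoding: every database value is HTML-escaped before it reaches
    // the page, which is what prevents injected markup in the results table.
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

$db = new PDO('mysql:host=DB_HOST;dbname=DB_NAME;charset=utf8mb4', 'DB_USER', 'DB_PASS', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // server-side prepares; ? placeholders bind cleanly
]);

$term = filterSearchTerm($_POST['search'] ?? '');
$rows = $term === '' ? [] : searchApartments($db, $term);

echo "<strong>Click Headers to Sort</strong>";
echo "<table border='0' align='center' bgcolor='#999969' cellpadding='3' class='sortable' id='results'>";
echo "<tr><th>Title</th><th>Rent</th><th>Bed</th><th>Bath</th><th>Contact</th><th>Office</th><th>Phone</th></tr>";
foreach ($rows as $row) {
    // The id is cast to int and URL-encoded so row data cannot alter the link.
    $href = 'classified/searchapts/index.php?id=' . urlencode((string) (int) $row['id']);
    echo "<tr>"
       . "<td><a href='" . h($href) . "'>" . h((string) $row['title']) . "</a></td>"
       . "<td>" . h((string) $row['rent'])    . "</td>"
       . "<td>" . h((string) $row['rooms'])   . "</td>"
       . "<td>" . h((string) $row['bath'])    . "</td>"
       . "<td>" . h((string) $row['contact']) . "</td>"
       . "<td>" . h((string) $row['office'])  . "</td>"
       . "<td>" . h((string) $row['phone'])   . "</td>"
       . "</tr>";
}
echo "</table>";
```

Positional `?` placeholders are used rather than one named `:p` repeated eight times because repeating a named parameter is rejected when emulated prepares are switched off. Note that the whitelist deliberately still allows quotes, as the reply suggests; that is safe only because the term never becomes part of the SQL string.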

ASKER

Thank you for the response, but I would like the user to search emails and phone numbers. When I implemented this I wasn't able to search for both. I guess I will need the @, - and space so one can do the search. How can I modify the above code to search for emails and phone numbers? Thanks
ASKER CERTIFIED SOLUTION
double_helix

This solution is only available to members.
Thanks for your help double_helix!