
Secure Database Query

Started by [SiNaN], May 12, 2008, 05:43:13 AM


[SiNaN]

I am trying to log the search words and have this query.

$insert_word = '"' . addslashes($_POST['search']) . '"';

//Insert it!
db_query("
INSERT IGNORE INTO {$db_prefix}log_search_words
(word)
VALUES ($insert_word)", __FILE__, __LINE__);


I did addslashes. Should I do anything else to make it secure?
Former SMF Core Developer | My Mods | SimplePortal

karlbenson

These:
Check if it's an array; if it is, use the first.
if(is_array($_POST['search']))
   $_POST['search'] = $_POST['search'][0];

stripslashes__recursive(); (SMF function to remove pre-existing slashes)

strip_tags(); to remove any HTML

un_htmlspecialchars() (to prevent double encoding).
$func['htmlspecialchars'](stripslashes($_REQUEST['search']), ENT_QUOTES)
(Note: you'll need access to $func)
(In 2.x that's)
$smcFunc['htmlspecialchars']($_POST['search'], ENT_QUOTES)

Now addslashes back to make it safe for insertion into the db.
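The steps from the reply above, written out as one function. This is an added example, not code from the thread or from SMF; it uses the plain PHP equivalents (in SMF 1.1.x, $func['htmlspecialchars'] and stripslashes__recursive() fill the same roles), the $max_len limit is an assumed value, and the sample input is constructed to look like a magic_quotes-escaped value.

```php
<?php
// Added example (not from the thread or from SMF): karlbenson's steps as one
// function, using plain PHP functions. $max_len is an assumed limit.

function prepare_search_word($raw, $max_len = 100)
{
    // Only accept a scalar: if search[] was submitted as an array, take the first entry.
    if (is_array($raw))
        $raw = reset($raw);
    $raw = (string) $raw;

    // Remove any slashes magic_quotes or earlier code already added, so nothing is double-escaped.
    $raw = stripslashes($raw);

    // Strip HTML, then trim and cap the length.
    $raw = trim(strip_tags($raw));
    if (strlen($raw) > $max_len)
        $raw = substr($raw, 0, $max_len);

    // Encode once; ENT_QUOTES turns both ' and " into entities, the same form SMF stores text in.
    return htmlspecialchars($raw, ENT_QUOTES);
}

// Constructed input: a search[] array whose first entry carries a magic_quotes-style
// escaped quote, an HTML tag and double quotes.
$_POST['search'] = array("O\\'Brien <b>\"bold\"</b>", 'ignored');
$word = prepare_search_word($_POST['search']);

// SMF 1.1.x (the query from the question): escape only now, right before interpolation.
// Quotes are already entities, so addslashes only has backslashes and NUL bytes left to handle.
$insert_word = "'" . addslashes($word) . "'";
// db_query("INSERT IGNORE INTO {$db_prefix}log_search_words (word) VALUES ($insert_word)", __FILE__, __LINE__);

// SMF 2.x: drop addslashes and let the {string:word} placeholder do the escaping.
// $smcFunc['db_query']('', '
//     INSERT IGNORE INTO {db_prefix}log_search_words (word)
//     VALUES ({string:word})',
//     array('word' => $word)
// );
```

The order matters: encoding before addslashes means the stored value has no raw quotes, and on 2.x the placeholder form removes the need to hand-escape at all.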
