Home/ Questions/Q 5995731
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-23T00:00:09+00:00

I have a PHP search suggestion script which uses MySQL as its back-end. I

  • 0

I have a PHP search suggestion script which uses MySQL as its back-end. I am aware there are many vunerabilities in my code, I was just wondering what I can do to make it more secure.

Here is my code:

<?php
$database=new mysqli('localhost','username','password','database');
if(isset($_POST['query'])){
    $query=$database->real_escape_string($_POST['query']);
    if(strlen($query)>0){
        $suggestions=$database->query(
            "SELECT * FROM search WHERE name LIKE '%" . $query .
             "%' ORDER BY value DESC LIMIT 5");
        if($suggestions){
            while($result=$suggestions->fetch_object()){
                 echo '<a>'.$result->name.'</a>';                       
            }
        }
    }
}
?>
Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Actually there aren’t, considering you are escaping the only external value in the SQL

    Anyway I suggest you to use PDO::prepare for queries. Go here for further infos

    http://it.php.net/manual/en/pdo.prepare.php

    Example:

    $sth = $dbh->prepare('SELECT * FROM article WHERE id = ?');
$sth->execute(array(1));
$red = $sth->fetchAll();
    • 0