Home/ Questions/Q 8648315
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-12T13:17:06+00:00

If i had a search input not account/password input, do i need to use

  • 0

If i had a search input not account/password input, do i need to use mysql_real_escape_string?
could be sql injection?? $sql just select where limit row

<input type="text" name="search">

include"set.php";
$search=$_POST["search"];
if(strlen($search)) >= $min_length){
    $sql="select * from $tbl where subject or content like '%search%';";
    ..  
}

(mysql: subject and content both ‘text’ type)

if i need to use, i try this but doesnt work. 

include"set.php";
$search=mysql_real_escape_string($_POST["search"]);
if(strlen($search)) >= $min_length){
    $sql="select * from $tbl where subject or content like '%search%';";
    ..
    if(mysql_num_rows($query)>0){
        while ($list= mysql_fetch_array($query)){
            $subject=$list[subject];
            $content=$list[content];
            $...=$list[...];
            print "subject: $subject, ....";
        }
    }
    else{
         print "no results";
    }
}
else{
print "minimum length is". $min_length;
}
Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    A. It should be $_POST not $_post variable name are case sensitive in PHP

    B. mysql_** Depreciated use mysqli_real_escape_string instead

    FROM PHP DOC

    Use of this extension is discouraged. Instead, the MySQLi or PDO_MySQL extension should be used. See also MySQL: choosing an API guide and related FAQ for more information. Alternatives to this function include:

    C. Its always better to design a search form with $_GET instead so that the URL can easily be saved

    Example 

    $search = filter_var($_GET["search"], FILTER_SANITIZE_STRING , FILTER_FLAG_STRIP_LOW | FILTER_FLAG_STRIP_HIGH);
if($search && strlen($search) > 3)
{
    $search = mysqli_real_escape_string($link, $search);
    $sql = sprintf("SSELECT * FROM %s where subject or content like '%s';",$tbl,"%s" . $search ."%s");
}

    D. You would never trust user input and aways validate and filter all the time

    • 0