Home/ Questions/Q 692309
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-14T02:38:14+00:00

I’ve read various sources but I’m unsure how to implement them into my code.

  • 0

I’ve read various sources but I’m unsure how to implement them into my code. I was wondering if somebody could give me a quick hand with it? Once I’ve been shown how to do it once in my code I’ll be able to pick it up I think! This is from an AJAX autocomplete I found on the net, although I saw something to do with it being vulnerable to SQL Injection due to the ‘%$queryString%’ or something? Any help really appreciated!

if ( isset( $_POST['queryString'] ) )
{
  $queryString = $_POST['queryString'];
  if ( strlen( $queryString ) > 0 )
  {
    $query = "SELECT game_title, game_id FROM games WHERE game_title LIKE '%$queryString%' || alt LIKE '%$queryString%' LIMIT 10";
    $result = mysql_query( $query, $db ) or die( "There is an error in database please contact support@laglessfrag.com" );
    while ( $row = mysql_fetch_array( $result ) )
    {
      $game_id = $row['game_id'];
      echo '<li onClick="fill(\'' . $row['game_title'] . '\',' . $game_id . ');">' . $row['game_title'] . '</li>';
    }
  }
}
Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    The injection vulnerability is that you’re passing user supplied data straight into a query without sanitizing it. In particular, this line is problematic:

    $queryString = $_POST['queryString'];

    If you use the function mysql_real_escape_string() around $_POST['queryString'], that will prevent users from being able to insert their own code.

    $queryString = mysql_real_escape_string($_POST['queryString']);
    • 0