This is an odd question. I have a friend who is working on an application. There is a table with 4 fields that holds a word and a definition among some other things. On a website there is a textbox in which a user can enter a string and the database is queried and looks for similar content while the string is being entered in the box. (A live search sort of thing).
Is there a security risk if whatever is being written is not actually being submitted like your regular site search? How would you validate the content at this time using regular expressions or the like?
As far as I know it's being written in PHP and JavaScript. Would you just have the JavaScript validate before querying? Or is it even necessary?
Thanks in advance! : )
There is always an inherent risk of malicious user input with regard to database queries. Take a quick look at this quick SQL Injection Wikipedia entry to familiarize yourself with the topic.
If you’re paranoid, you could whitelist characters in PHP using preg_replace() to remove any non-matching characters prior to querying.
You should, with few exceptions, be using mysql_real_escape_string() on any and all user supplied variables being used in the query. Exceptions include decimal values which you can typecast using (int), (float), etc.
As long as you aren’t using JavaScript to display the search text elsewhere on the page after submission of the input text, you shouldn’t need to do anything with regard to cross-site scripting (XSS) prevention.
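To make the answer concrete, here is an added example of a PHP live-search endpoint written from a defensive standpoint; it is not code from the question or the answer. It shows the concatenated query that creates the injection risk, then the hardened version: the character whitelist via preg_replace() that the answer mentions, a prepared statement with the term passed as a bound value, escaping of the LIKE wildcards (% and _) that a bound parameter does not neutralise, and HTML encoding of the results for the XSS case. The table and column names (word_list, word, definition), the regex alphabet, and the DSN are assumptions. Note that the mysql_* functions the answer names were removed in PHP 7.0; PDO prepared statements are the current equivalent. Client-side JavaScript validation does not replace any of this, because a request can be sent to the endpoint without the page's JavaScript ever running.

```php
<?php
// Added example (not from the original post). Table/column names, the whitelist
// alphabet and the PDO DSN are assumptions for illustration.
declare(strict_types=1);

// --- Vulnerable form, shown only to illustrate the risk ----------------------
// Concatenating the raw textbox value lets a single quote change the meaning of
// the SQL. It is here for contrast; the hardened functions below are the point.
function vulnerableSearchSql(string $term): string
{
    return "SELECT word, definition FROM word_list WHERE word LIKE '%" . $term . "%'";
}

// --- Hardened form -----------------------------------------------------------

// Optional whitelist, as the answer suggests: keep only letters, digits, spaces,
// apostrophes and hyphens (Unicode-aware), drop everything else, cap the length.
// What a dictionary "word" may contain is an assumption; adjust to your data.
function whitelistTerm(string $term): string
{
    $clean = preg_replace('/[^\p{L}\p{N} \'-]/u', '', $term) ?? '';
    return mb_substr(trim($clean), 0, 64);
}

// LIKE has its own metacharacters (% and _). A bound parameter stops SQL
// injection but does NOT stop a typed "_" from matching any character, so the
// wildcards are escaped with "!" and the query declares ESCAPE '!'.
function escapeLikeWildcards(string $term): string
{
    return strtr($term, ['!' => '!!', '%' => '!%', '_' => '!_']);
}

// Prepared statement: the SQL text is fixed; the user's term travels as a bound
// value and is never parsed as SQL, no matter what was typed.
function liveSearch(PDO $db, string $rawTerm, int $limit = 10): array
{
    $term = whitelistTerm($rawTerm);
    if ($term === '') {
        return [];
    }
    $pattern = '%' . escapeLikeWildcards($term) . '%';

    $stmt = $db->prepare(
        "SELECT word, definition FROM word_list
          WHERE word LIKE :pattern ESCAPE '!'
          LIMIT :lim"
    );
    $stmt->bindValue(':pattern', $pattern, PDO::PARAM_STR);
    $stmt->bindValue(':lim', $limit, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Output side (the XSS point in the answer): if results are rendered back into
// the page, encode them so a definition containing "<script>" shows as text.
function renderResultsHtml(array $rows): string
{
    $html = '<ul>';
    foreach ($rows as $row) {
        $html .= '<li><b>' . htmlspecialchars($row['word'], ENT_QUOTES | ENT_HTML5, 'UTF-8')
               . '</b>: ' . htmlspecialchars($row['definition'], ENT_QUOTES | ENT_HTML5, 'UTF-8')
               . '</li>';
    }
    return $html . '</ul>';
}

// Minimal endpoint wiring; DSN, database name and credentials are placeholders.
if (PHP_SAPI !== 'cli') {
    $db = new PDO(
        'mysql:host=localhost;dbname=DB_NAME_PLACEHOLDER;charset=utf8mb4',
        'DB_USER_PLACEHOLDER',
        'DB_PASS_PLACEHOLDER',
        [
            PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_EMULATE_PREPARES => false,   // real server-side prepares
        ]
    );
    header('Content-Type: application/json; charset=utf-8');
    // JSON_HEX_* flags keep the payload safe if a caller drops it into HTML.
    echo json_encode(
        liveSearch($db, $_GET['q'] ?? ''),
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
    );
}
```

The prepared statement is what actually removes the injection risk; the whitelist is defence in depth and also keeps the keystroke-driven queries cheap, and the LIMIT bound as an integer keeps a live search from pulling the whole table on a one-letter term.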