Home/ Questions/Q 7021177
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-27T23:24:57+00:00

This is my current code as it stands $search=$_GET[Search]; $search = addcslashes(mysql_real_escape_string($search), ‘%_’); THIS

  • 0

This is my current code as it stands

$search=$_GET["Search"];
$search = addcslashes(mysql_real_escape_string($search), '%_');

THIS CODE WAS GENERATED BY DREAMWEAVER CS4 FROM HERE ON

if (!function_exists("GetSQLValueString")) {
    function GetSQLValueString($theValue, $theType, $theDefinedValue = "", $theNotDefinedValue = "") 
    {
      if (PHP_VERSION < 6) {
        $theValue = get_magic_quotes_gpc() ? stripslashes($theValue) : $theValue;
      }

  $theValue = function_exists("mysql_real_escape_string") ? mysql_real_escape_string($theValue) : mysql_escape_string($theValue);

  switch ($theType) {
    case "text":
      $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
      break;    
    case "long":
    case "int":
      $theValue = ($theValue != "") ? intval($theValue) : "NULL";
      break;
    case "double":
      $theValue = ($theValue != "") ? doubleval($theValue) : "NULL";
      break;
    case "date":
      $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
      break;
    case "defined":
      $theValue = ($theValue != "") ? $theDefinedValue : $theNotDefinedValue;
      break;
  }
  return $theValue;
}
}

mysql_select_db($database_Echos, $Echos);

SQL Satement that Querys the db

$query_Recordset1 = "SELECT catelogue.ARTIST, catelogue.TITLE, catelogue.`CAT NO.`, catelogue.FORMAT, catelogue.`IMAGE PATH` FROM catelogue WHERE catelogue.TITLE LIKE '%$search%'";

More Dremweaver code

 $Recordset1 = mysql_query($query_Recordset1, $Echos) or die(mysql_error());
    $row_Recordset1 = mysql_fetch_assoc($Recordset1);
    $totalRows_Recordset1 = mysql_num_rows($Recordset1);

After this the data gets displayed in a table format

I’m still new to this all and in recent days have found out that you can put staements into my search term and destroy 8 months of database work. It’s not like the db isn’t backed up but I’d like to rather be safe then sorry.

I have read that a prepared statement is the best way to stop this How can I prevent SQL injection in PHP?.

But as I said I’m new to this and have very little understanding of this.

So Simple put is my code that DW created safe enough

Are there things that should change to make it simpler

And if it’s not safe enough how do I make it safer?

Do I use a prepared staement here? If so can someone please explain how to use it here

Please any help would be much appreciated

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Your code is suffering from a lot of bad practices, but it isn’t totally insecure or totally bad as the usual pieces of PHP code I’m used to seeing.

    To put it in simple terms – you don’t want to use PHP’s mysql_ functions. What you should do is use PDO.

    mysql_real_escape_string is safe but not 100%. For better explanation refer to the link that explains when mysql_real_escape_string is vulnerable.

    So what you would do is create prepared statements with PDO and then you bind the input values. PDO cleans them according to the character set and database being used, which makes it 100% safe and without worrying whether you missed out on something or not.

    • 0