Hey all, I made a textbox which autocompletes input by getting stuff from a database and it works like this now:

<script type="text/javascript">
$().ready(function() {
    $("#food").autocomplete("get_course_list.php", {
        width: 260,
        cacheLength: 10,
        matchContains: false,

        //mustMatch: true,
        //minChars: 0,
        //multiple: true,
        //highlight: false,
        //multipleSeparator: ",",
        selectFirst: true

    });
});
</script>

and this in the .php file:

<?php
require_once "config2.php";
$q = strtolower($_GET["q"]);
if (!$q) return;

$sql = "select DISTINCT voedsel as voed from voedingswaarden where voedsel LIKE '%$q%'";
$rsd = mysql_query($sql);
while($rs = mysql_fetch_array($rsd)) {
    $cname = $rs['voed'];
    echo "$cname\n";
}
?>

But now I read about SQL injections etc., so I wanted to protect my PHP script against that with mysql_real_escape_string(); but I can't seem to get it to work. Any ideas how to implement this in my .php file, and is this enough protection?

  • but I can't seem to get it to work. - how did you try? Commented Jan 16, 2011 at 15:35
  • I tried something like $q = strtolower($_GET["q"]); and then $q2 = mysql_real_escape_string('$q') and then use $q2 in the rest of the code. However, then the autocomplete function wouldn't work anymore. Commented Jan 16, 2011 at 15:42
  • I think you just forgot to change the variable name from $q to $q2. It was unnecessary to invent another variable, though; one is enough. Anyway, it's just a lack of attention, not a lack of knowledge. Commented Jan 16, 2011 at 15:49

2 Answers

$q = strtolower($_GET["q"]);

becomes

$q = mysql_real_escape_string(strtolower($_GET["q"]));

Your connection to the DB must be established and there must be only one link, but that is the case, otherwise your mysql_query wouldn't work correctly.

The code is not very elegant, but it'll work.

You may want to change this:

if (!$q) return;

to

if (strlen($q) == 0) return;

6 Comments

Thanks, this works like a charm! About the last part: is it that the first checks if there is any string at all, and the second checks if there is a string with length 0? Why exactly is the last one better? (I'm trying to learn :)) And b.t.w., is this enough protection against SQL injections right now?
@Javaaaa it's enough for this very code, but it will fail somewhere else.
What do you mean with "somewhere else" exactly?
For example, if you use some wrappers for mysql or connection libraries, have multiple database connections, etc.
@Javaaaa if your query goes to be SELECT voedsel FROM voedingswaarden WHERE id = $id it will fail to protect

I have said this before, but I think mysql_real_escape_string() should be deprecated and you should use PDO instead.

“PDO – PHP Data Objects – is a database access layer providing a uniform method of access to multiple databases.”

PDO is the new improved way to talk to your database. PDO has prepared statements which make your website faster/safer because:

A prepared statement is a precompiled SQL statement that can be executed multiple times by sending just the data to the server. It has the added advantage of automatically making the data used in the placeholders safe from SQL injection attacks.

2 Comments

It cannot make your site faster, though.
I am (almost) certain it makes your site faster because the queries are precompiled!
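The question's get_course_list.php rewritten with PDO prepared statements, as an added example that is not part of the question or either answer. It assumes config2.php defines $db_dsn, $db_user and $db_pass (hypothetical names; the real config2.php is not shown), keeps the table and column names from the question, and also covers the integer WHERE id = :id case mentioned in the comments on the first answer.

```php
<?php
// Added example, not code from the question or answers. Assumes config2.php
// defines $db_dsn, $db_user and $db_pass (hypothetical names).
require_once "config2.php";

$q = isset($_GET["q"]) ? strtolower($_GET["q"]) : "";
if (strlen($q) == 0) {
    return;
}

$pdo = new PDO($db_dsn, $db_user, $db_pass, [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares
]);

// The user input never becomes part of the SQL text: the statement is
// compiled with a placeholder and the value is sent separately, so quotes
// in $q cannot change the query's meaning.
$stmt = $pdo->prepare(
    "SELECT DISTINCT voedsel AS voed FROM voedingswaarden WHERE voedsel LIKE :pattern"
);

// LIKE wildcards are data too: escape % and _ in the input so a user typing
// "%" does not match every row, then add the surrounding wildcards ourselves
// (MySQL's default LIKE escape character is the backslash).
$escaped = addcslashes($q, "%_\\");
$stmt->execute([":pattern" => "%" . $escaped . "%"]);

while ($row = $stmt->fetch(PDO::FETCH_ASSOC)) {
    echo $row["voed"] . "\n";
}

// The case the comments warn about (WHERE id = $id): escaping quotes does
// not help because there are no quotes to break out of, but a typed
// placeholder still keeps the value out of the SQL text. The id column is
// taken from the comment and is assumed to exist.
function findById(PDO $pdo, $id)
{
    $stmt = $pdo->prepare("SELECT voedsel FROM voedingswaarden WHERE id = :id");
    $stmt->bindValue(":id", (int) $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchColumn();
}
```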
