
I was trying to make a custom search engine and secure it from SQL injection, but there is a part in my code that is making a change to the user-provided input that doesn't let me use the mysql_fix_string function. Here I get the user input:

 <?php
 include "conn.php";          // sets up $conn, the database connection
 $search = $_GET['search'];   // raw search term from the query string

Then I save it like this:

 $search = '%' . $search . '%';   // wrap the term in LIKE wildcards

I used this "'.$search.'" expression in all of my queries:

 switch ($radio) {
     case "author":
         // $search is concatenated straight into the SQL text
         $sql_author = 'SELECT * FROM classics WHERE author LIKE "'.$search.'"';
         $stm_good = $conn->query($sql_author);
         break;
 }

I'm not sure what '%'.$search.'%'; is doing to my input, but when I change my queries to just $search the whole search engine will not work. And when I use this '%'.$search.'%'; I can't secure my input from SQL injection with the mysql_fix_string function; when I do, it doesn't return any search results, just a blank page. That's why I think this '%'.$search.'%' code is the problem, so if you know anything about what '%' does to my code please tell me. I did a lot of research and couldn't find anything that explains it. All guidance is appreciated.

Your Common Sense
zanshan
  • We don't know what mysql_fix_string does but there is only one way to reliably prevent sql injection which is to use prepared statements and parameters. Any other method is likely to retain vulnerabilities. – ADyson May 06 '22 at 06:52
  • It seems you asked this question already and got many answers. It's no use asking again because you won't get any other answer. It remains the same. – Your Common Sense May 06 '22 at 06:52
  • dose `'%'` is how [mysql LIKE](https://www.google.com/search?q=mysql+like) works. mysql_fix_string should be never used. Use prepared statements instead. – Your Common Sense May 06 '22 at 06:55
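The fix the commenters point to, written out as an added example that is not the asker's code and not from the original page: the `%` characters are just the LIKE wildcards, so the pattern is built in PHP and then bound as one parameter with PDO, which keeps user input out of the SQL text entirely. The column name cannot be bound, so it is checked against a fixed list instead of being taken from `$radio` as-is, and LIKE's own wildcards (`%`, `_`) in the user's term are escaped so they match literally. The example assumes PHP with the pdo_sqlite extension; an in-memory SQLite table stands in for the asker's `classics` table and `conn.php` connection (with MySQL only the DSN changes), and the `search()` function and sample rows are constructed for this example.

```php
<?php
// Added example (not the asker's code): a parameterised LIKE search.
// Uses an in-memory SQLite database so it runs stand-alone; for MySQL the
// only change is the DSN, e.g. new PDO('mysql:host=...;dbname=...', $user, $pass).
$conn = new PDO('sqlite::memory:');
$conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed sample table standing in for the asker's `classics` table.
$conn->exec('CREATE TABLE classics (author TEXT, title TEXT)');
$ins = $conn->prepare('INSERT INTO classics (author, title) VALUES (?, ?)');
foreach ([['Jane Austen', 'Pride and Prejudice'],
          ['Charles Dickens', 'Hard Times'],
          ['Mary Shelley', 'Frankenstein']] as $row) {
    $ins->execute($row);
}

// Columns a user may search. Identifiers cannot be bound as parameters,
// so the column is chosen from this fixed list, never taken from $radio directly.
const SEARCHABLE = ['author', 'title'];

function search(PDO $conn, string $column, string $term): array
{
    if (!in_array($column, SEARCHABLE, true)) {
        throw new InvalidArgumentException("unknown search column: $column");
    }
    // Escape LIKE's own wildcards so a user typing "%" or "_" matches those
    // characters literally instead of matching everything. '!' is used as the
    // escape character because it needs no special quoting in MySQL or SQLite.
    $escaped = strtr($term, ['!' => '!!', '%' => '!%', '_' => '!_']);
    // Build the wildcard pattern in PHP and bind the WHOLE pattern as a value.
    // The SQL text never contains user input, so there is nothing to inject.
    $pattern = '%' . $escaped . '%';
    $stmt = $conn->prepare("SELECT * FROM classics WHERE $column LIKE ? ESCAPE '!'");
    $stmt->execute([$pattern]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Normal search, read the same way the asker reads $_GET['search'];
// the defaults make the script runnable from the command line too.
$term  = $_GET['search'] ?? 'dick';
$radio = $_GET['radio']  ?? 'author';
print_r(search($conn, $radio, $term));   // finds Charles Dickens

// A quote-and-comment payload is now just text to look for: it returns no
// rows and never alters the query, which is what mysql_fix_string could not guarantee.
print_r(search($conn, 'author', '" OR 1=1 -- '));   // empty result

// A term made only of wildcards matches literally, not every row.
print_r(search($conn, 'title', '%'));   // empty result
```

Note that `$conn->query($sql_author)` in the original builds the statement text from `$search`, so any quote character in the term changes the query's structure; `prepare()` plus `execute([$pattern])` sends the pattern separately from the SQL, which is why the `%` wrapping can stay exactly as the asker wrote it.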
