Where can I insert mysql_real_escape_string in here? And how to prevent HTML from being entered?
I have a PHP/MySQL DB search. When I search for HTML code, like /hr> tags, it alters the page and creates /hr>'s. I'd like to also protect this from SQL injection, but I don't know how.

Can I add the real escape string somewhere? Or no?

```php
<form action='trytosearch.php' method='GET'>
<center>
<h1>My Search Engine</h1>
<input type='text' size='90' name='search'></br></br>
<input type='submit' name='submit' value='Search here' ></br></br></br>
</center>
</form>
<?php
$button = $_GET['submit'];
$search = $_GET['search'];
if (!$button)
    echo "you didn't submit a keyword";
else {
    if (strlen($search) <= 1)
        echo "Search term too short";
    else {
        // $search is echoed back unescaped: any HTML typed into the box lands in the page as markup
        echo "You searched for <b>$search</b> <hr size='1'></br>";
        mysql_connect("localhost", "me_abc", "pass");
        mysql_select_db("table");
        $search_exploded = explode(" ", $search);
        $x = 0;
        $construct = "";
        foreach ($search_exploded as $search_each) {
            $x++;
            // each keyword is spliced straight into the SQL text, so quotes in the input change the query
            if ($x == 1)
                $construct .= "keywords LIKE '%$search_each%'";
            else
                $construct .= " AND keywords LIKE '%$search_each%'";
        }
        $construct = "SELECT * FROM listoga_db WHERE $construct";
        $run = mysql_query($construct);
        $foundnum = mysql_num_rows($run);
        if ($foundnum == 0)
            echo "Sorry, there are no matching result for <b>$search</b>.</br>";
        else {
            echo "$foundnum results found !<p>";
            while ($runrows = mysql_fetch_assoc($run)) {
                $title = $runrows['title'];
                $desc = $runrows['description'];
                $link = $runrows['link'];
                // values read back from the database are echoed unescaped as well
                echo " <a href='$link'><b>$title</b></a><br> ";
            }
        }
    }
}
?>
```
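The two problems in the post are separate layers, and the following is an added example (not code from the original post) that fixes each at the right layer: the keywords are bound as parameters of a prepared statement, so they never become part of the SQL text, and every value written into the page goes through htmlspecialchars() so `<hr>` typed into the search box is shown as text rather than interpreted as markup. The mysql_* functions the question asks about were removed in PHP 7, so PDO is used instead. The example keeps the post's table and column names (listoga_db, keywords, title, description, link). To run offline it seeds an in-memory SQLite table with a few constructed rows; that, the pdo_sqlite extension, and the function names used here are assumptions, and with MySQL only the DSN and credentials would change.

```php
<?php
// Added example: parameterised keyword search plus output encoding.
// Assumed schema (from the post): listoga_db(keywords, title, description, link).

/** Make a token safe inside a LIKE pattern: user-typed % and _ match literally. */
function likeLiteral(string $token): string
{
    // '!' is used as the LIKE escape character (portable between MySQL and SQLite)
    return strtr($token, ['!' => '!!', '%' => '!%', '_' => '!_']);
}

/** Build "keywords LIKE ? AND keywords LIKE ? ..." with the tokens as bound parameters. */
function buildSearchQuery(string $search): array
{
    // drop empty tokens: "a  b" would otherwise produce LIKE '%%', which matches every row
    $tokens = array_values(array_filter(explode(' ', $search), fn($t) => $t !== ''));
    if ($tokens === []) {
        return [null, []];
    }
    $clauses = [];
    $params  = [];
    foreach ($tokens as $token) {
        $clauses[] = "keywords LIKE ? ESCAPE '!'";
        $params[]  = '%' . likeLiteral($token) . '%';
    }
    $sql = 'SELECT title, description, link FROM listoga_db WHERE ' . implode(' AND ', $clauses);
    return [$sql, $params];
}

function runSearch(PDO $pdo, string $search): array
{
    [$sql, $params] = buildSearchQuery($search);
    if ($sql === null) {
        return [];
    }
    $stmt = $pdo->prepare($sql);   // SQL text is fixed; input travels only as parameters
    $stmt->execute($params);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

/** Encode a string for an HTML text node or a quoted attribute value. */
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function renderResults(string $search, array $rows): string
{
    $out = 'You searched for <b>' . h($search) . "</b><hr size='1'><br>\n";
    if ($rows === []) {
        return $out . 'Sorry, there are no matching results for <b>' . h($search) . "</b>.<br>\n";
    }
    $out .= count($rows) . " results found!<p>\n";
    foreach ($rows as $row) {
        // Database values are untrusted too. Encoding alone does not stop a stored
        // "javascript:" link, so the scheme is checked before the value goes into href.
        $link = preg_match('#^https?://#i', $row['link']) ? $row['link'] : '#';
        $out .= "<a href='" . h($link) . "'><b>" . h($row['title']) . "</b></a><br>\n";
    }
    return $out;
}

// ---- demo with constructed data; in-memory SQLite so it runs without a server ----
// For MySQL: new PDO('mysql:host=localhost;dbname=...;charset=utf8mb4', 'me_abc', 'pass')
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE listoga_db (keywords TEXT, title TEXT, description TEXT, link TEXT)');
$ins = $pdo->prepare('INSERT INTO listoga_db VALUES (?, ?, ?, ?)');
$ins->execute(['php mysql search', 'Searching in PHP', 'constructed row', 'https://example.com/php']);
$ins->execute(['100% cotton', 'Cotton shirts', 'constructed row', 'https://example.com/cotton']);

// A normal query, a literal "%", a classic injection probe and an HTML tag:
// the last two return no rows and appear in the page as plain text.
foreach (['php search', '100%', "' OR '1'='1", '<hr>'] as $q) {
    echo renderResults($q, runSearch($pdo, $q));
}
```

Two points worth keeping in mind when applying this to the original script. Escaping or stripping HTML from the input is the wrong layer: the same string may be shown in the page, logged, or stored, and each sink needs its own encoding, so encode with htmlspecialchars() at the point of output and leave the stored value alone. And mysql_real_escape_string, even where it is still available, only protects the string literal boundary; it does nothing about `%` and `_` acting as wildcards inside LIKE, which is why the example escapes those separately and declares the escape character with ESCAPE.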