我有一个 php/mysql 数据库搜索。当我搜索 html 代码(如 /hr> 标记)时,它会更改页面并创建 /hr>。我还想保护它免受 sql 注入,但我不知道如何。
我可以在某处添加真正的转义字符串吗?或没有?
<form action='trytosearch.php' method='GET'>
<center>
<h1>My Search Engine</h1>
<input type='text' size='90' name='search'></br></br>
<input type='submit' name='submit' value='Search here' ></br></br></br>
</center>
<?php
$button = $_GET ['submit'];
$search = $_GET ['search'];
if(!$button)
echo "you didn't submit a keyword";
else
{
if(strlen($search)<=1)
echo "Search term too short";
else{
echo "You searched for <b>$search</b> <hr size='1'></br>";
mysql_connect("localhost","me_abc","pass");
mysql_select_db("table");
$search_exploded = explode (" ", $search);
foreach($search_exploded as $search_each)
{
$x++;
if($x==1)
$construct .="keywords LIKE '%$search_each%'";
else
$construct .="AND keywords LIKE '%$search_each%'";
}
$construct ="SELECT * FROM listoga_db WHERE $construct";
$run = mysql_query($construct);
$foundnum = mysql_num_rows($run);
if ($foundnum==0)
echo "Sorry, there are no matching result for <b>$search</b>.</br>";
else
{
echo "$foundnum results found !<p>";
while($runrows = mysql_fetch_assoc($run))
{
$title = $runrows ['title'];
$desc = $runrows ['description'];
$link = $runrows ['link'];
echo "
<a href='$link'><b>$title</b></a><br>
";
}
}
}
}
?>