keyword search is exposing database.inc file what can I do?

Status
Not open for further replies.

rskuse

Technical User
Jul 18, 2002
74
GB
Hi,

I have a site up on the net that is a resource for all things technical!! It lists hundreds of IT-related companies that are available for search using two drop-down lists.
I have recently added a very simple keyword search (I'm a newbie and this is my first site using PHP and MySQL).
I am using the following code:

<table width=80% align=center>

<?php
mysql_pconnect('localhost','root','');
mysql_select_db('gmarch_support');

$result = mysql_query("SELECT * FROM keyit WHERE comment LIKE '%{$_REQUEST['search']}%' or company LIKE '%{$_REQUEST['search']}%' or type LIKE '%{$_REQUEST['search']}%' order by company LIMIT 0,10");

if(mysql_num_rows($result) == 0) {
    echo 'Sorry, no results were found';
} else {
    while($row = mysql_fetch_row($result)) {
        $akey = $row[0];
        $company = $row[1];
        $type = $row[2];
        $web = $row[3];
        $comment = $row[4];

        echo "<tr><td><a href='$web'><font size=2 face=Verdana, Arial, Helvetica, sans-serif color=#003366><b>$company</b></font></a></td></tr>";
        echo "<tr><td><font size=2 face=Verdana, Arial, Helvetica, sans-serif color=#003366>$comment</font></td></tr>";
    }
}
?>

</table>

At first this appears to work fine but when testing it I typed in "software" without the quotes and the first result is not a company (as it should be) but a string of text.
If you click on this you get a directory listing of our search directory which exposes our database.inc file so our db password!
This only happens when searching using keyword software.

For now I have placed an index.html file in the search directory to stop this until I can fix the problem.

The page can be viewed on the web at:


Can anyone tell me why this is happening?
I'm very confused!!

Thank you,

Rachel
 
This isn't going to solve your problem, but I recommend using a .php extension on your .inc files. Generally I use .inc.php as this still shows me it's an included file, but the .php will keep people from seeing the contents should bugs like this arise.

Best of luck with this.
 
Hmmm,

I typed in some keywords, such as web, computer etc.

Results seem to be fine.
Have you done a search in the database to find this entry?

BTW on the results page the left nav are broken links.

Hm, maybe you're updating the site now, 'cause now I'm getting no results


Later, Skater

 
Thanks for your replies guys.

I will use a .inc.php file from now on for my include files.

As a last resort to my directory problem, I logged on to my host's account and found that group privileges are enabled and that my files and directories are world readable. The account was set up by the company I work for so I had no idea. I am in the process now of changing all the privileges - what a nightmare!!

Thanks again,

Rach
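
An added example, not part of any post in this thread: a small audit of a web root for the three exposures discussed above (a directory with no index file, a bare .inc include, and include files that are world readable). The function names, the index file names and the sample tree are assumptions made for illustration, as is a server setup that passes only .php files to PHP.

```python
import os
import stat
import tempfile

INDEX_NAMES = {"index.html", "index.htm", "index.php"}  # assumed DirectoryIndex names


def audit_webroot(root):
    """Return sorted (relative_path, issue) pairs for the exposures in this thread."""
    findings = []
    for dirpath, _dirs, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        # No index file: the server may answer with a directory listing instead.
        if not INDEX_NAMES & {f.lower() for f in filenames}:
            findings.append((rel_dir, "no-index-file"))
        for name in filenames:
            lower = name.lower()
            if not (lower.endswith(".inc") or lower.endswith(".inc.php")):
                continue
            rel = os.path.normpath(os.path.join(rel_dir, name))
            # Assumption: a bare .inc is not handed to PHP, so it is sent as plain text.
            if lower.endswith(".inc"):
                findings.append((rel, "served-as-source"))
            # Renaming to .inc.php does not help against other local accounts.
            mode = os.stat(os.path.join(dirpath, name)).st_mode
            if mode & stat.S_IROTH:
                findings.append((rel, "world-readable"))
    return sorted(findings)


def build_sample(root):
    """Constructed sample tree of (path, mode) pairs, not the poster's real site."""
    sample = [("search/search.php", 0o644), ("search/database.inc", 0o644),
              ("fixed/index.html", 0o644), ("fixed/database.inc.php", 0o644),
              ("locked/index.php", 0o644), ("locked/database.inc.php", 0o640)]
    for rel, mode in sample:
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("<?php /* constructed placeholder */ ?>\n")
        os.chmod(path, mode)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for path, issue in audit_webroot(tmp):
            print(f"{issue:18} {path}")
```

In the sample tree, `fixed/database.inc.php` no longer leaks over HTTP but is still reported as world readable, which is the permissions problem found in the last post.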
 