Safety PHP

[Determ]

Moin Moin dr. Friends,

have a Question about Safety in PHP.

<?php
error_reporting(E_ALL);
//echo "<pre>\n";
//var_dump($_POST);
//echo"</pre>\n";

if (empty($_POST['cen'])){
echo "Keine Eingabe/No Input back to <a href=cen.php> entry</a>";
}else {
echo "Welcome you have\n";

$link = mysql_connect("", "", "");
mysql_select_db("Norm");

$auswa = "select * from cen where Norm like '%$cen%' or KurzEN like '%$cen%' Limit 0,9";
$sar = mysql_db_query("Norm", $auswa);
$nam = mysql_num_rows($sar);

$result = mysql_query($auswa) or die("Fehler0 / Error");
$num =mysql_num_rows($result);

$query = "SELECT
cen.Norm,
cen.Year,
cen.KurzEN,
cen.Reference,
cen.Comm,
cen.Code,
cen.ISO,
cen.other,
cen.Files,
iso.Norm as Stand,
iso.Year as Jahr,
iso.KurzISO,
iso.Reference as refer,
iso.Code as cde,
iso.Files,
enstand.Designation,
enstand.Comments
FROM cen
left join enstand on (cen.Norm = enstand.Designation)
LEFT JOIN iso ON (cen.ISO = iso.Norm)
WHERE
cen.Norm LIKE '".$_POST['cen']."' or cen.KurzEn like '".$_POST['cen']."'
ORDER BY cen.Norm ASC LIMIT 0,5";


$result1 = mysql_query($query) or die("Fehler1 / Error");

this Part works verry fine. But what we can make more safety for Injection.

The Problem is that People can give a Number (12345 or Bicycle as Word) in the Form in.
I self try mysql_real_escape take some Views to Prepared Statements, but it´s not so right
for this Script.

If you have maybe some Ideas or Help, let me know your Opinion.
Sory write a long Time no more so mutch in english

Greetings and a nice Weekend

 

[jpadie]

escape all variables used in the sql queries by using mysql_real_escape_string().

 

[jay8abear]

another note is that the "mysql" library is deprecated as of PHP 5.5.0 in favor of the new "mysqli" library. You should update your code to reflect this.
Take a look:

http://www.php.net/manual/en/intro.mysql.php

 

[jpadie]

deprecated, yes... 'new' .... no.

but i suspect that it won't be dropped for quite a while as (i) in all my tests, for typical website queries, mysql is at least as fast as mysqli, and not as processor intensive; and (ii) doing so would break backwards compatiblity for so many thousands of websites that people will stick on earlier versions of php; which would in turn not be in the best interests of the wider php community and hosts etc.

that said, I'm all for updating code for reasons of portability so i'd recommend using pdo or some other abstraction layer.

 

[Determ]

Moin Moin dr. Friends,

thanks for all Answers. We take for this Time the >> mysql_real_escape <<.
That what jpadie wrote, some Parts (Working with a Database) have a old XAMMP, Moves
and we need this Form.
Maybe the next Generation become the new Part.

Nice Day and 73 for now