Moin Moin, dear friends,
I have a question about safety in PHP.
<?php
error_reporting(E_ALL);
//echo "<pre>\n";
//var_dump($_POST);
//echo"</pre>\n";
if (empty($_POST['cen'])) {
    echo "Keine Eingabe/No Input back to <a href=cen.php> entry</a>";
} else {
    echo "Welcome you have\n";
    $link = mysql_connect("", "", "");
    mysql_select_db("Norm");
    // $cen was used below without ever being assigned; that only works with
    // register_globals on. Take it from the form explicitly.
    $cen = $_POST['cen'];
    // The raw form value is pasted straight into the SQL text (the injection point).
    $auswa = "select * from cen where Norm like '%$cen%' or KurzEN like '%$cen%' Limit 0,9";
    $sar = mysql_db_query("Norm", $auswa);
    $nam = mysql_num_rows($sar);
    // The same query is run a second time here.
    $result = mysql_query($auswa) or die("Fehler0 / Error");
    $num = mysql_num_rows($result);
    $query = "SELECT
    cen.Norm,
    cen.Year,
    cen.KurzEN,
    cen.Reference,
    cen.Comm,
    cen.Code,
    cen.ISO,
    cen.other,
    cen.Files,
    iso.Norm as Stand,
    iso.Year as Jahr,
    iso.KurzISO,
    iso.Reference as refer,
    iso.Code as cde,
    iso.Files,
    enstand.Designation,
    enstand.Comments
    FROM cen
    left join enstand on (cen.Norm = enstand.Designation)
    LEFT JOIN iso ON (cen.ISO = iso.Norm)
    WHERE
    cen.Norm LIKE '" . $_POST['cen'] . "' or cen.KurzEn like '" . $_POST['cen'] . "'
    ORDER BY cen.Norm ASC LIMIT 0,5";
    // Second injection point: $_POST['cen'] is concatenated into the query unescaped.
    $result1 = mysql_query($query) or die("Fehler1 / Error");
}
?>
This part works very fine. But what can we do to make it more safe against injection?
The problem is that people can give a number (12345) or a word (Bicycle) in the form.
I myself tried mysql_real_escape and took some views at prepared statements, but it's not so right
for this script.
If you maybe have some ideas or help, let me know your opinion.
Sorry, I have not written so much in English for a long time.
Greetings and a nice weekend
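The same search written with PDO prepared statements, as an added example that is not the poster's code: the value is bound as a parameter instead of pasted into the SQL text, and LIKE wildcards in the input are escaped so "12345" or "Bicycle" match literally. It assumes a PDO MySQL DSN, placeholder credentials, and the table and column names from the post.

```php
<?php
// Added example (not from the original post): prepared-statement version of
// the search. Assumes the PDO mysql driver and the cen/iso/enstand tables.
error_reporting(E_ALL);

function searchCen(PDO $pdo, string $term, int $limit = 5): array
{
    // The bound value travels separately from the SQL text, so quotes in
    // $term cannot change the query structure. % and _ are still LIKE
    // wildcards, so escape them (MySQL's default LIKE escape is backslash)
    // and add the surrounding % here rather than in the user's input.
    $pattern = '%' . addcslashes($term, '%_\\') . '%';

    $sql = "SELECT
        cen.Norm, cen.Year, cen.KurzEN, cen.Reference, cen.Comm,
        cen.Code, cen.ISO, cen.other, cen.Files,
        iso.Norm AS Stand, iso.Year AS Jahr, iso.KurzISO,
        iso.Reference AS refer, iso.Code AS cde, iso.Files AS isoFiles,
        enstand.Designation, enstand.Comments
    FROM cen
    LEFT JOIN enstand ON (cen.Norm = enstand.Designation)
    LEFT JOIN iso ON (cen.ISO = iso.Norm)
    WHERE cen.Norm LIKE :p1 OR cen.KurzEN LIKE :p2
    ORDER BY cen.Norm ASC
    LIMIT :lim";

    $stmt = $pdo->prepare($sql);
    $stmt->bindValue(':p1', $pattern, PDO::PARAM_STR);
    $stmt->bindValue(':p2', $pattern, PDO::PARAM_STR);
    // LIMIT must not be quoted: bind it as an integer.
    $stmt->bindValue(':lim', $limit, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

if (empty($_POST['cen'])) {
    echo "Keine Eingabe/No Input back to <a href=\"cen.php\">entry</a>";
} else {
    // Placeholder credentials; use real server-side prepares, not emulation.
    $pdo = new PDO('mysql:host=localhost;dbname=Norm;charset=utf8mb4', 'USER', 'PASS', [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES   => false,
    ]);
    $rows = searchCen($pdo, $_POST['cen']);
    echo "Welcome, you have " . count($rows) . " result(s)\n";
    foreach ($rows as $row) {
        // Escape on output as well, so stored data cannot inject HTML.
        echo htmlspecialchars($row['Norm'], ENT_QUOTES, 'UTF-8'), "\n";
    }
}
```

The second query in the post uses LIKE without % around the value; with the pattern built inside searchCen() that choice is made in one place instead of by whatever the user typed.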