Hello, I want to make this script safe, and I need a little bit of help. I just found online about htmlentities, mysql_real_escape_string and preg_split; could somebody explain to me where to place them, or if I need to make some changes to make it easier or better? Any help would be appreciated.

```php
<?php
include 'extern/connect.php';
$categories = file_get_contents('extern/categories.php');
$footer     = file_get_contents('extern/footer.php');
$logo       = file_get_contents('extern/logo.php');
$report     = file_get_contents('extern/report.php');
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="keywords" content="//////" />
<meta name="description" content="/////" />
<title>///////</title>
<link rel="shortcut icon" href="images/favicon.ico" />
<link rel="stylesheet" type="text/css" href="/css/style.css" />
<!--[if IE]>
<link rel="stylesheet" type="text/css" href="/css/ie-style.css" />
<![endif]-->
<script type="text/javascript" src="extern/stats.js"></script>
<script type='text/javascript' src='ajax/jquery-1.8.1.js'></script>
<script type="text/javascript">
$(document).ready(function(){
    $('._bxn').click(function(){
        var file_id = $(this).attr('id');
        $.ajax({ type: "POST", url: 'ajax/count.php', data: 'file_id=' + file_id });
    });
});
</script>
</head>
<body>
<div id="container">
<div id="header">
<div class="img"><?php echo $logo; ?></div>
<div id="form">
<form action='search.php' class='form-srch sr' method='GET'>
<input type='text' name='search' placeholder='Search here...' required>
<button type='submit' name='submit'>Search</button>
</form>
</div>
</div>
<div id="categories"><?php echo $categories; ?></div>
<?php
$button = $_GET['submit'];
$search = $_GET['search'];
// $search is echoed into the page unescaped here
echo "<div id='containerbartop'> <div id='dateadded'>Watch funny videos <b>$search</b> </div> <div id='populair'><a href='populair.php'>Populair</a></div></div><div id='thumbcontainer'><ul class='mainv'>";
include 'extern/connectsearch.php';

// Build one "title LIKE" condition per search word; each word is interpolated
// straight into the SQL string
$search_exploded = explode(" ", $search);
$x = 0;
$construct = "";
foreach ($search_exploded as $funny) {
    $x++;
    if ($x == 1)
        $construct .= "title LIKE '%$funny%'";
    else
        $construct .= " AND title LIKE '%$funny%'";
}

$constructs = "SELECT * FROM videos WHERE $construct";
$run = mysql_query($constructs);
$foundnum = mysql_num_rows($run);
if ($foundnum == 0)
    echo "Please try something else";

$per_page = 36;
$id = $_GET['id'];                 // page offset, taken from the query string as-is
$max_pages = ceil($foundnum / $per_page);
if (!$id)
    $id = 0;
$getquery = mysql_query("SELECT * FROM videos WHERE $construct ORDER BY date DESC LIMIT $id, $per_page");
while ($runrows = mysql_fetch_assoc($getquery)) {
    echo '<li class="thumbcontent"><a href="' . $runrows['url'] . '" class="_bxn" id="' . $runrows['id'] . '" target="_blank"><img src="' . $runrows['thumbs'] . '" class="thumb" name="' . $runrows['title'] . '" alt="' . $runrows['title'] . '" title="' . $runrows['title'] . '" width="240" height="180" /> </a><span class="thumbreport"><a href="raport.php?url=' . $runrows['url'] . '&thumb=' . $runrows['thumbs'] . '&title=' . $runrows['title'] . '" target="_blank">Report</a></span><span class="duration">' . $runrows['duration'] . '</span><span class="out"><a href="' . $runrows['exlink'] . '">' . $runrows['ex'] . '</a></span></li> ';
}
?>
</ul>
</div>
<div id="containerbarbottom">
<?php
// Pagination ids
echo "<center>";
$prev = $id - $per_page;
$next = $id + $per_page;
$adjacents = 5;
$last = $max_pages - 1;
if ($max_pages > 1) {
    // previous button
    if (!($id <= 0))
        echo "<div class='paginate'> <a href='funny.php?search=$search&submit=search&id=$prev'>Prev</a> </div>";

    // pages
    if ($max_pages < 7 + ($adjacents * 2)) { // not enough pages to bother breaking it up
        $i = 0;
        for ($counter = 1; $counter <= $max_pages; $counter++) {
            if ($i == $id) {
                echo "<div class='paginate'> <a href='funny.php?search=$search&submit=search&id=$i'><font color=orange><b>$counter</b></font></a></div> ";
            } else {
                echo "<div class='paginate'> <a href='funny.php?search=$search&submit=search&id=$i'>$counter</a></div> ";
            }
            $i = $i + $per_page;
        }
    } elseif ($max_pages > 5 + ($adjacents * 2)) { // enough pages to hide some
        if (($id / $per_page) < 1 + ($adjacents * 2)) {
            // close to beginning; only hide later pages
            $i = 0;
            for ($counter = 1; $counter < 4 + ($adjacents * 2); $counter++) {
                if ($i == $id) {
                    echo "<div class='paginate'> <a href='funny.php?search=$search&submit=search&id=$i'><font color=orange><b>$counter</b></font></a></div> ";
                } else {
                    echo "<div class='paginate'> <a href='funny.php?search=$search&submit=search&id=$i'>$counter</a></div> ";
                }
                $i = $i + $per_page;
            }
        } elseif ($max_pages - ($adjacents * 2) > ($id / $per_page) && ($id / $per_page) > ($adjacents * 2)) {
            // in middle; hide some front and some back
            echo " <div class='paginate'><a href='funny.php?search=$search&submit=search&id=0'>1</a></div> ";
            echo "<div class='paginate'> <a href='funny.php?search=$search&submit=search&id=$per_page'>2</a> ....</div> ";
            $i = $id;
            for ($counter = ($id / $per_page) + 1; $counter < ($id / $per_page) + $adjacents + 2; $counter++) {
                if ($i == $id) {
                    echo " <div class='paginate'><a href='funny.php?search=$search&submit=search&id=$i'><font color=orange><b>$counter</b></font></a></div>";
                } else {
                    echo " <div class='paginate'> <a href='funny.php?search=$search&submit=search&id=$i'>$counter</a></div> ";
                }
                $i = $i + $per_page;
            }
        } else {
            // close to end; only hide early pages
            echo " <div class='paginate'> <a href='funny.php?search=$search&submit=search&id=0'>1</a></div> ";
            echo " <div class='paginate'> <a href='funny.php?search=$search&submit=search&id=$per_page'>2</a> ....</div> ";
            $i = $id;
            for ($counter = ($id / $per_page) + 1; $counter <= $max_pages; $counter++) {
                if ($i == $id) {
                    echo "<div class='paginate'> <a href='funny.php?search=$search&submit=search&id=$i'><font color=orange><b>$counter</b></font></a></div>";
                } else {
                    echo " <div class='paginate'><a href='funny.php?search=$search&submit=search&id=$i'>$counter</a></div> ";
                }
                $i = $i + $per_page;
            }
        }
    }

    // next button
    if (!($id >= $foundnum - $per_page))
        echo "<div class='paginate'> <a href='funny.php?search=$search&submit=search&id=$next'>Next</a></div> ";
}
echo "</center>";
?>
</div>
<div id="reclame">
<iframe src="ifr.html" height="275" width="1050" frameborder="0" scrolling="no"></iframe>
</div>
<div id="footer"><?php echo $footer; ?></div>
</div>
</body>
</html>
```
Those functions can be used in many places in the code. You can use them for protection and security if that's what you are asking for, but if you are a beginner you should use a MySQL class from the internet which does all the security stuff.
@sorindsd, you can't tell the man to use a class while he's a beginner in the PHP world. @tasos, mysql_real_escape_string is deprecated (along with the whole mysql extension) since PHP 5.5.x, and will be throwing out E_DEPRECATED warnings. I strongly encourage you to use MySQL Improved or MySQL PDO; they still have the procedural style you're used to (using them like functions). PDO has a parametrize method that automatically escapes the statements, avoiding user exploits. Hope it helped.
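The PDO approach the reply above recommends, shown as an added example that is not code from this thread: the search and listing part of the original script rewritten so that the search words and the page offset are bound as parameters instead of being pasted into the SQL, and every database value is passed through htmlspecialchars() at output time. It assumes a `videos` table with the columns the original script reads, the same `search` and `id` GET parameters, and placeholder credentials in `connect()`; the helper names `buildTitleFilter`, `searchVideos`, `h` and `renderThumb` are my own, not part of PDO or of the original page.

```php
<?php
// Added example (not the thread's code): the OP's search + listing done with PDO.
// Assumptions: placeholder DSN/credentials below, a `videos` table with the columns
// the original script reads, and the same `search` / `id` GET parameters.
declare(strict_types=1);

function connect(): PDO
{
    // ERRMODE_EXCEPTION so a failed query is not silently ignored;
    // EMULATE_PREPARES off so the MySQL server does the parameter binding.
    return new PDO('mysql:host=localhost;dbname=DB_NAME;charset=utf8mb4', 'DB_USER', 'DB_PASS', [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES   => false,
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]);
}

/**
 * Build the WHERE fragment for a space-separated search string.
 * Every word becomes its own "title LIKE ?" placeholder, so the words never
 * become part of the SQL text. Returns [sqlFragment, params].
 */
function buildTitleFilter(string $search): array
{
    $words = preg_split('/\s+/', trim($search), -1, PREG_SPLIT_NO_EMPTY);
    if ($words === []) {
        return ['1=1', []];
    }
    $conditions = [];
    $params = [];
    foreach ($words as $word) {
        $conditions[] = 'title LIKE ?';
        // Escape LIKE metacharacters so a typed "%" or "_" matches literally.
        $params[] = '%' . addcslashes($word, '%_\\') . '%';
    }
    return [implode(' AND ', $conditions), $params];
}

function searchVideos(PDO $pdo, string $search, int $offset, int $perPage): array
{
    // $where only ever contains the constant fragments built above, never user text.
    [$where, $params] = buildTitleFilter($search);

    $count = $pdo->prepare("SELECT COUNT(*) FROM videos WHERE $where");
    $count->execute($params);
    $total = (int) $count->fetchColumn();

    // LIMIT/OFFSET must be bound as integers, not as quoted strings.
    $stmt = $pdo->prepare("SELECT id, url, thumbs, title, duration, exlink, ex FROM videos WHERE $where ORDER BY date DESC LIMIT ? OFFSET ?");
    foreach ($params as $i => $value) {
        $stmt->bindValue($i + 1, $value, PDO::PARAM_STR);
    }
    $stmt->bindValue(count($params) + 1, $perPage, PDO::PARAM_INT);
    $stmt->bindValue(count($params) + 2, $offset, PDO::PARAM_INT);
    $stmt->execute();

    return ['total' => $total, 'rows' => $stmt->fetchAll()];
}

/** HTML-escape once, at output time, for every value placed into the page. */
function h($value): string
{
    return htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function renderThumb(array $row): string
{
    // Values that go into a query string are URL-encoded first, then the whole attribute is HTML-escaped.
    $report = 'raport.php?' . http_build_query(['url' => $row['url'], 'thumb' => $row['thumbs'], 'title' => $row['title']]);
    return '<li class="thumbcontent">'
        . '<a href="' . h($row['url']) . '" class="_bxn" id="' . h($row['id']) . '" target="_blank">'
        . '<img src="' . h($row['thumbs']) . '" class="thumb" alt="' . h($row['title']) . '" title="' . h($row['title']) . '" width="240" height="180" /></a>'
        . '<span class="thumbreport"><a href="' . h($report) . '" target="_blank">Report</a></span>'
        . '<span class="duration">' . h($row['duration']) . '</span>'
        . '<span class="out"><a href="' . h($row['exlink']) . '">' . h($row['ex']) . '</a></span>'
        . '</li>';
}

// Input handling: the search term stays text; the offset is forced to a non-negative integer.
$search  = (string) ($_GET['search'] ?? '');
$offset  = max(0, (int) ($_GET['id'] ?? 0));
$perPage = 36;

$result = searchVideos(connect(), $search, $offset, $perPage);
echo "<div id='dateadded'>Watch funny videos <b>" . h($search) . "</b></div>";
if ($result['total'] === 0) {
    echo 'Please try something else';
}
foreach ($result['rows'] as $row) {
    echo renderThumb($row), "\n";
}
// Pagination links get the same treatment: build them with urlencode($search) and pass
// the finished href through h(), e.g. h('funny.php?search=' . urlencode($search) . '&submit=search&id=' . ($offset + $perPage)).
```

Two points are worth noticing in this version. The SQL text never changes shape based on the input: the word list only decides how many `title LIKE ?` placeholders there are, and the values travel separately through `execute()`/`bindValue()`, which is what makes quotes in the search string harmless. Escaping for HTML is done in one helper at the moment a value is written into the page rather than when it is read from the request, so the same stored title is escaped correctly whether it ends up in an attribute, in element text, or URL-encoded inside the report link.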