How to Stop Inappropriate Contents to Insert in Database (PHP)

Hi,

Created a website for my client https://www.jeenmount.com/ and client need to see what people searching for on his site. So we are inserting each search in database or increase number of search if Key already exist there.

My issue is inappropriate search like below

">alert(String.fromCharCode(88,83,83))
place for destination wedding'A=0
pink city mall in jaipur" or (1,2)=(select*from(se
pink city mall in jaipur99999' union select unhex(
heritage wedding resort hotel jaipur" and "x"="y
heritage wedding resort hotel jaipur and 1>1

I think this types of search are doing by Bots or any other things.

What i am looking for is ...... If search queries are with these types of strings or inappropriate characters then either clear code and adjust in proper format or avoid to insert in database.

Please help us that how can we do that.

Using already "mysql_real_escape_string" "htmlspecialchars" for security but unable to stop inappropriate contents to insert in database.

Hope for quick response.

 

Most of these are hack codes bro.

Like that alert javascript search.

They are hoping that if you echo/print the search term on a webpage, then that javascript code will get executed in browser.
Some websites show "recent/popular searches" to their website visitors, and they show the search term on website.
So that alert code will come out as a search term from database, and when you will echo/print it, the code will get executed in browser.
I think this one is made to show an ad for that wedding hall to all your website visitors...
However, <script> </script> is missing, so it won't get executed, but will look bad.

That other one, with "select query", that is trying to execute a query to your database.
That is failing because of your escaping the string before sending it to database.

That "&1>1" is also hack code.

Do a strip_tags($input) on the search term before sending it to database.
That removes all html, so that javascript code will get removed, or at least will become harmless.

Normally, for something like this, I replace all garbage characters in the input, so only english alphabets and numbers can go as search term.

Secondly, limit the max length that can be seen as verified search term.
Like:

<?php

$term = $_POST['term'];

//remove html from term
$term= trim(strip_tags($term));

//make sure user submitted something, and its not just empty $term
if( strlen($term)>2 ){

//take only fixed length from search term, like first 8 chars
$term= substr($term, 0, 8);

$term= addslashes($term);
//you can use real escape here instead of addslashes, does same thing.
//or you can use PHP's new sanitize, also does the same thing what addslashes does.

$sql= "select field1, field2 from tableName where field like '%$term%' limit 10 ";

//execute query, display result etc etc

//if result was found, only then add search term to database.
//no point adding a search term which has no results...

}//strlen check for $term ends
?>

Another option is, make a large file of expected spam words,
check the submitted search term against those spam words.
If found, then ignore the search query.
Like:

<?php

$spam=array( 'alert', 'select', 'union', '1>1' );

$term= addslashes(trim(strip_tags($_POST['term'])));

foreach( $spam as $word ){
if( strpos( strtolower($term), $word ) !== false ){
//spam word found, ignore or do whatever
}
}


?>