Hello all, i want to know if this is safe, or how can i make this safe if not i am just a begginer at php. $id (is the pagination) $per_page (is how many i want to show) $construct (is table from where i want to select) Thanks. $getquery = mysql_query("SELECT * FROM `videos` WHERE $construct ORDER BY date DESC LIMIT $id, $per_page"); PHP:
Unfortunately, the code you've provided is not enough in order to tell whether it's safe or not. Where do the variables come from? What do they contain? Are they user defined? What I can tell you for sure, is that your code is very old and out-dated. The mysql_* functions are deprecated and should be avoided at all cost. You should switch to a newer, safer, and faster library such as PDO. Take a look at this to get started: http://wiki.hashphp.org/PDO_Tutorial_for_MySQL_Developers
Thanks for the PDO i will try to do it that way, but i have already allot of pages for this website. I would like to keep this script, do i need to post more code of my script to get help with it ?.
I post the complete script is bether i think. Here below is the first part. <?php $button = $_GET ['submit']; $search = $_GET ['search']; echo " "; include 'extern/connectsearch.php'; $search_exploded = explode (" ", $search); foreach($search_exploded as $funny) { $x++; if($x==1) $construct .="title LIKE '%Funny%'"; else $construct .="AND title LIKE '%Funny%'"; $constructs ="SELECT * FROM videos WHERE $construct"; $run = mysql_query($constructs); $foundnum = mysql_num_rows($run); if ($foundnum==0) echo "Sorry, there are no matching result for <b>$search</b>.</br></br>1. "; $per_page = 36; $id = ($_GET['id']); $max_pages = ceil($foundnum / $per_page); if(!$id) $id=0; $getquery = mysql_query("SELECT * FROM videos WHERE $construct ORDER BY date DESC LIMIT $id, $per_page"); $thumbs = $runrows ['thumbs']; $title = $runrows ['title']; $channel = $runrows ['channel']; $url = $runrows ['url']; $duration = $runrows ['duration']; while($runrows = mysql_fetch_assoc($getquery)) { echo ' '; } echo "<center>"; ?> PHP: And here below is the pagination <?php //Pagination ids echo "<center>"; $prev = $id - $per_page; $next = $id + $per_page; $adjacents = 5; $last = $max_pages - 1; if($max_pages > 1) { //previous button if (!($id<=0)) echo "<div class='paginate'> <a href='funny.php?search=$search&submit=search&id=$prev'>Prev</a> </div>"; //pages if ($max_pages < 7 + ($adjacents * 2)) //not enough pages to bother breaking it up { $i = 0; for ($counter = 1; $counter <= $max_pages; $counter++) { if ($i == $id){ echo "<div class='paginate'> <a href='funny.php?search=$search&submit=search&id=$i'><font color=orange><b>$counter</b></font></a></div> "; } else { echo "<div class='paginate'> <a href='funny.php?search=$search&submit=search&id=$i'>$counter</a></div> "; } $i = $i + $per_page; } } elseif($max_pages > 5 + ($adjacents * 2)) //enough pages to hide some { //close to beginning; only hide later pages if(($id/$per_page) < 1 + ($adjacents * 2)) { $i = 0; for ($counter = 1; $counter < 4 + ($adjacents * 2); $counter++) { if ($i == $id){ echo "<div class='paginate'> <a href='funny.php?search=$search&submit=search&id=$i'><font color=orange><b>$counter</b></font></a></div> "; } else { echo "<div class='paginate'> <a href='funny.php?search=$search&submit=search&id=$i'>$counter</a></div> "; } $i = $i + $per_page; } } //in middle; hide some front and some back elseif($max_pages - ($adjacents * 2) > ($id / $per_page) && ($id / $per_page) > ($adjacents * 2)) { echo " <div class='paginate'><a href='funny.php?search=$search&submit=search&id=0'>1</a></div> "; echo "<div class='paginate'> <a href='funny.php?search=$search&submit=search&id=$per_id'>2</a> ....</div> "; $i = $id; for ($counter = ($id/$per_page)+1; $counter < ($id / $per_page) + $adjacents + 2; $counter++) { if ($i == $id){ echo " <div class='paginate'><a href='funny.php?search=$search&submit=search&id=$i'><font color=orange><b>$counter</b></font></a></div>"; } else { echo " <div class='paginate'> <a href='funny.php?search=$search&submit=search&id=$i'>$counter</a></div> "; } $i = $i + $per_page; } } //close to end; only hide early pages else { echo " <div class='paginate'> <a href='funny.php?search=$search&submit=search&id=0'>1</a></div> "; echo " <div class='paginate'> <a href='funny.php?search=$search&submit=search&id=$per_id'>2</a> ....</div> "; $i = $id; for ($counter = ($id / $per_page) + 1; $counter <= $max_pages; $counter++) { if ($i == $id){ echo "<div class='paginate'> <a href='funny.php?search=$search&submit=search&id=$i'><font color=orange><b>$counter</b></font></a></div>"; } else { echo " <div class='paginate'><a href='funny.php?search=$search&submit=search&id=$i'>$counter</a></div> "; } $i = $i + $per_page; } } } //next button if (!($id >=$foundnum-$per_page)) echo "<div class='paginate'> <a href='funny.php?search=$search&submit=search&id=$next'>Next</a></div> "; } echo "</center>"; } ?> PHP:
Anything that comes to you from a $_GET or $_POST needs to be cleaned. Run it through the steps suggested in the PDO or get a decent database handler class from somewhere that already has all the good stuff built in. Security is too important - don't feel like it's cheating to use a handler, or like your script doesn't need to be that complicated. If you have a form on your page it will get found and you do run a risk. Hackers don't apply a whole lot of logic about the value of the information they can steal or the impact of their actions.