Quote:
Originally Posted by mikewertheim
You should use it on every page that allows the user to type in information that will be stored in the database.
Quote:
Originally Posted by ScriptMan
Only if the searches are entered into the DB. Injection happens mostly when you or others enter data. Reading poses minimal problems if any.
The search query will naturally need to be used in a query against the database to perform the search, whether it's SELECT or INSERT is really quite irrelevant, it's subject to injection as long as you use user input in a query.
Quote:
Originally Posted by yy885
em...so basically it will be on every page as I have a search box on every page...
Indeed. You should use an abstraction layer for your SQL queries though, so it's not any work if done properly from the start. If you don't have that the easy way is to make a file such as this:
PHP Code:
<?php
// Recursive so nested input (e.g. checkbox groups such as items[]) is escaped
// too instead of mysql_real_escape_string() raising a warning on an array.
function escape($var) {
    if (is_array($var)) {
        return array_map('escape', $var);
    }
    // Here you can check the type or specific keys or whatever you want, but
    // generally this alone is sufficient to make the value safe for use inside
    // a quoted string in a query. (Again, you shouldn't really use the static
    // mysql_ functions; switch to an abstraction layer. mysql_real_escape_string()
    // also needs an open connection, so include this file after connecting.)
    return mysql_real_escape_string($var);
}
$_POST = array_map('escape', $_POST);
$_GET = array_map('escape', $_GET);
?>
You can then include that file (say, escape.php) in all files and you'll be set. That will escape any and all user input. If you have input you don't want to escape for some reason or another, remove the array_map and call escape() manually per variable.
edit: speaking of includes, why do you have the search in multiple files? Just put it in a search-widget.php or whatever and include that file where it's supposed to be.
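As an added example (not code from anyone in this thread), here is what the "abstraction layer" approach looks like for the search widget being discussed: the search term is bound as a parameter of a PDO prepared statement, so it never becomes part of the SQL text and no global escaping of $_GET/$_POST is needed. It assumes the pdo_sqlite extension is available and builds an in-memory SQLite table with constructed sample rows so it runs stand-alone; the function names and the sample data are my own.

```php
<?php
// Added example: a search widget backed by PDO prepared statements instead of
// escaping $_GET/$_POST globally. Uses an in-memory SQLite database with
// constructed sample rows so it runs stand-alone (assumes pdo_sqlite).

function connect(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT NOT NULL)');
    $stmt = $db->prepare('INSERT INTO articles (title) VALUES (:title)');
    // Constructed sample rows; the third one contains a literal "%".
    foreach (['PHP escaping basics', 'Using PDO prepared statements', '100% pure SQL'] as $title) {
        $stmt->execute([':title' => $title]);
    }
    return $db;
}

// Escape LIKE metacharacters so a user typing "%" or "_" matches those characters
// literally. This is about LIKE semantics only; the parameter binding in search()
// is what keeps the term from altering the query.
function likePattern(string $term): string {
    return '%' . strtr($term, ['\\' => '\\\\', '%' => '\\%', '_' => '\\_']) . '%';
}

// Hardened search: the user's text is sent as a bound value, never interpolated.
function search(PDO $db, string $term): array {
    $stmt = $db->prepare(
        "SELECT id, title FROM articles WHERE title LIKE :pattern ESCAPE '\\' ORDER BY id"
    );
    $stmt->execute([':pattern' => likePattern($term)]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// What the thread warns about, kept only for contrast: interpolating the raw
// term into the SQL string lets a quote in the input change the query's shape.
function searchUnsafe(PDO $db, string $term): array {
    $sql = "SELECT id, title FROM articles WHERE title LIKE '%" . $term . "%'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

$db = connect();
// Constructed input: from the CLI, fall back to a term containing a quote.
$term = $_GET['q'] ?? "%' OR '1'='1";

// search() treats the term as literal text (no title contains it, so 0 rows),
// searchUnsafe() returns every row because the quote terminated the string.
printf("safe: %d row(s)\n", count(search($db, $term)));
printf("unsafe: %d row(s)\n", count(searchUnsafe($db, $term)));
// A bare "%" matches only the row that really contains a percent sign.
printf("literal %%: %d row(s)\n", count(search($db, '%')));
```

Drop the search into a search-widget.php as suggested above and have it call search() with the connection your page already has; because the term is bound rather than escaped, the same code works whether the box is used for SELECTs or the term is later INSERTed into a search log.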