Prevent SQL injections?

[Guest mony]

I have a simple search code. I was told that a script kiddie.. Or someone with very little knowledge could use the un-protected text box to inject SQL and get into my database. I need to know how to prevent this from happening. I have searched everywhere and found absolutely nothing... Also I can enter tags like <b> or <input type="text" and it executes the html code when I press submit. I know there is a way you can restrict the use of html.. Can someone please help me here?Here is he search script.

<?//connect to mysql//change user and password to your mySQL name and passwordmysql_connect("localhost","user","password"); 	//select which database you want to editmysql_select_db("database"); $search=$_POST["search"];//get the mysql and store them in $result//change whatevertable to the mysql table you're using//change whatevercolumn to the column in the table you want to search$result = mysql_query("SELECT * FROM news WHERE message LIKE '%$search%'");//grab all the contentwhile($r=mysql_fetch_array($result)){	   //the format is $variable = $r["nameofmysqlcolumn"];   //modify these to match your mysql table columns     $title=$r["title"];   $message=$r["message"];   $who=$r["who"];   $date=$r["date"];   $time=$r["time"];   $id=$r["id"];      //display the row   echo "$title <br> $message <br> $who <br> $date | $time <br>";}?>

[jesh]

I generally prevent them by 1) only running stored procedures against the database and 2) converting all of the inputs into the appropriate data types. For example, if I expect a number to be inputted, I will attempt to convert that input to an integer or a float/double, etc before I attempt to access the database with that data.A first step is to simply escape the input so that single quotes (') are escaped (\'). Since you are using PHP, I believe the function you are looking for is mysql_escape_string(). If I'm wrong, I'm sure a PHP expert on here can correct me. :)Wikipedia has a great article on SQL injection. It also describes ways to prevent it:http://www.wikipedia.org/wiki/Sql_injectionGood luck!

[xpriens]

Jesh is right!!! The best possible way to prevent this is by using "Stored Procedures' and also check some articles on "Cross Site Scripting" and "SQL Injection".......these two are the most vulnerable attacks in Websites for SQL.......Typecasting each variable before using it in Query, and also using the Encryptor for transfering data is a good way to get into this.........

[justsomeguy]

As far as the HTML question goes, if you want to remove all tags altogether, PHP has a function called strip_tags that will do that. Or, if you want to display the HTML on your page, so that people see something like <input type... instead of an actual input box, you can use the htmlentities function to convert the HTML characters.echo strip_tags($input);echo htmlentities($input);

[zachninme]

I am using the mysql_escape_string() , and is there any way to strip the "/"s when I get the data back from the DB?

[miffe]

I am using the mysql_escape_string() , and is there any way to strip the "/"s when I get the data back from the DB?

use php replace command for that.I have a question concerning this:As you can insert SQL queries into textboxes when not using mysql_escape_string by terminating the SELECT query in the textbox in some systems... wouldnt it be easier to do a function to check if there is an SQL query written in the textbox and if there is note that this is an attempt at sql injection, notify the user that this is impossible and just not allow login or the function the person is trying?I mean, no idea what I'm saying really... just a thought.