我有一个php/mysql数据库搜索。当我搜索html代码时,如/ hr>标签会改变页面并创建/ hr>。我也想保护这从sql注入,但我不知道如何。哪里可以在这里插入mysql_real_escape_string?以及如何防止输入html?
我可以在某处添加真正的转义字符串吗?或没有?
<form action='trytosearch.php' method='GET'>
<center>
<h1>My Search Engine</h1>
<input type='text' size='90' name='search'></br></br>
<input type='submit' name='submit' value='Search here' ></br></br></br>
</center>
<?php
$button = $_GET ['submit'];
$search = $_GET ['search'];
if(!$button)
echo "you didn't submit a keyword";
else
{
if(strlen($search)<=1)
echo "Search term too short";
else{
echo "You searched for <b>$search</b> <hr size='1'></br>";
mysql_connect("localhost","me_abc","pass");
mysql_select_db("table");
$search_exploded = explode (" ", $search);
foreach($search_exploded as $search_each)
{
$x++;
if($x==1)
$construct .="keywords LIKE '%$search_each%'";
else
$construct .="AND keywords LIKE '%$search_each%'";
}
$construct ="SELECT * FROM listoga_db WHERE $construct";
$run = mysql_query($construct);
$foundnum = mysql_num_rows($run);
if ($foundnum==0)
echo "Sorry, there are no matching result for <b>$search</b>.</br>";
else
{
echo "$foundnum results found !<p>";
while($runrows = mysql_fetch_assoc($run))
{
$title = $runrows ['title'];
$desc = $runrows ['description'];
$link = $runrows ['link'];
echo "
<a href='$link'><b>$title</b></a><br>
";
}
}
}
}
?>
可能的重复[如何防止SQL注入PHP?](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) – Nanne