I just built a search engine with MySQL, and I am looking for the best ways to protect it from query injections. The database doesn't contain any personal data or anything, just plain information that is easy for me to input on pages.
Though, I still don't want the database messed around with. How can I protect it?
Also, I am going to be working on creating my own CMS system for this database, and I want to protect my CMS admin page. I was thinking that I could use a few different login pages into the admin page, plus a special code/password that has to be inserted for every form to be processed. Would this be enough protection for my CMS?
Thanks for any advice.
    // A search term such as the following is the classic injection input:
    //   example' OR '1=1
    // sanitized() escapes quotes, backslashes and NUL bytes using the open
    // MySQL connection, then wraps the result in quotes so it is a complete
    // SQL string literal. (mysql_real_escape_string needs an open connection
    // and belongs to the old mysql extension, which was removed in PHP 7.)
    function sanitized($string) {
        return "'" . mysql_real_escape_string($string) . "'";
    }

and then, if the actual search term is stored in $_POST['search']:

    $search = sanitized($_POST['search']);
    $query = "SELECT * FROM databasename WHERE columnname=" . $search;
Also, remember to use SSL for all of your backend admin (this includes phpMyAdmin).
Using multiple login pages seems a bit hokey ... but using a login page and also using Apache .htaccess logins might be a good idea (that way people/spiders can't see what's on the login page at all until they get past the standard .htaccess auth, then you have your custom login).
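The same search lookup as in the reply above, written with a PDO prepared statement so the user's term is sent to MySQL separately from the SQL text. This is an added example, not code from the thread; the DSN/credential placeholders and the table `pages` with columns `id`, `title` and `body` are assumptions.

```php
<?php
// Added example: a search query that cannot be altered by the search term,
// because the term is bound as a parameter instead of spliced into the SQL.
// Placeholder DSN/credentials and the `pages` table are assumptions.
function connectDb(): PDO
{
    return new PDO(
        'mysql:host=localhost;dbname=DB_NAME_PLACEHOLDER;charset=utf8mb4',
        'DB_USER_PLACEHOLDER',
        'DB_PASSWORD_PLACEHOLDER',
        [
            PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares
        ]
    );
}

function searchPages(PDO $pdo, string $term, int $limit = 20): array
{
    // The term never becomes part of the SQL string: an input such as
    //   example' OR '1=1
    // is compared literally against the body column, not parsed as SQL.
    // '%' and '_' are LIKE wildcards, so escape them too; otherwise a term
    // of "%" would match every row. MySQL's default LIKE escape char is '\'.
    $needle = '%' . addcslashes($term, '%_\\') . '%';

    $stmt = $pdo->prepare(
        'SELECT id, title FROM pages WHERE body LIKE :needle LIMIT :lim'
    );
    $stmt->bindValue(':needle', $needle, PDO::PARAM_STR);
    $stmt->bindValue(':lim', $limit, PDO::PARAM_INT); // integer, not quoted
    $stmt->execute();

    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Usage from the search form, the same $_POST['search'] lookup as above.
$term = trim((string) ($_POST['search'] ?? ''));
if ($term !== '') {
    foreach (searchPages(connectDb(), $term) as $row) {
        // Escape on output as well, so stored page text cannot inject HTML.
        echo htmlspecialchars($row['title'], ENT_QUOTES, 'UTF-8'), "\n";
    }
}
```

With the parameter bound this way there is nothing to escape by hand, so the sanitized() wrapper from the reply is not needed; the wildcard escaping is the only per-query handling left.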