[Mediawiki-l] Simple search hack problems
Brion Vibber
brion at pobox.com
Fri Sep 24 18:57:04 UTC 2004
On Sep 24, 2004, at 1:08 PM, Moonlight Embrace wrote:
> I'm using this line in searchengine.php
>
> mysql_query("INSERT INTO wsearch (usersearch) VALUES
> ('".$_REQUEST['search']."')") or die(mysql_error());
>
> However, I'm confused as to where to put it; either I get just search
> queries and not the "go"s, or I get a No Database Selected error.

Rather than mysql_query directly, try the wfQuery() wrapper function;
this will make sure the database connection is set up before sending
the query.

Also, as written you're open to SQL injection attacks. Never stick
strings directly into SQL; wrap it in an escaping function (e.g. the
wfStrencode() wrapper function).

-- brion vibber (brion @ pobox.com)
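
An added example, not part of the original message and not MediaWiki's own code: the quoted INSERT run three ways against an in-memory SQLite database through PDO, which is an assumption standing in for the wiki's MySQL connection, with PDO::quote() playing the role the message gives wfStrencode(). The bound-parameter variant goes beyond what the message suggests; the function names and search terms are constructed for illustration.

```php
<?php
// In-memory SQLite via PDO stands in for the wiki's MySQL database (assumption).
// Table and column names (wsearch, usersearch) come from the quoted line;
// function names and sample terms below are constructed for illustration.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE wsearch (usersearch TEXT)');

// Constructed search terms; the second contains a single quote.
$terms = ["main page", "O'Reilly books"];

// 1. Concatenation, as in the quoted line: a quote in the input ends the
//    SQL string literal early, so the rest is parsed as SQL, not as data.
function logUnsafe(PDO $db, string $term): bool {
    try {
        $db->exec("INSERT INTO wsearch (usersearch) VALUES ('" . $term . "')");
        return true;
    } catch (PDOException $e) {
        return false; // the statement no longer parses
    }
}

// 2. Escaping function: PDO::quote() escapes the value and adds the quotes.
function logEscaped(PDO $db, string $term): bool {
    $db->exec('INSERT INTO wsearch (usersearch) VALUES (' . $db->quote($term) . ')');
    return true;
}

// 3. Bound parameter: the value never becomes part of the SQL text.
function logBound(PDO $db, string $term): bool {
    $stmt = $db->prepare('INSERT INTO wsearch (usersearch) VALUES (?)');
    return $stmt->execute([$term]);
}

foreach ($terms as $t) {
    printf("%-16s unsafe=%s escaped=%s bound=%s\n", $t,
        var_export(logUnsafe($db, $t), true),
        var_export(logEscaped($db, $t), true),
        var_export(logBound($db, $t), true));
}

// List what was stored: in the escaped and bound inserts the quote
// survives as ordinary data inside the search term.
foreach ($db->query('SELECT usersearch FROM wsearch') as $row) {
    echo $row['usersearch'], "\n";
}
```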