Simple search hack problems
I'm using this line in searchengine.php

mysql_query("INSERT INTO wsearch (usersearch) VALUES ('".$_REQUEST['search']."')") or die(mysql_error());

However, I'm confused as to where to put it; either I get just search queries and not the "go"s, or I get a No Database Selected error.

-Moonlight Embrace
Re: Simple search hack problems
On Sep 24, 2004, at 1:08 PM, Moonlight Embrace wrote:
> I'm using this line in searchengine.php
>
> mysql_query("INSERT INTO wsearch (usersearch) VALUES
> ('".$_REQUEST['search']."')") or die(mysql_error());
>
> However, I'm confused as to where to put it; either I get just search
> queries and not the "go"s, or I get a No Database Selected error.

Rather than mysql_query directly, try the wfQuery() wrapper function;
this will make sure the database connection is set up before sending
the query.

Also, as written you're open to SQL injection attacks. Never stick
strings directly into SQL; wrap them in an escaping function (e.g. the
wfStrencode() wrapper function).

-- brion vibber (brion @ pobox.com)
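
The point made in the reply above, shown as an added example that is not part of the original thread and is not MediaWiki code: the concatenated INSERT from the question next to an escaped and a parameter-bound version. It assumes PHP with the pdo_sqlite extension; PDO::quote() stands in for an escaping wrapper such as wfStrencode(), and the logger function names and sample inputs are constructed for illustration.

```php
<?php
// Added example, not MediaWiki code. PDO with in-memory SQLite stands in for
// the wiki's MySQL connection (assumption) so the script runs on its own.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE wsearch (usersearch TEXT)');

// Same shape as the line in the question: input pasted into the SQL text.
function logConcatenated(PDO $db, $term) {
    $db->exec("INSERT INTO wsearch (usersearch) VALUES ('" . $term . "')");
}

// Escaping, as the reply advises: PDO::quote() plays the role of an
// escaping wrapper here and also adds the surrounding quotes.
function logEscaped(PDO $db, $term) {
    $db->exec('INSERT INTO wsearch (usersearch) VALUES (' . $db->quote($term) . ')');
}

// Bound parameter: the value never becomes part of the SQL text.
function logPrepared(PDO $db, $term) {
    $stmt = $db->prepare('INSERT INTO wsearch (usersearch) VALUES (?)');
    $stmt->execute(array($term));
}

// Constructed inputs: a plain term, one with an apostrophe, and one whose
// quote ends the string literal early and changes the statement.
$inputs = array('main page', "O'Reilly", "a'), ('b");

foreach (array('logConcatenated', 'logEscaped', 'logPrepared') as $logger) {
    $db->exec('DELETE FROM wsearch');
    foreach ($inputs as $term) {
        try {
            $logger($db, $term);
        } catch (PDOException $e) {
            echo "$logger: query failed for [$term]\n";
        }
    }
    // Compare what was stored with what was submitted.
    $rows = $db->query('SELECT usersearch FROM wsearch')->fetchAll(PDO::FETCH_COLUMN);
    echo "$logger: " . count($inputs) . ' inputs -> ' . count($rows) . " rows\n";
    foreach ($rows as $row) {
        echo "    [$row]\n";
    }
}
```

With concatenation the apostrophe input fails as a syntax error and the last input is stored as two rows the user never typed as such; the escaped and bound versions store all three inputs verbatim.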