views: 46

answers: 2

This is an odd question. I have a friend who is working on an application. There is a table with 4 fields that holds a word and a definition among some other things. On a website there is a textbox in which a user can enter a string and the database is queried and looks for similar content while the string is being entered in the box. (A live search sort of thing).

Is there a security risk if whatever is being written is not actually being submitted like your regular site search? How would you validate the content at this time using regular expressions or the like?

As far as I know it's being written in PHP and JavaScript. Would you just have the JavaScript validate before querying? Or is it even necessary?

Thanks in advance! : )

+2  A: 

There is always an inherent risk of malicious user input in regards to database queries. Take a quick look at this quick SQL Injection Wikipedia entry to familiarize yourself with the topic.

If you're paranoid, you could whitelist characters in PHP using preg_replace() to remove any non-matching characters prior to querying.

You should, with few exceptions, be using mysql_real_escape_string() on any and all user supplied variables being used in the query. Exceptions include decimal values which you can typecast using (int), (float), etc.

As long as you aren't using JavaScript to display the search text elsewhere on the page after submission of the input text, you shouldn't need to do anything in regards to cross-site scripting (XSS) prevention.

cballou
Thanks for the answer!
bob
PDOStatement > PDO::quote > mysql_real_escape_string
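An added example (not code from the question or from either answer) of the live-search endpoint this answer and the PDO comment describe: the injectable string-concatenation form next to a hardened PDO prepared-statement form. It assumes a hypothetical table `glossary(word, definition)` and an already-open `$pdo` connection.

```php
<?php
// Added example, not from the original thread. Assumes a hypothetical
// table glossary(word, definition) and a PDO connection in $pdo.

// VULNERABLE: the partial string typed into the box is pasted into the SQL.
// Every keystroke is a normal HTTP request, so it is injectable exactly like
// a submitted search form; "not submitted" does not mean "not sent".
function suggest_vulnerable(PDO $pdo, string $q): array
{
    $sql = "SELECT word, definition FROM glossary WHERE word LIKE '" . $q . "%' LIMIT 10";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// HARDENED: the user text travels as a bound parameter and can never change
// the query structure. LIKE metacharacters are escaped too, so a user typing
// "%" or "_" cannot turn a prefix search into a match-everything scan.
function suggest_safe(PDO $pdo, string $q): array
{
    $q = mb_substr($q, 0, 64);                                      // bound the length
    $escaped = str_replace(['!', '%', '_'], ['!!', '!%', '!_'], $q); // LIKE escaping
    $stmt = $pdo->prepare(
        "SELECT word, definition FROM glossary
         WHERE word LIKE :prefix ESCAPE '!' LIMIT 10"
    );
    $stmt->execute([':prefix' => $escaped . '%']);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Output side: the result goes back to the page's JavaScript, which renders it.
// If that JavaScript injects the text as HTML, escape it here (the XSS point
// raised in the answer); if it uses textContent, the escaping is harmless.
function render_suggestions(array $rows): string
{
    $safe = array_map(fn(array $r) => [
        'word'       => htmlspecialchars($r['word'], ENT_QUOTES, 'UTF-8'),
        'definition' => htmlspecialchars($r['definition'], ENT_QUOTES, 'UTF-8'),
    ], $rows);
    return json_encode($safe, JSON_THROW_ON_ERROR);
}

header('Content-Type: application/json');
echo render_suggestions(suggest_safe($pdo, (string) ($_GET['q'] ?? '')));
```

The client-side validation the question asks about is optional for usability; only the server-side binding above is a security control, since the browser's JavaScript can be bypassed by anyone sending the request directly.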
+1  A: 

From what I gather, you're talking about the autocomplete pattern.

For web applications, this is most commonly achieved with AJAX. And since AJAX is just out-of-turn HTTP messaging, the data sent with AJAX requests is subject to all the same pitfalls and security holes that the content of any other HTTP request is - SQL Injection, packet sniffing, etc.

So yes, you definitely want to apply the appropriate security measures on the backend.

Does that answer your question?

Peter Bailey
I think he's vaguely aware that there are security risks, but his question also included how to address those risks
Justin Johnson
Thanks for the link, and this answer helped as well!
bob