1Unreal
07-11-2009, 03:11 AM
I'm making an ajax autocomplete search and I want to make sure the server side is safe.
Is there anything wrong with this?
<?php
// ####################### SET PHP ENVIRONMENT ###########################
error_reporting(E_ALL & ~ E_NOTICE);
// #################### DEFINE IMPORTANT CONSTANTS #######################
define('THIS_SCRIPT', 'ajax_search');
define('CSRF_PROTECTION', true);
define('LOCATION_BYPASS', 1);
define('NOPMPOPUP', 1);
// ################### PRE-CACHE TEMPLATES AND DATA ######################
// get special phrase groups
$phrasegroups = array();
// get special data templates from the datastore
$specialtemplates = array();
// pre-cache templates used by all actions
$globaltemplates = array();
// ######################### REQUIRE BACK-END ############################
require_once ('./global.php');
$vbulletin->input->clean_gpc('r', 'q', TYPE_STR);
$query = $_REQUEST['q'];
if(strlen($query) >= 3){
$results = $vbulletin->db->query_read("SELECT `query` FROM `search` WHERE `query` LIKE '$query%' LIMIT 1");
$result = $vbulletin->db->fetch_array($results);
echo $result[query];
}
?>
Is there anything wrong with this?
<?php
// ####################### SET PHP ENVIRONMENT ###########################
error_reporting(E_ALL & ~ E_NOTICE);
// #################### DEFINE IMPORTANT CONSTANTS #######################
define('THIS_SCRIPT', 'ajax_search');
define('CSRF_PROTECTION', true);
define('LOCATION_BYPASS', 1);
define('NOPMPOPUP', 1);
// ################### PRE-CACHE TEMPLATES AND DATA ######################
// get special phrase groups
$phrasegroups = array();
// get special data templates from the datastore
$specialtemplates = array();
// pre-cache templates used by all actions
$globaltemplates = array();
// ######################### REQUIRE BACK-END ############################
require_once ('./global.php');
$vbulletin->input->clean_gpc('r', 'q', TYPE_STR);
$query = $_REQUEST['q'];
if(strlen($query) >= 3){
$results = $vbulletin->db->query_read("SELECT `query` FROM `search` WHERE `query` LIKE '$query%' LIMIT 1");
$result = $vbulletin->db->fetch_array($results);
echo $result[query];
}
?>