Search feature in a PHP games script - need help please.

[Domonetise]

I've put an arcade games script on one of my domains. I had to change the code site wide for the script to work. For example: from <?=$siteurl?> to <?php echo $siteurl;?> but i'm stuck with the search feature. For instance, instead of getting the description of the searched game, I get this piece of code displaying: ' . $row['description'] . '

I'm pretty sure it's something simple that someone with PHP experience could figure out, however, I am willing to put my hand in my pocket if the price is right.

The domain is *****. Search for a game, eg: snake, to see the result.

Below is the source code for the search.php file.

<?php

include("config.php");

include("global.php");
?>

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">

<head>

<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />

<title><?php echo $sitename;?></title>

<link rel="stylesheet" type="text/css" href="<?php echo $siteurl;?>style.css" />

</head>

<body>

<div id="header">
<div id="panic">
<a href="http://www.google.com"><img src="<?php echo $siteurl;?>/images/panic.png"
alt="<?php echo $sitename;?>" /></a>
</div>

<div id="logo">
<a href="<?php echo $siteurl;?>"><img src="<?php echo $siteurl;?>/images/logo.png"
alt="<?php echo $sitename;?>" /></a>
</div>
</div>

<div id="container"> <!-- coresponding </div> tag is missing -->
<div id="content"> <!-- coresponding </div> tag is missing -->
<div id="advertisement">
<?php echo $ads['header_ad'];?>
</div>

<?php include("sidebar.php");?>

<div id="right">

<!-- The original code that was above had to be changed on this page and site wide for
the script to work. For example:<?=$siteurl?> to <?php echo $siteurl;?>. I've managed to sort the rest
of the script, but I can't figure out this search feature -->

<!-- Code below needs fixed - this is the original code -->

<? if (isset($_GET['keyword'])) {

$keyword = clean_search($_GET['keyword']);

}

if(empty($keyword)) {

echo '<center>Search cannot be empty! please enter game ID or name to search for.</center>';

} else { ?>

<h2>Search Results for <?=$keyword?> </h2><br /><br />

<?



if(ctype_digit($keyword)) {

// We are searching by ID

$query = mysql_query("SELECT * FROM `games` WHERE `id` = '$keyword'");

} elseif(!ctype_digit($keyword)) {

// We are searching by Name or Desc



//$result = mysql_query("SELECT * FROM `games` WHERE `description` LIKE '%$keyword%' OR 'title' LIKE '%$keyword%'");

$query = mysql_query("SELECT * FROM games WHERE title LIKE '%$keyword%' OR description LIKE '%$keyword%' ORDER BY (CASE WHEN title LIKE '%$keyword%' THEN 1 ELSE 0 END) DESC limit 15");



}



if(mysql_num_rows($query) ==0) {

echo "<h2>Your search returned no results! <a href=\"index.php\">Try Again</a></h2>";

@mysql_close();

}



while($row = mysql_fetch_array($query)) {

echo '<table border="1" width="480" cellspacing="2" cellpadding="2" align="center">

<tr style="font-weight: bold;">

<td width="30" align="center">ID</td>

<td width="60" align="center">Thumbnail</td>

<td width="100" align="center">Title</td>

<td width="320" align="center">Description</td>

</tr>';

echo '<tr>

<td width="30" align="center">' . $row['id'] . '</td>

<td width="60" align="center"><a href="' . $siteurl . 'game/' . $row['id'] . '/"><img src="' . $row['thumbnail'] . '" style="height: 50px; width: 60px;" alt="' . $row['title'] . '" /></a></td>

<td width="100" align="center"></a> <strong><a href="' . $siteurl . 'game/' . $row['id'] . '/">' . $row['title'] . '</a></strong></td>

<td width="320" align="left">' . $row['description'] . '</td>

</tr>';

}

echo '</table><br /><div style="text-align:center;">';



}

echo '</div>';

include("footer.php");?>

 

[katherine]

I have two suggestions:

1. Change <? to <?php

I guess the short tags are not being parsed on your server.
Likewise, you had to replace <?=... ?> to <?php echo ... ?>

2. Your code is vulnerable to SQL injection, which mean you could get hacked.

Use mysql_real_escape_string or better yet parameterized queries.

Finally you should not output the DB fields directly, but use htmlspecialchars for example.
If you have data that contains characters like < or quotes, the HTML would be broken.

 

[Mr.Domains]

Did that do it? If not, PM me, I will fix it for you...

 

[Domonetise]

I have two suggestions:

1. Change <? to <?php

I guess the short tags are not being parsed on your server.
Likewise, you had to replace <?=... ?> to <?php echo ... ?>

2. Your code is vulnerable to SQL injection, which mean you could get hacked.

Use mysql_real_escape_string or better yet parameterized queries.

Finally you should not output the DB fields directly, but use htmlspecialchars for example.
If you have data that contains characters like < or quotes, the HTML would be broken.

Hi katherine,

Changing <? to <?php done the trick! I only had to change 2 tags, where as I had also been changing code such as:

( ' . $row['id'] . ' ) to ( ' . <?php echo $row['id'];?> . ' )

I'm jumping with joy!!

#2 I will have to research that to fully understand what to do to better that.

I could have got the guy that I bought the script from to install it, but my intention is to put a script on the domain and sell on, so I should have some knowledge of the script for the future buyer..

Thank you so much for taking the time to help me, it's much appreciated!

Jack

Did that do it? If not, PM me, I will fix it for you...

Hi Neil,

Yeh, that fixed it ok, I appreciate your offer to fix it, that was kind of you!

Jack

 

[Domonetise]

I have two suggestions:

1. Change <? to <?php

I guess the short tags are not being parsed on your server.
Likewise, you had to replace <?=... ?> to <?php echo ... ?>

2. Your code is vulnerable to SQL injection, which mean you could get hacked.

Use mysql_real_escape_string or better yet parameterized queries.

Finally you should not output the DB fields directly, but use htmlspecialchars for example.
If you have data that contains characters like < or quotes, the HTML would be broken.

I've been going through the site files and the code below is included in a file, global.php. Would this protect against the vulnarabilities that you mention above?

<?php

// Pull site settings from database



$settings = mysql_query("select * from settings") or die("Site is not installed");

$setting = mysql_fetch_array($settings);



$sitename = $setting['sitename'];

$slogan = $setting['slogan'];

$siteurl = $setting['siteurl'];



// Pull ads

$adquery = mysql_query("SELECT * FROM `ads`");

$ads = mysql_fetch_array($adquery);



function keyword($value) {

$value = str_replace(' ', ', ', $value);

return $value;

}



// String cleaning function, prevents mysql injection



function clean($value) {

$value = mysql_escape_string(strip_tags($value));

return $value;

}





function clean_search($value) {

$value = mysql_escape_string(strip_tags($value));

$value = preg_replace("/[^0-9a-z +]/i",'', $value);

$value = str_replace('www', 'wXw', $value);

$value = str_replace('http', 'hXXp', $value);

return $value;

}





function clean_comment($value) {

$value = mysql_escape_string(strip_tags($value));

//filter all non alphanumeric characters

// allows numbers, letters and spaces only

$value = preg_replace("/[^0-9a-z _-]/i",'', $value);

$value = str_replace('www', 'wXw', $value);

$value = str_replace('http', 'hXXp', $value);

return $value;

}

?>

 

[katherine]

I've been going through the site files and the code below is included in a file, global.php. Would this protect against the vulnarabilities that you mention above?

I haven't checked thoroughly but while the code is showing its age it's better than nothing.
The fact that special characters are stripped from the search string limits the possibilities for exploitation.

But it is also a form of straitjacket security when one is not too confident in the coding One should be able to put anything in the search field without breaking anything. The single quote in particular is dangerous, unless you properly escape special characters or use parameterized queries.

 

[Mark Talbot]

katherine, I like how you think !

:hail:

 

[Domonetise]

I haven't checked thoroughly but while the code is showing its age it's better than nothing.
The fact that special characters are stripped from the search string limits the possibilities for exploitation.

But it is also a form of straitjacket security when one is not too confident in the coding One should be able to put anything in the search field without breaking anything. The single quote in particular is dangerous, unless you properly escape special characters or use parameterized queries.

Thanks katherine, I'm beginning to understand now the importance of properly escaping special characters. 'It's all starting to make sense now' yeh? I've found a few sites that go into detail, so I guess that'll keep me busy for a while, but don't quote me on that!