This question already has an answer here:
:)
I'm working on a server list website, but I have a problem about security with a searching bar. I would like to allow users to search servers from my website, so I did a searching bar. But when they are searching, servers are display by a system of pagination which works with affix. Some values affects a MySQL command to execute pagination. So I can't use prepare then bind_param because some param contains WHERE etc. But
To be more comprehensive, i show you the code:
if (isset($_GET['searchserver'])){
$searchserver = $_GET['searchserver'];
$truevalue = '%' . $searchserver . '%';
$this->where = "WHERE `name` LIKE '{$truevalue}' ";
}
So, it is working, but I want to check the variable $searchserver before adding it into my $this->where. I would like to know if i can check it, and if it does not contains something different than a server name. (A server name may have numbers and letters but not strange characters like ; : , .) Is it possible ? I can't use bind param..
Thank you for your time and sorry for my bad english !
</div>
Even though it doesn't make sense why you don't use pdo ,
you can add a bunch of sanity filtering to the input