
Is this code safe (from SQL injection and others)? [closed]

开发者 https://www.devze.com 2023-03-01 13:54 Source: web
Closed. This question is not reproducible or was caused by typos. It is not currently accepting answers.

This question was caused by a typo or a problem that can no longer be reproduced. While similar questions may be on-topic here, this one was resolved in a way less likely to help future readers.

Closed 8 years ago.

<?php
    // database connection parameters
    $server   = 'mysql.hoster.ru';
    $login    = 'usershop';
    $password = 'pass';
    $database = 'user_shop';

    // connect to the database
    $conn = mysql_connect($server, $login, $password) or die('Can not connect to SQL server');
    mysql_select_db($database);
    $q = mysql_real_escape_string($_POST['q']);

    // set the server character set
    mysql_query('SET character_set_database = utf8');
    mysql_query('SET NAMES utf8');
    // INNER JOIN query
    $sql = "SELECT prod.name_ru, prod.Price, pic.thumbnail, prod.slug FROM SC_products prod INNER JOIN SC_product_pictures pic ON prod.default_picture = pic.photoID WHERE prod.name_ru LIKE '%".$q."%' LIMIT 10";
    if(isset($_POST['q'])) {
        $query = mysql_query($sql, $conn);
        if ($query) {
            // look up the currency rate
            $price = mysql_query('SELECT currency_value FROM SC_currency_types WHERE CID = 3', $conn);
            while ($crow = mysql_fetch_array($price, MYSQL_ASSOC)) {
                $currency = $crow['currency_value'];
            }
?>
            <?php print '<span class="search">'.$q.'</span><br>'; ?>
            <table class="listTable">
<?php
            while ($row = mysql_fetch_array($query, MYSQL_ASSOC)) {
?>
                <tr>
                    <!-- product photo -->
                    <td>
                        <div>
                            <a class="searchLink" href="http://www.site.org/product/<?php echo $row['slug']; ?>/">
                                <img width="80" src="http://www.site.org/published/publicdata/Z114290SHOP/attachments/SC/products_pictures/<?php echo $row['thumbnail'] ?>">
                            </a>
                        </div>
                    </td>

                    <!-- product name -->
                    <td>
                        <div>
                            <a class="searchLink" href="http://www.site.org/product/<?php echo $row['slug']; ?>/">
                            <?php 
                                $str = $row['name_ru'];
                                $hstr = str_replace($q, '<span class="hl">'.$q.'</span>', $str);
                                echo $hstr;
                            ?>
                            </a>
                        </div>
                    </td>

                    <td>
                        <div onclick="fill('<?php echo $row['name_ru']; ?>');">
                            <?php echo '<span class="value">'.round($row['Price']*$currency, 2).'&nbsp;руб.</span>'; ?>
                        </div>
                    </td>
                </tr>
<?php
            }
?>
            </table>
<?php
        }
    } else {
        echo 'Nothing';
    }
    mysql_close($conn);
?>


Although I agree with what teresko said, I will answer the question about the provided script.

The only user input incorporated in the SQL statement is $q, which is escaped using the correct function (mysql_real_escape_string).

There is a possible ambiguity: if register_globals is enabled, $q can potentially mean two different things: the one in $_POST, or the one declared below. I would rename $q to $q2 or another name just to clear this ambiguity.

But other than that, the script looks safe against SQL injection unless there's a new vulnerability I've never heard of.

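The answer above covers SQL injection, but the question also asks about "others". Two things the posted script does not handle are worth seeing in code: the LIKE wildcards `%` and `_` pass straight through mysql_real_escape_string (a search for `%` matches every row), and `$q` plus every database column are printed into HTML and into an inline `onclick` without escaping, so a product name or search term containing markup is rendered as markup (stored or reflected XSS). The following hardened rewrite is an added example and is not the question's code or any answer's. It keeps the original query shape and table names but assumes PDO prepared statements, an in-memory SQLite database with constructed rows so it runs offline (against MySQL only the DSN and the currency lookup change), a constructed currency rate, and the helper names escapeLike, h, highlight, searchProducts and renderRow, which are my own.

```php
<?php
// Added example: hardened version of the product search. Not the original
// poster's code. Assumes PDO; runs offline on SQLite with constructed rows.
declare(strict_types=1);

// Escape the characters that are special inside a LIKE pattern. Prepared
// statements and mysql_real_escape_string do not touch them, so a term of "%"
// would otherwise match every row. "!" is declared as the escape character in
// the query's ESCAPE clause (portable between MySQL and SQLite).
function escapeLike(string $term): string
{
    return str_replace(['!', '%', '_'], ['!!', '!%', '!_'], $term);
}

// HTML-escape for text and attribute contexts (ENT_QUOTES covers both quote kinds).
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Highlight the term in a product name. Each fragment is escaped before the
// <span> markup is added, so neither the name nor the term can inject HTML
// (the original str_replace wrapped the raw term in raw name text).
function highlight(string $name, string $term): string
{
    if ($term === '') {
        return h($name);
    }
    $parts = preg_split('/(' . preg_quote($term, '/') . ')/iu', $name, -1, PREG_SPLIT_DELIM_CAPTURE);
    $out = '';
    foreach ($parts as $i => $part) {
        $out .= ($i % 2 === 1) ? '<span class="hl">' . h($part) . '</span>' : h($part);
    }
    return $out;
}

// Parameterised form of the original INNER JOIN query.
function searchProducts(PDO $db, string $term, int $limit = 10): array
{
    $sql = 'SELECT prod.name_ru, prod.Price, pic.thumbnail, prod.slug
            FROM SC_products prod
            INNER JOIN SC_product_pictures pic ON prod.default_picture = pic.photoID
            WHERE prod.name_ru LIKE :pattern ESCAPE \'!\'
            LIMIT :limit';
    $stmt = $db->prepare($sql);
    $stmt->bindValue(':pattern', '%' . escapeLike($term) . '%', PDO::PARAM_STR);
    $stmt->bindValue(':limit', $limit, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Render one result row. Every dynamic value is escaped for its context; the
// name for the click handler goes into a data attribute (read from JS via
// dataset) instead of being spliced into an inline onclick="fill('...')".
// The URL prefixes are assumptions, not the original site's real paths.
function renderRow(array $row, string $term, float $currency): string
{
    $slug  = rawurlencode((string) $row['slug']);
    $thumb = rawurlencode((string) $row['thumbnail']);
    $price = number_format(round((float) $row['Price'] * $currency, 2), 2, '.', '');
    return '<tr>'
        . '<td><a class="searchLink" href="/product/' . $slug . '/">'
        . '<img width="80" src="/published/products_pictures/' . $thumb . '"></a></td>'
        . '<td><a class="searchLink" href="/product/' . $slug . '/">'
        . highlight((string) $row['name_ru'], $term) . '</a></td>'
        . '<td><div class="fillable" data-name="' . h((string) $row['name_ru']) . '">'
        . '<span class="value">' . h($price) . '&nbsp;руб.</span></div></td>'
        . '</tr>';
}

// Constructed demo data on SQLite; the original uses MySQL (mysql: DSN).
$db = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);
$db->exec('CREATE TABLE SC_products (name_ru TEXT, Price REAL, slug TEXT, default_picture INTEGER)');
$db->exec('CREATE TABLE SC_product_pictures (photoID INTEGER, thumbnail TEXT)');
$db->exec("INSERT INTO SC_product_pictures VALUES (1, 'a.jpg'), (2, 'b.jpg'), (3, 'c.jpg')");
$db->exec("INSERT INTO SC_products VALUES
    ('Кабель 100% медь', 10.0, 'cable-cu', 1),
    ('Провод 1000 м', 5.5, 'wire-1000', 2),
    ('<b>Лампа</b> USB', 2.0, 'lamp-usb', 3)");

$term     = $_POST['q'] ?? '100%';  // user input; constructed fallback when run offline
$currency = 90.0;                   // constructed; the original reads SC_currency_types WHERE CID = 3

echo '<span class="search">' . h($term) . '</span><br>' . "\n";
echo '<table class="listTable">' . "\n";
foreach (searchProducts($db, $term) as $row) {
    echo renderRow($row, $term, $currency), "\n";
}
echo '</table>' . "\n";
```

Run with the default term `100%`: because the `%` is escaped, only the row whose name contains the literal text "100%" is returned, whereas the original pattern `%100%%` would also return "Провод 1000 м". The third row shows the output side: its stored `<b>` tags come out as `&lt;b&gt;` instead of being rendered, which is exactly what the original `echo $row['name_ru']` and `str_replace` highlight would not have prevented.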