I am almost positive I have properly protected myself against MySQL injection, but I would like someone who knows better than I do to tell me whether I actually am protected or whether it is only a facade. Thank you for your help.
[code=php]<?php
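// Search entry point: reads the 'query' parameter, validates it, opens the
// database connection and runs the LIKE search whose result ($numresults)
// the omitted code below consumes.
//
// NOTE(review): the mysql_* extension is deprecated (5.5) and gone in PHP 7;
// the long-term fix is mysqli/PDO with a prepared statement and a bound
// parameter instead of escape-and-concatenate.
include('include/constants.php');

// The key may be absent, so test for it instead of hiding the notice with '@'.
$var = isset($_GET['query']) ? $_GET['query'] : '';
$trimmed = trim($var); // trim whitespace from the submitted value

// Reject an empty search before touching the database.
if ($trimmed === '')
{
    include('s.php');
    echo '<p>Please enter a search...</p>';
    // The original line terminated the string at href=" ; use single quotes
    // so the HTML attribute quotes survive.
    echo '<p><a href="main.php">Home</a></p>';
    exit;
}

$connect = mysql_connect(DB_SERVER, DB_USER, DB_PASS);
if (!($connect)) // If no connect, error and exit().
{
    echo('<p>Unable to connect to the database server.</p>');
    exit();
}
if (!(mysql_select_db(DB_NAME, $connect))) // If the database can't be selected, error and exit().
{
    echo('<p>Unable to locate the database.</p>');
    exit();
}

// mysql_real_escape_string() escapes according to the connection's
// character set, so pin it explicitly rather than trusting the server
// default. Use whatever charset the projects table actually stores.
mysql_set_charset('utf8', $connect);

// Escape AFTER the connection is confirmed and on that link: without a
// live link the function fails (returns false), which would have turned
// the search term into an empty string on the failure path.
$query = mysql_real_escape_string($trimmed, $connect);
// '%' and '_' are LIKE wildcards and are not touched by the escaping
// above; escape them so a search for "%" cannot match every row.
$query = addcslashes($query, '%_');

// Paging values. Where $limit and $page come from is not visible here
// (register_globals or constants.php) -- treat them as untrusted, default
// them explicitly and force integers so nothing but a number can reach a
// LIMIT clause later on.
$limit = (isset($limit) && (int) $limit > 0) ? (int) $limit : 500; // Default results per-page.
$page = isset($page) ? max(0, (int) $page) : 0; // Default page value.

// The search term sits inside single quotes, which is the context
// mysql_real_escape_string() protects; never drop it into the SQL unquoted.
$numresults = mysql_query("SELECT * FROM projects WHERE projectassigned LIKE '%" . $query . "%' order by opclo DESC", $connect); // the query.
if ($numresults === false) // A failed query returns false; stop instead of handing false to the code below.
{
    echo('<p>Unable to run the search.</p>');
    exit();
}
// More code follows but is omitted for post length.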
?>