これでSQLインジェクション対策できてますか??
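// Base query. SQL_CALC_FOUND_ROWS makes the FOUND_ROWS() call further down
// return the unpaginated match count for this same statement.
$search_query = "select SQL_CALC_FOUND_ROWS * from king";

// Untrusted input: default to '' when the parameter is absent so that
// mysql_real_escape_string() never receives null and no notice is emitted.
// NOTE(review): mysql_real_escape_string() is only effective when the
// connection already exists and its charset was set with mysql_set_charset()
// (not via SET NAMES), because the escaping is charset-aware; the connection
// is opened outside this snippet — confirm. ext/mysql is removed as of PHP 7;
// mysqli/PDO prepared statements are the supported replacement.
$raw_search = isset($_GET['usersearch']) ? (string) $_GET['usersearch'] : '';
$usersearch = mysql_real_escape_string($raw_search);

// Normalise Japanese separators to a single ASCII space before splitting.
// Bug fix: the original read $clean_search before assigning it and then
// overwrote the normalised value with the raw $usersearch, so the '、'
// replacement was silently lost.
// NOTE(review): the second needle is presumably a full-width (U+3000) space
// in the original source — verify against the file encoding.
$clean_search = str_replace('、', ' ', $usersearch);
$clean_search = str_replace(' ', ' ', $clean_search);
$search_words = explode(' ', $clean_search);

// Drop empty tokens produced by consecutive separators. Same semantics as the
// original !empty() check: the token "0" is dropped as well.
$final_search_words = array_values(array_filter($search_words));

// Build one LIKE predicate per keyword, AND-ed together.
// Bug fix: '%' and '_' are not touched by mysql_real_escape_string(), so a
// user typing them would get wildcard matching; addcslashes() turns them into
// the literal "\%" / "\_" sequences that LIKE treats as plain characters.
$where_list = array();
foreach ($final_search_words as $word) {
    $like_word = addcslashes($word, '%_');
    $where_list[] = "syou LIKE '%{$like_word}%'";
}
$where_clause = implode(' AND ', $where_list);

// Add the keyword WHERE clause to the search query (omitted when no keywords).
if (!empty($where_clause)) {
    $search_query .= " WHERE $where_clause";
}

// Pagination: pid is cast to int (so it can never inject) and clamped to >= 1.
$per_page = 10;
$pid = isset($_GET['pid']) ? intval($_GET['pid']) : 1;
$pid = max(1, $pid);
$limit_start_rows = ($pid - 1) * $per_page;
$search_query .= " LIMIT {$limit_start_rows}, {$per_page}";

$result = mysql_query($search_query);

// Total match count for the message. Guard the false return so that a failed
// query does not reach mysql_fetch_assoc() with a non-resource.
$num_rows = 0;
$num_rows_result = mysql_query("SELECT FOUND_ROWS()");
if ($num_rows_result !== false) {
    $count_row = mysql_fetch_assoc($num_rows_result);
    $num_rows = (int) $count_row['FOUND_ROWS()'];
}

// $num_rows is an int here, so the echoed message contains no user input.
if ($num_rows == 0) {
    $message = "該当データは見つかりませんでした。";
} else {
    $message = $num_rows . "件該当しました<br/>";
}
echo $message;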
while($row = mysql_fetch_array($result)
2行目でGETした文字をmysql_real_escape_string()で囲っただけですが大丈夫でしょうか。。