I have a search function on my website which is hooked up with PHP PDO MySQL.
To count the results for pagination, I'm doing a query such as this:
SELECT count(*) FROM articles WHERE (`title` LIKE ? OR MATCH(`text`) AGAINST(? IN BOOLEAN MODE)) AND `active` = 1
However, it appears that someone is trying SQL Injection (i assume), entering in a search term like this:
Which appears to end up entirely breaking my query. It's using prepared statements as you can see with the ?'s, so I'm not sure why it's causing this error to happen:
SQL ERROR SQLSTATE: Syntax error or access violation: 1064 syntax error, unexpected '-'
Doing nothing fancy, the usual PDO stuff like:
$this->stmt = $this->prepare($sql); $this->stmt->execute($data);
The full query basically ends up like this:
SELECT count(*) FROM articles WHERE (`title` LIKE %1"'`--% OR MATCH(`text`) AGAINST("+1"'`--" IN BOOLEAN MODE)) AND `active` = 1
What's the best way to protect against something like this?