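<?php
/**
 * MODX snippet: list the pagetitles of resources under parent 2 whose
 * pagetitle matches the posted surname and whose content matches the
 * posted speciality and keyword. Returns the HTML fragment to the caller.
 *
 * $modx is the xPDO connection supplied by the snippet runtime.
 *
 * The three search terms are bound as prepared-statement parameters rather
 * than interpolated into the SQL string: strip_tags only removes markup and
 * is not SQL escaping, and mysql_real_escape_string needs an open mysql_*
 * connection that MODX (PDO-based) never opens, so it fails and returns
 * false -- turning every filter into LIKE '%%'.
 */
$fields = array('surname', 'speciality', 'keyword');
$terms = array();
foreach ($fields as $field) {
    // Missing fields become '' (match everything), as the original did.
    $value = isset($_POST[$field]) ? strip_tags((string) $_POST[$field]) : '';
    // Escape LIKE metacharacters so a typed '%' or '_' matches literally
    // (backslash is MySQL's default LIKE escape character).
    $terms[':' . $field] = '%' . addcslashes($value, '%_\\') . '%';
}

$output = '';
$sql = 'SELECT pagetitle FROM modx_site_content'
    . ' WHERE parent = 2'
    . ' AND pagetitle LIKE :surname'
    . ' AND content LIKE :speciality'
    . ' AND content LIKE :keyword';
$stmt = $modx->prepare($sql);
if ($stmt && $stmt->execute($terms)) {
    while ($row = $stmt->fetch(PDO::FETCH_ASSOC)) {
        // pagetitle is emitted as stored; the original snippet did the same.
        $output .= $row['pagetitle'] . '<br/>';
    }
}
return $output;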
/**
 * Scrub the request superglobals with the configured sanitizePatterns.
 *
 * GET, COOKIE and REQUEST are always filtered with the patterns. POST is
 * filtered with them only when the allow_tags_in_post option (default on)
 * is off; otherwise modX::sanitize is called on POST without the patterns
 * argument. The parameter named by request_param_alias (default 'q') is
 * additionally reduced to the characters A-Z, a-z, 0-9, '_', '-', '.', '/'.
 */
public function sanitizeRequest() {
    $patterns = array_values($this->modx->sanitizePatterns);

    modX::sanitize($_GET, $patterns);
    $allowPostTags = $this->modx->getOption('allow_tags_in_post', null, true);
    if ($allowPostTags) {
        // Tags permitted in POST: run sanitize without the pattern list.
        modX::sanitize($_POST);
    } else {
        modX::sanitize($_POST, $patterns);
    }
    modX::sanitize($_COOKIE, $patterns);
    modX::sanitize($_REQUEST, $patterns);

    // NOTE(review): the alias parameter presumably names a resource, so
    // anything outside a conservative path-safe character set is dropped.
    $aliasParam = $this->modx->getOption('request_param_alias', null, 'q');
    if (isset($_GET[$aliasParam])) {
        $_GET[$aliasParam] = preg_replace('/[^A-Za-z0-9_\-\.\/]/', '', $_GET[$aliasParam]);
    }
}
// Run every POST value through MODX's sanitizeString before the snippet
// reads it; keys are preserved, values replaced in place.
foreach (array_keys($_POST) as $key) {
    $_POST[$key] = $modx->sanitizeString($_POST[$key]);
}
Two things come to mind:
- if you are only going to be using pagetitle then you could "SELECT pagetitle FROM..." (a very minor thing)
- if each of the search criteria is a manageable list (i.e. not hundreds of possible values), it may be worthwhile to build your search criteria as drop-downs and populate them with the list of values from the database. That way you give the users a better experience, and you can replace the LIKEs with =.
Ok. Three things, then: put your output in a chunk and use $modx->getChunk().
This function is called on every request, so it may not be necessary to sanitize the POST values again yourself (though it can't hurt):
/**
 * Scrub the request superglobals with the configured sanitizePatterns.
 *
 * GET, COOKIE and REQUEST are always filtered with the patterns. POST is
 * filtered with them only when the allow_tags_in_post option (default on)
 * is off; otherwise modX::sanitize is called on POST without the patterns
 * argument. The parameter named by request_param_alias (default 'q') is
 * additionally reduced to the characters A-Z, a-z, 0-9, '_', '-', '.', '/'.
 */
public function sanitizeRequest() {
    $patterns = array_values($this->modx->sanitizePatterns);

    modX::sanitize($_GET, $patterns);
    $allowPostTags = $this->modx->getOption('allow_tags_in_post', null, true);
    if ($allowPostTags) {
        // Tags permitted in POST: run sanitize without the pattern list.
        modX::sanitize($_POST);
    } else {
        modX::sanitize($_POST, $patterns);
    }
    modX::sanitize($_COOKIE, $patterns);
    modX::sanitize($_REQUEST, $patterns);

    // NOTE(review): the alias parameter presumably names a resource, so
    // anything outside a conservative path-safe character set is dropped.
    $aliasParam = $this->modx->getOption('request_param_alias', null, 'q');
    if (isset($_GET[$aliasParam])) {
        $_GET[$aliasParam] = preg_replace('/[^A-Za-z0-9_\-\.\/]/', '', $_GET[$aliasParam]);
    }
}
If you want to do it yourself, it's easier (and maybe safer) to just do this at the top:
// Run every POST value through MODX's sanitizeString before the snippet
// reads it; keys are preserved, values replaced in place.
foreach (array_keys($_POST) as $key) {
    $_POST[$key] = $modx->sanitizeString($_POST[$key]);
}