I'm new here. I already know that this question will be rather unspecific, but I can't seem to find a good result googling. If it turns out that this question has been asked before, please just link me to it.
I have a search function and I'm trying to secure it from any meddling (SQL injections/XSS, etc.).
My search function does the following:
Upon pressing the "search" button it removes quotes and apostrophes:
$(document).on('click', '#event-search-button', function(event){
    // For each field, replace every double or single quote with a backslash
    var search     = $(".search-events").val().replace(/([\"\'])/g, '\\');
    var from_date  = $("#date-from").val().replace(/([\"\'])/g, '\\');
    var to_date    = $("#date-to").val().replace(/([\"\'])/g, '\\');
    var event_type = $("#typfilter").val().replace(/([\"\'])/g, '\\');
    // ... the four values are then POSTed to the PHP file via AJAX
});
Then I send the data to a PHP file with AJAX, and in said file I wrap htmlspecialchars() around the variables:
<?php
// Values arrive from the AJAX POST and are passed through htmlspecialchars()
$search     = htmlspecialchars($_POST['search']);
$from_date  = htmlspecialchars($_POST['from_date']);
$to_date    = htmlspecialchars($_POST['to_date']);
$event_type = htmlspecialchars($_POST['event_type']);
Now I assume I'm safe from most meddling, but it turns out that there's at least 1 (probably more) thing that the user can still do to mess with my SQL.
If the user types in % he will get a listing of all results. While pretty harmless, it's still annoying.
Is there a plugin or something else that acts as an "all-rounder" for such cases and removes all chars that could be damaging? I am aware of PDO, but I am way too deep into this project to revamp all of my queries.
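As an added example (not the asker's code), here is what the same search looks like when the values are bound as PDO parameters instead of being escaped on the client, with the LIKE wildcards % and _ escaped so that a lone % matches only a literal percent sign, and htmlspecialchars() applied at output time rather than before the query. It assumes a table named events with columns title, event_type and event_date, and uses an in-memory SQLite database so it runs stand-alone; the SQL itself is the same on MySQL.

```php
<?php
// Added example, not the asker's code. Assumed schema: events(title, event_type, event_date).
// Runs against an in-memory SQLite database so it can be executed stand-alone.

// Escape the LIKE wildcards so that user input is matched literally.
function escapeLike(string $value, string $esc = '!'): string
{
    // The escape character itself is doubled first, then % and _ are prefixed with it.
    return str_replace(
        [$esc, '%', '_'],
        [$esc . $esc, $esc . '%', $esc . '_'],
        $value
    );
}

function searchEvents(PDO $pdo, string $search, string $fromDate, string $toDate, string $eventType): array
{
    // Every user-supplied value is bound as a parameter; none is spliced into the SQL text.
    $sql = "SELECT title, event_type, event_date
            FROM events
            WHERE title LIKE :search ESCAPE '!'
              AND event_date BETWEEN :from_date AND :to_date
              AND event_type = :event_type
            ORDER BY event_date";
    $stmt = $pdo->prepare($sql);
    $stmt->execute([
        ':search'     => '%' . escapeLike($search) . '%',
        ':from_date'  => $fromDate,
        ':to_date'    => $toDate,
        ':event_type' => $eventType,
    ]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

function buildSampleDb(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE events (title TEXT, event_type TEXT, event_date TEXT)');
    $insert = $pdo->prepare('INSERT INTO events (title, event_type, event_date) VALUES (?, ?, ?)');
    // Constructed sample rows for the demonstration.
    foreach ([
        ['Spring meetup',        'meetup', '2024-03-10'],
        ['100% remote workshop', 'talk',   '2024-05-02'],
        ["O'Reilly book club",   'talk',   '2024-06-15'],
        ['Summer picnic',        'social', '2024-07-20'],
    ] as $row) {
        $insert->execute($row);
    }
    return $pdo;
}

$pdo = buildSampleDb();

// A lone '%' now matches only titles containing a literal percent sign (one row, not all of them).
print_r(searchEvents($pdo, '%', '2024-01-01', '2024-12-31', 'talk'));

// A quote in the input is ordinary data for a bound parameter; no client-side stripping is needed.
print_r(searchEvents($pdo, "O'Reilly", '2024-01-01', '2024-12-31', 'talk'));

// HTML escaping belongs where a value is written into the page, not before the query.
foreach (searchEvents($pdo, 'meetup', '2024-01-01', '2024-12-31', 'meetup') as $row) {
    echo '<li>' . htmlspecialchars($row['title'], ENT_QUOTES, 'UTF-8') . "</li>\n";
}
```

Prepared statements can be introduced one query at a time, so the existing queries do not all have to be rewritten at once; the LIKE escaping is the only extra step a search field needs on top of parameter binding.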