Is my code vulnerable to SQL Injection with this LIKE clause?

I'm doing a live search with jQuery and PHP but I'm not sure if my query is vulnerable to SQL injection.

The data is posted into a PHP file while typing characters with the help of jQuery.

$searchData = $_POST['searchData']; 

$searchResult = mysql_query("SELECT * FROM songs WHERE songname LIKE '$searchData%' "); 

echo $searchResult;

Is this 开发者_如何学运维vulnerable to SQL injection?

Yes, consider if $searchData is:

Robert'); DROP TABLE songs; --

use mysql_real_escape_string($_POST['searchData']), or [PDO] instead mysql_*

If $searchData isn't being escaped anywhere, then yes, it's vulnerable.

Anytime you are taking user input and putting into a query, you should pass it through mysql_real_escape_string. Better safe than sorry.

Since you can use tools to manipulate sent $_POST data, yes, it is dangerous.

Either you escape it or use php data objects (PDO) which doesn't need ANY escaping and is what you should use anyway in this time.

Yes, it is vulnerable. But other responders failed to note that along with the normal escaping (like mysql_real_escape_string()) you also need to escape the % character for LIKE clause!

mysql_real_escape_string(addcslashes($str, "%_"))

The trick to grasp here is that there is nothing like "universal quoting". When quoting, you always quote text for some particular output, like:

1. string value for mysql query
2. like expression for mysql query
3. html code
4. json
5. mysql regular expression
6. php regular expression

For each case, you need different quoting, because each usage is present within different syntax context. This also implies that the quoting shouldn't be made at the input into PHP, but at the particular output! Which is the reason why features like magic_quotes_gpc are broken (never forget to handle it, or better, assure it is switched off!!!).

So, what methods would one use for quoting in these particular cases? (Feel free to correct me, there might be more modern methods, but these are working for me)

1. mysql_real_escape_string($str)
2. mysql_real_escape_string(addcslashes($str, "%_"))
3. htmlspecialchars($str)
4. json_encode() - only for utf8! I use my function for iso-8859-2
5. mysql_real_escape_string(addcslashes($str, '^.[]$()|*+?{}')) - you cannot use preg_quote in this case because backslash would be escaped two times!
6. preg_quote()

Yes You can use this :

$searchData = addslashes( $_POST['searchData'] );