In a search query, the values that end up in SQL statements are passed as:
search_field=Company%20Name&search_value=foo%20bar
It may be possible to place a harmful SQL statement directly into
search_field or search_value.
The main subroutine (used for index and search) is the only routine in the
script that allows the POST method.
Another possible SQL security hole is the passing of the id parameter, which
is always checked when the script starts. It would be wise to verify that
the variable matches /^\d+$/, or perhaps only accept an id on the GET
method.
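The two fixes implied above (binding search_value as a parameter, mapping search_field through an allowlist, and accepting only a digits-only id on GET), shown as an added example that is not the script's own code; the table, column names and in-memory sqlite database are assumptions:

```python
import re
import sqlite3
from urllib.parse import parse_qs

# Fixed allowlist mapping the user-visible search_field to a real column name.
# Column names cannot be bind parameters, so this lookup is what keeps
# search_field out of the SQL text. (Table and column names are assumptions.)
ALLOWED_SEARCH_FIELDS = {"Company Name": "company_name", "City": "city"}

# Equivalent of the report's /^\d+$/, but stricter: fullmatch rejects the trailing
# newline that Perl's $ tolerates, and re.ASCII stops \d matching Unicode digits.
ID_RE = re.compile(r"\d+", re.ASCII)


def open_sample_db():
    """Constructed in-memory table standing in for the script's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE companies (id INTEGER PRIMARY KEY, company_name TEXT, city TEXT)")
    conn.executemany("INSERT INTO companies VALUES (?, ?, ?)",
                     [(1, "foo bar", "Oslo"), (2, "baz", "Bergen")])
    return conn


def search(conn, search_field, search_value):
    """Run the search with search_value bound as a parameter, never interpolated."""
    column = ALLOWED_SEARCH_FIELDS.get(search_field)
    if column is None:
        raise ValueError("unknown search_field")
    sql = f"SELECT id, {column} FROM companies WHERE {column} = ?"  # column from allowlist only
    return conn.execute(sql, (search_value,)).fetchall()


def handle_search(conn, query_string):
    """Parse a query string like the one in the report and dispatch to search()."""
    params = parse_qs(query_string, keep_blank_values=True)
    field = params.get("search_field", [""])[0]
    value = params.get("search_value", [""])[0]
    return search(conn, field, value)


def lookup_by_id(conn, raw_id, method):
    """Accept id only on GET and only when it is decimal digits, then bind it."""
    if method != "GET":
        raise ValueError("id is only accepted on GET")
    if not ID_RE.fullmatch(raw_id):
        raise ValueError("id must be decimal digits only")
    return conn.execute("SELECT id, company_name FROM companies WHERE id = ?",
                        (int(raw_id),)).fetchone()
```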
Alon Goldberg