Possible SQL holes
Status: Beta
Brought to you by: elapsed
In a search query, the parameters that end up in the SQL statement are passed as:
search_field=Company%20Name&search_value=foo%20bar
It may be possible to place a harmful SQL statement directly into search_field or search_value.
The main subroutine (used for index and search) is the only routine in the script that allows the POST method.
Another possible SQL security hole is the passing of the id parameter, which is always checked when the script starts. It would be wise to check that the variable matches /^\d+$/, or perhaps to only allow an id on the GET method.
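As an added illustration (not the script's own code), here is how the two checks proposed above look in Python with sqlite3: the id is accepted only if it is all digits, search_field is mapped through an allowlist because a column name cannot be bound as a placeholder, and search_value travels as a bound parameter instead of being concatenated into the SQL text. The table, column names and sample rows are assumptions made for the example.

```python
import re
import sqlite3
from urllib.parse import parse_qs

# Allowlist: form display name -> real column (assumed names). A column name
# cannot be a bound parameter, so it must never be copied from the request
# into the SQL text; only values from this mapping reach the query.
ALLOWED_SEARCH_FIELDS = {
    "Company Name": "company_name",
    "City": "city",
}


def parse_id(raw):
    """Accept the id only if it is all digits (the /^\\d+$/ check from the
    report); fullmatch also rejects a trailing newline. Returns None otherwise."""
    if raw is None or re.fullmatch(r"\d+", raw) is None:
        return None
    return int(raw)


def search(conn, query_string):
    """Run the search for a raw query string like
    'search_field=Company%20Name&search_value=foo%20bar'."""
    params = parse_qs(query_string)
    field = params.get("search_field", [""])[0]
    value = params.get("search_value", [""])[0]
    column = ALLOWED_SEARCH_FIELDS.get(field)
    if column is None:
        raise ValueError("unknown search_field")
    # The column comes from the allowlist; the value is bound with '?', so any
    # quotes or SQL keywords inside it are compared as literal text.
    sql = f"SELECT id, company_name, city FROM companies WHERE {column} = ?"
    return conn.execute(sql, (value,)).fetchall()


def build_sample_db():
    """Constructed in-memory table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE companies (id INTEGER PRIMARY KEY, company_name TEXT, city TEXT)"
    )
    conn.executemany(
        "INSERT INTO companies (company_name, city) VALUES (?, ?)",
        [("foo bar", "Oslo"), ("acme", "Berlin")],
    )
    return conn
```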