Custom build - you have 2 options.
1) If you wanna simply do a lookup on a field like title, you can take a textfield and pass the text into a query like this:
SELECT * FROM links WHERE url LIKE '%thingy%';
That'll look up all URLs with thingy in the URL. You'd need to sanity-check, for security, the text passed into the query.
2) Use a fulltext index. Basically, define the fulltext index on the fields you wanna search, then do a query like this:
SELECT *, MATCH(url, title, description) AGAINST('thingy') score FROM links HAVING score > 0.0 ORDER BY score DESC;
That'll search the url, title and description fields for the word thingy and, using MySQL's internal search algorithm, will allocate a score to each result. We're only interested in scores above 0.0 and we want the highest score first (i.e., descending).
In terms of code injection, there are MANY ways to protect. I know mostly about the ways Drupal does this...
1) Forms contain a 'token' which is used server side to check that the form that was submitted was the same as the form generated by the server. This token is something like the session ID + the timestamp MD5'd together. If you try to submit a form to the target URL of a Drupal-generated form - but don't include the token matching your own session - it won't submit. This helps to stop cross-site attacks (e.g., a site creating a script which spams a forum or blog).
2) In terms of queries, Drupal has a wrapper API for databases (it supports MySQL, PostgreSQL and recently Oracle). When you execute a query, you replace all variables with placeholders and then pass the variables to the function as arguments - for example:
$result = db_query("SELECT * FROM {links} WHERE url LIKE '%%%s%%'", $searchterm);
The %s will get replaced by the function with the contents of $searchterm - but before it does this, it will be checked for things like apostrophes (which get escaped) and so on. This helps to keep the code neat + provides security. You have a number of placeholders too for sanity checking (e.g., %d is decimal and it will literally cast the variable into an int for you).
There are similar functions in Drupal for things like input filters, for example - some input fields only accept certain tags.
Drupal has a nice API site if you wanna take a look at how it does its security checks (like the db_query).
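As an added example (not from the post above, and not Drupal's own code), the two search styles the post contrasts: the LIKE query built by gluing the search term into the SQL text, beside the same search with a bound placeholder, which is what db_query's %s substitution is doing for you. It uses Python's sqlite3 in place of MySQL and `?` in place of Drupal's `%s`; the `links` table, its rows and the search terms are constructed for the demonstration. The bound version also escapes LIKE's own wildcard characters, a detail the post's "sanity check" hint covers but does not spell out.

```python
import sqlite3

# Constructed rows standing in for the MySQL `links` table in the post.
SAMPLE_LINKS = [
    (1, "https://example.org/thingy", "Thingy home", "All about thingy"),
    (2, "https://example.org/other", "Other", "Nothing to see"),
    (3, "https://example.org/100%25", "Percent", "URL with a literal percent sign"),
]


def make_db():
    """Build an in-memory database with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE links (id INTEGER PRIMARY KEY, url TEXT, title TEXT, description TEXT)"
    )
    conn.executemany("INSERT INTO links VALUES (?, ?, ?, ?)", SAMPLE_LINKS)
    return conn


def search_unsafe(conn, term):
    """The post's first query with the term pasted into the SQL text.

    Because the term becomes part of the statement, a quote inside it
    changes the statement's structure instead of being matched as data.
    """
    sql = "SELECT id FROM links WHERE url LIKE '%" + term + "%' ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def escape_like(term, esc="\\"):
    """Escape LIKE's wildcards (% and _) so the term matches literally."""
    return (
        term.replace(esc, esc + esc)
        .replace("%", esc + "%")
        .replace("_", esc + "_")
    )


def search_safe(conn, term):
    """Same search with a bound placeholder.

    The driver sends the pattern separately from the SQL text, so quotes in
    the term are data, never syntax. ESCAPE makes the escaped wildcards
    from escape_like() literal as well.
    """
    pattern = "%" + escape_like(term) + "%"
    rows = conn.execute(
        "SELECT id FROM links WHERE url LIKE ? ESCAPE '\\' ORDER BY id", (pattern,)
    )
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = make_db()
    for t in ("thingy", "%", "x' OR 1=1 --"):
        print(repr(t), "unsafe:", search_unsafe(db, t), "safe:", search_safe(db, t))
```

Running it shows the difference the post is warning about: for a plain word both functions return the same row, but for a term containing a quote or a bare `%` the concatenated version returns every row in the table, while the bound version returns only rows whose URL literally contains that text.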
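A second added example (again not from the post or from Drupal) for the form token described in point 1: a token derived from the session ID and a timestamp, checked on submission so that a form posted without the token for the submitter's own session is rejected. Where the post describes MD5 of session ID + timestamp, this version keys the hash with a server-side secret (HMAC-SHA256) so the value cannot be recomputed by the client; the secret, lifetime and session IDs are constructed for the example.

```python
import hashlib
import hmac
import time

# Constructed server-side secret; a real site would load this from configuration.
SERVER_SECRET = b"constructed-example-secret"
TOKEN_LIFETIME = 3600  # seconds a token stays valid (assumed value)


def _mac(session_id, ts, secret):
    """Keyed hash over "session:timestamp"; only the server holds the key."""
    return hmac.new(secret, f"{session_id}:{ts}".encode(), hashlib.sha256).hexdigest()


def make_token(session_id, now=None, secret=SERVER_SECRET):
    """Token to embed in the generated form: "<timestamp>:<mac>"."""
    ts = int(now if now is not None else time.time())
    return f"{ts}:{_mac(session_id, ts, secret)}"


def check_token(token, session_id, now=None, secret=SERVER_SECRET, lifetime=TOKEN_LIFETIME):
    """Accept a submission only if the token was issued for this session and is still fresh."""
    try:
        ts_str, mac = token.split(":", 1)
        ts = int(ts_str)
    except (ValueError, AttributeError):
        return False  # malformed or missing token
    current = int(now if now is not None else time.time())
    if ts > current or current - ts > lifetime:
        return False  # from the future or older than the allowed lifetime
    expected = _mac(session_id, ts, secret)
    # Constant-time comparison so the check does not leak how many characters matched.
    return hmac.compare_digest(expected.encode(), mac.encode())


if __name__ == "__main__":
    issued = make_token("session-A", now=1000)
    print("same session :", check_token(issued, "session-A", now=1500))
    print("other session:", check_token(issued, "session-B", now=1500))
    print("expired      :", check_token(issued, "session-A", now=1000 + TOKEN_LIFETIME + 1))
```

The session check is what blocks the cross-site case in the post: a third-party page can make a victim's browser submit the form, but it cannot supply a token that was computed for the victim's session.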