Good code or bad code: my_sqli

Post by simonmlewis »

We have taken on a website that has pre-built code, but there are parts of it that worry me.
Firstly, the Update doesn't work. I think it is because the 'probtn' is not actually listed within the page at all, so that's failing anyway.
But more of a worry is the format of the code. It doesn't seem particularly modern.

Is it safe or potentially hackable? (I wrote none of this!).

Code:

<?php include('header.php');

$id = mysqli_real_escape_string($connection, @$_REQUEST['id']);

if(!isset($_SESSION['member_id'])) {
    header('Location: login.php');
}
$select = mysqli_query($connection, "SELECT * FROM categories WHERE id='$id'");
// Edit category selected
if(mysqli_num_rows($select)==1){

    $result = mysqli_fetch_array($select);

    $category = $result['category'];
    if(isset($_REQUEST['proBtn'])) {
        if( !empty($_REQUEST['category']) ) {
            $category = mysqli_real_escape_string($connection, $_REQUEST['category']);
            $update ="UPDATE categories SET
                        category='$category'
                        where id='$id'";
            mysqli_query($connection,$update);
            $success = "<div class='alert alert-success'>Updated category successfully !</div>";
        }else{
        }
    }
}
?>
Re: Good code or bad code: my_sqli

Post by Christopher »

I would recommend validating and filtering the variables from $_REQUEST. Other than that it is just mediocre procedural code that could be refactored.
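To make the reply's advice concrete, here is the same edit page rewritten the way a reviewer would want it: request variables validated and filtered, the queries turned into prepared statements, and the redirect actually terminating the script. This is an added example, not code from the thread or from the site in question. It assumes that header.php starts the session and creates $connection as a mysqli handle, that the edit form is submitted by POST with a submit button named exactly proBtn (PHP array keys are case-sensitive, which is one way a button named probtn would leave the update dead), and that the id arrives either as a hidden field or in the query string; the length limit of 100 on the category name is an assumed schema constraint.

```php
<?php
// Added example (not the thread's own code): hardened category edit page.
// Assumptions: header.php starts the session and creates $connection (mysqli);
// the form posts a submit button named exactly proBtn; id comes from a hidden
// POST field or the query string; the category column holds 100 characters.
include('header.php');

// Make mysqli throw on errors instead of returning false that nobody checks.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// Authentication first. header() does not stop execution, so without exit the
// rest of the page, UPDATE included, still runs for a visitor who ignores the
// redirect (curl, for instance, does not follow it by default).
if (!isset($_SESSION['member_id'])) {
    header('Location: login.php');
    exit;
}

// Validate the id as a positive integer. Checking the type is stronger than
// escaping an arbitrary string and rejects junk like "5 OR 1" outright.
$rawId = $_POST['id'] ?? $_GET['id'] ?? null;
$id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
if ($id === false) {
    http_response_code(400);
    exit('Invalid category id.');
}

// Load the current name with a bound parameter: the value travels separately
// from the SQL text, so quoting and escaping never enter the picture.
$stmt = mysqli_prepare($connection, 'SELECT category FROM categories WHERE id = ?');
mysqli_stmt_bind_param($stmt, 'i', $id);
mysqli_stmt_execute($stmt);
mysqli_stmt_bind_result($stmt, $category);
$found = mysqli_stmt_fetch($stmt);   // true = row, null = no row, false = error
mysqli_stmt_close($stmt);

if ($found !== true) {
    http_response_code(404);
    exit('Category not found.');
}

$success = '';

// Accept the update only from a POST that carries the submit button. Reading
// $_POST rather than $_REQUEST means a crafted link (GET) cannot change data.
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['proBtn'])) {
    $newCategory = trim((string) ($_POST['category'] ?? ''));

    // Filter the new value: non-empty and within the assumed column length.
    if ($newCategory !== '' && mb_strlen($newCategory) <= 100) {
        $stmt = mysqli_prepare($connection, 'UPDATE categories SET category = ? WHERE id = ?');
        mysqli_stmt_bind_param($stmt, 'si', $newCategory, $id);
        mysqli_stmt_execute($stmt);
        mysqli_stmt_close($stmt);

        $category = $newCategory;
        $success = "<div class='alert alert-success'>Updated category successfully!</div>";
    } else {
        $success = "<div class='alert alert-danger'>Category name is required.</div>";
    }
}

// Escape anything echoed back into HTML, including the value read from the
// database, so a stored name such as <script> stays inert in the edit form.
$categoryHtml = htmlspecialchars($category, ENT_QUOTES, 'UTF-8');
?>
```

The template that follows this block would print $categoryHtml inside the input's value attribute and $success above the form. A CSRF token on the form is the next thing a reviewer would ask for; it is left out here because the thread shows neither the form markup nor a token helper.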