PHP Developers Network

A community of PHP developers offering assistance, advice, discussion, and friendship.
PostPosted: Fri Feb 15, 2019 6:14 am 
DevNet Master

Joined: Wed Oct 08, 2008 3:39 pm
Posts: 4434
Location: United Kingdom
We have taken on a website that has pre-built code, but there are parts of it that worry me.
Firstly, the Update doesn't work. I think it is because the 'probtn' is not actually listed within the page at all, so that's failing anyway.
But more of a worry is the format of the code. It doesn't seem particularly modern.

Is it safe or potentially hackable? (I wrote none of this!).

<?php include('header.php');

$id = mysqli_real_escape_string($connection, @$_REQUEST['id']);

// Redirect to login when there is no session; execution continues below (no exit after header())
if (!isset($_SESSION['member_id'])) {
    header('Location: login.php');
}

$select = mysqli_query($connection, "SELECT * FROM categories WHERE id='$id'");

// Edit category selected
if (mysqli_num_rows($select) == 1) {
    $result   = mysqli_fetch_array($select);
    $category = $result['category'];

    if (isset($_REQUEST['proBtn'])) {
        if (!empty($_REQUEST['category'])) {
            $category = mysqli_real_escape_string($connection, $_REQUEST['category']);
            $update   = "UPDATE categories SET
                            category='$category'
                            where id='$id'";
            mysqli_query($connection, $update);
            $success = "<div class='alert alert-success'>Updated category successfully !</div>";
        }
    }
}
?>

_________________
Love PHP. Love CSS. Love learning new tricks too.
All the best from the United Kingdom.

PostPosted: Sun Mar 03, 2019 12:54 am 
Site Administrator
Joined: Wed Aug 25, 2004 7:54 pm
Posts: 13592
Location: New York, NY, US
I would recommend validating and filtering the variables from $_REQUEST. Other than that it is just mediocre procedural code that could be refactored.

_________________
(#10850)
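The admin's advice applied to the posted handler, as an added example (not the poster's code and not from the forum): `id` is validated as a positive integer and `category` as bounded single-line text before either reaches SQL, the update runs as a prepared statement, the redirect is followed by `exit`, and only a POST can change data. `$connection`, the `categories(id, category)` table, `header.php` (assumed to start the session) and `login.php` come from the original post; the 100-character limit is my assumption.

```php
<?php
// Added example, not the original poster's code: the same edit-category handler with the
// request values validated and the update parameterised. $connection, categories(id, category),
// header.php (assumed to start the session) and login.php are taken from the original post.
declare(strict_types=1);
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // make mysqli failures throw

// Validate and filter the raw request values; null means "reject the request".
function validateCategoryInput(array $request): ?array
{
    // id must be a positive integer, not merely an escaped string
    $id = filter_var($request['id'] ?? '', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;
    }
    // category: a string, trimmed, non-empty, single line, at most 100 chars (assumed limit)
    $raw = $request['category'] ?? '';
    if (!is_string($raw)) {
        return null;
    }
    $category = trim($raw);
    if ($category === '' || mb_strlen($category) > 100 || preg_match('/[\r\n]/', $category)) {
        return null;
    }
    return ['id' => $id, 'category' => $category];
}

// Parameterised update: the values are bound, never interpolated into the SQL text.
function updateCategory(mysqli $connection, int $id, string $category): bool
{
    $stmt = $connection->prepare('UPDATE categories SET category = ? WHERE id = ?');
    $stmt->bind_param('si', $category, $id);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

include 'header.php';
if (!isset($_SESSION['member_id'])) {
    header('Location: login.php');
    exit; // without this, the code below still runs for an unauthenticated request
}

$success = '';
// Only change data on a POST carrying the submit button; a GET link must not update anything
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['proBtn'])) {
    $input = validateCategoryInput($_POST);
    if ($input === null) {
        $success = "<div class='alert alert-danger'>Invalid category or id.</div>";
    } elseif (updateCategory($connection, $input['id'], $input['category'])) {
        $success = "<div class='alert alert-success'>Updated category successfully!</div>";
    }
}
```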
