PHP Developers Network

Good code or bad code: my_sqli

Author:  simonmlewis [ Fri Feb 15, 2019 6:14 am ]
Post subject:  Good code or bad code: my_sqli

We have taken on a website that has pre-built code, but there are parts of it that worry me.
Firstly, the Update doesn't work. I think it is because the 'probtn' is not actually listed within the page at all, so that's failing anyway.
But more of a worry is the format of the code. It doesn't seem particularly modern.

Is it safe or potentially hackable? (I wrote none of this!).

<?php include('header.php');

$id = mysqli_real_escape_string($connection, @$_REQUEST['id']);

if(!isset($_SESSION['member_id'])) {
    header('Location: login.php');
    // note: there is no exit after the redirect, so everything below still runs
}

// Edit category selected
$select = mysqli_query($connection, "SELECT * FROM categories WHERE id='$id'");
$result = mysqli_fetch_array($select);
$category = $result['category'];

if(isset($_REQUEST['proBtn'])) {
    if( !empty($_REQUEST['category']) ) {
        $category = mysqli_real_escape_string($connection, $_REQUEST['category']);
        $update = "UPDATE categories SET category='$category' WHERE id='$id'";
        mysqli_query($connection, $update);
        $success = "<div class='alert alert-success'>Updated category successfully !</div>";
    }
}

Author:  Christopher [ Sun Mar 03, 2019 12:54 am ]
Post subject:  Re: Good code or bad code: my_sqli

I would recommend validating and filtering the variables from $_REQUEST. Other than that it is just mediocre procedural code that could be refactored.
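Added example (editor's code, not the original poster's page and not something Christopher posted): the same edit-category page rewritten along the lines of the reply above, with the inputs validated before they reach the database, the login check terminating the script, and mysqli prepared statements instead of escaped string interpolation. It assumes, as the original does, that header.php starts the session and provides a mysqli handle in $connection, and that the table is categories with columns id (integer) and category (a string column assumed to be at most 100 characters); the function names are the editor's.

```php
<?php
// Added example: hardened version of the edit-category page.
// Assumed: header.php starts the session and defines $connection (mysqli);
// table `categories` has columns id (INT) and category (VARCHAR(100)).
declare(strict_types=1);

// Make mysqli throw on prepare/execute failures instead of returning false.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// Redirect AND stop. The original calls header() without exit, so the
// SELECT and UPDATE still run for a visitor who is not logged in.
function require_login(): void
{
    if (!isset($_SESSION['member_id'])) {
        header('Location: login.php');
        exit;
    }
}

// id must be a positive integer; anything else (missing, text, an array
// from ?id[]=1) is rejected instead of being silenced with @ and escaped.
function validate_id(mixed $raw): ?int
{
    if (!is_string($raw)) {
        return null;
    }
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Reject empty / non-string values and cap length to the (assumed) column size.
function validate_category(mixed $raw): ?string
{
    if (!is_string($raw)) {
        return null;
    }
    $cat = trim($raw);
    return ($cat === '' || mb_strlen($cat) > 100) ? null : $cat;
}

// Parameter binding: the id never becomes part of the SQL text.
function fetch_category(mysqli $db, int $id): ?string
{
    $stmt = $db->prepare('SELECT category FROM categories WHERE id = ?');
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $stmt->bind_result($category);
    $found = $stmt->fetch();
    $stmt->close();
    return $found ? $category : null;
}

function update_category(mysqli $db, int $id, string $category): void
{
    $stmt = $db->prepare('UPDATE categories SET category = ? WHERE id = ?');
    $stmt->bind_param('si', $category, $id);
    $stmt->execute();          // throws on error because of MYSQLI_REPORT_STRICT
    $stmt->close();
}

// Page flow; only runs under a web server where header.php exists.
if (PHP_SAPI !== 'cli') {
    require 'header.php';
    require_login();

    $id = validate_id($_GET['id'] ?? $_POST['id'] ?? null);
    if ($id === null) {
        http_response_code(400);
        exit('Invalid category id');
    }

    $category = fetch_category($connection, $id);
    if ($category === null) {
        http_response_code(404);
        exit('No such category');
    }

    $success = '';
    // State changes only on POST; the button name must match the form's submit input.
    if (isset($_POST['proBtn'])) {
        $new = validate_category($_POST['category'] ?? null);
        if ($new !== null) {
            update_category($connection, $id, $new);
            $category = $new;
            $success = "<div class='alert alert-success'>Updated category successfully!</div>";
        }
    }
    // Render the form with htmlspecialchars($category, ENT_QUOTES, 'UTF-8'),
    // never the raw value, so stored data cannot inject markup.
}
```

Two points that are easy to miss when refactoring code like this: `$_REQUEST` merges GET, POST and cookie data, so a state-changing update should read only `$_POST`; and `mysqli_real_escape_string` only protects values inside quotes, which is why the prepared statement, not escaping, is what removes the injection risk here.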
