PHP Developers Network
http://forums.devnetwork.net/

Good code or bad code: my_sqli
http://forums.devnetwork.net/viewtopic.php?f=1&t=147876

Author:  simonmlewis [ Fri Feb 15, 2019 6:14 am ]
Post subject:  Good code or bad code: my_sqli

We have taken on a website that has pre-built code, but there are parts of it that worry me.
Firstly, the Update doesn't work. I think it is because the 'probtn' is not actually listed within the page at all, so that's failing anyway.
But more of a worry is the format of the code. It doesn't seem particularly modern.

Is it safe or potentially hackable? (I wrote none of this!).

<?php include('header.php');

// Escape the id before it is interpolated into the SQL strings below.
$id = mysqli_real_escape_string($connection, @$_REQUEST['id']);

// Require a logged-in member. header() alone does not stop the script,
// so exit afterwards; otherwise the queries below still run for anonymous visitors.
if (!isset($_SESSION['member_id'])) {
    header('Location: login.php');
    exit;
}

$select = mysqli_query($connection, "SELECT * FROM categories WHERE id='$id'");

// Edit category selected
if (mysqli_num_rows($select) == 1) {
    $result   = mysqli_fetch_array($select);
    $category = $result['category'];

    // Note the button name: the form must submit a field called 'proBtn'.
    if (isset($_REQUEST['proBtn'])) {
        if (!empty($_REQUEST['category'])) {
            $category = mysqli_real_escape_string($connection, $_REQUEST['category']);
            $update = "UPDATE categories SET
                        category='$category'
                        where id='$id'";
            mysqli_query($connection, $update);
            $success = "<div class='alert alert-success'>Updated category successfully !</div>";
        }
    }
}
?>

Author:  Christopher [ Sun Mar 03, 2019 12:54 am ]
Post subject:  Re: Good code or bad code: my_sqli

I would recommend validating and filtering the variables from $_REQUEST. Other than that it is just mediocre procedural code that could be refactored.
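A hardened rewrite of the page posted above, following Christopher's advice to validate and filter the request variables, as an added example that is neither the poster's code nor a reply from the thread. It assumes header.php supplies $connection as a mysqli object and starts the session, that mysqlnd is available for get_result(), and that the 100-character length limit and the 'proBtn' form field name match the real schema and form.

```php
<?php
// Added example, not the poster's code: the edit-category page rewritten with
// validated input and mysqli prepared statements. Assumes header.php provides
// $connection (a mysqli object) and starts the session, as the thread implies.
include 'header.php';

// Redirect anonymous visitors and stop: header() alone does not halt the
// script, so without exit the queries below would still run.
if (!isset($_SESSION['member_id'])) {
    header('Location: login.php');
    exit;
}

// Validate: id must be a positive integer from the query string only
// ($_REQUEST would also accept it from POST bodies and cookies).
$id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
if ($id === null || $id === false) {
    http_response_code(400);
    exit('Invalid category id');
}
// Look the category up with a bound parameter: the value never becomes part
// of the SQL text, so no escaping step is needed or can be forgotten.
$stmt = $connection->prepare('SELECT category FROM categories WHERE id = ?');
$stmt->bind_param('i', $id);
$stmt->execute();
$row = $stmt->get_result()->fetch_assoc();   // get_result() needs mysqlnd (assumed)
$stmt->close();
if ($row === null) {
    http_response_code(404);
    exit('Category not found');
}
$category = $row['category'];
$success = '';

// Accept the update only on POST, with the button name as it must appear in
// the form ('proBtn' in the original code; the poster noted the mismatch).
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['proBtn'])) {
    $new = trim((string) ($_POST['category'] ?? ''));
    if ($new !== '' && mb_strlen($new) <= 100) {   // 100 is an assumed column limit
        $stmt = $connection->prepare('UPDATE categories SET category = ? WHERE id = ?');
        $stmt->bind_param('si', $new, $id);
        $stmt->execute();
        $stmt->close();
        $category = $new;
        // Escape on output so a stored value cannot inject HTML into the page.
        $success = "<div class='alert alert-success'>Updated category "
                 . htmlspecialchars($category, ENT_QUOTES, 'UTF-8') . " successfully!</div>";
    }
}
```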
