Good code or bad code: my_sqli

Posted: Fri Feb 15, 2019 5:14 am
by simonmlewis
We have taken on a website that has pre-built code, but there are parts of it that worry me.
Firstly, the Update doesn't work. I think it is because the 'probtn' is not actually listed within the page at all, so that's failing anyway.
But more of a worry is the format of the code. It doesn't seem particularly modern.

Is it safe or potentially hackable? (I wrote none of this!).

Code:

<?php include('header.php');

$id = mysqli_real_escape_string($connection, @$_REQUEST['id']);

if(!isset($_SESSION['member_id'])) {
    header('Location: login.php');
}
$select = mysqli_query($connection, "SELECT * FROM categories WHERE id='$id'");
// Edit category selected
if(mysqli_num_rows($select)==1){

    $result = mysqli_fetch_array($select);

    $category = $result['category'];
    if(isset($_REQUEST['proBtn'])) {
        if( !empty($_REQUEST['category']) ) {
            $category = mysqli_real_escape_string($connection, $_REQUEST['category']);
            $update ="UPDATE categories SET
                    category='$category'
                    where id='$id'";
            mysqli_query($connection,$update);
            $success = "<div class='alert alert-success'>Updated category successfully !</div>";
        }else{
        }
    }
}
?>

Re: Good code or bad code: my_sqli

Posted: Sat Mar 02, 2019 11:54 pm
by Christopher
I would recommend validating and filtering the variables from $_REQUEST. Other than that it is just mediocre procedural code that could be refactored.
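The page below is an added example of the validation and filtering Christopher recommends, applied to the edit-category page from the first post; it is not code from either poster. It keeps the table, column and parameter names from the posted code and assumes header.php provides `$connection` as a mysqli object and has started the session. Three things it changes: the login check ends with `exit` (in the original, `header()` redirects but the script keeps running, so the UPDATE still executes for a visitor with no session); `id` is validated as a positive integer and `category` against a length and character policy (the 100-character limit is an assumed policy, not something from the thread); and both queries use prepared statements instead of string interpolation. `get_result()` assumes the mysqlnd driver.

```php
<?php
// Added example, not the original poster's code: the same edit-category page
// with request validation, an effective login check and prepared statements.
// Assumes header.php sets up $connection (mysqli) and starts the session.
include('header.php');

// The login check must stop the script: header() alone only sends the
// redirect, it does not prevent the rest of the page from executing.
if (!isset($_SESSION['member_id'])) {
    header('Location: login.php');
    exit;
}

// Validate 'id' as a positive integer rather than escaping an arbitrary string.
$id = filter_var($_REQUEST['id'] ?? '', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
if ($id === false) {
    http_response_code(400);
    exit('Invalid category id');
}

$success = '';
$error   = '';

// Accept the update only from a POST submission of the form button.
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['proBtn'])) {
    $category = trim((string)($_POST['category'] ?? ''));

    // Assumed policy: 1-100 characters, no control characters.
    if ($category === '' || mb_strlen($category, 'UTF-8') > 100
        || preg_match('/[\x00-\x1F\x7F]/', $category)) {
        $error = 'Category name must be 1-100 printable characters.';
    } else {
        // Parameters are bound, so the value is never part of the SQL text.
        $stmt = $connection->prepare('UPDATE categories SET category = ? WHERE id = ?');
        $stmt->bind_param('si', $category, $id);
        if ($stmt->execute()) {
            $success = 'Updated category successfully!';
        } else {
            $error = 'Update failed.';
        }
        $stmt->close();
    }
}

// Load the (possibly updated) row for display, again with a bound parameter.
$stmt = $connection->prepare('SELECT category FROM categories WHERE id = ?');
$stmt->bind_param('i', $id);
$stmt->execute();
$row = $stmt->get_result()->fetch_assoc();   // requires mysqlnd
$stmt->close();

if ($row === null) {
    http_response_code(404);
    exit('Category not found');
}
$category = $row['category'];

// Escape on output so a stored value cannot inject markup into the page.
$h = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES, 'UTF-8');

if ($success !== '') {
    echo "<div class='alert alert-success'>" . $h($success) . "</div>";
}
if ($error !== '') {
    echo "<div class='alert alert-danger'>" . $h($error) . "</div>";
}
?>
<form method="post" action="?id=<?= (int)$id ?>">
  <input type="text" name="category" value="<?= $h($category) ?>">
  <button type="submit" name="proBtn">Update</button>
</form>
```

The form is included so the `proBtn` parameter the posted code checks for actually exists on the page, which the first post notes was missing; restricting the update to POST also means a plain link to the page can only display a category, never change one.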