
I have this code at the moment:

```php
<?PHP

if(isset($_POST['update'])) {
    $ts=$_POST['ts'];
    $user=$_POST['user'];

    mysql_query("UPDATE users SET block_newfriends='$ts' WHERE username='$user'") or die(mysql_error());
    echo '<div class="rounded-container">';
    echo '<div class="rounded-green rounded-done">';
    echo '<b>text here</b><br>';
    echo '</div>';
    echo '</div>';
}
?>
```

and:

```php
<?php
$query = "SELECT * FROM users WHERE id = '".$_SESSION['user']['id']."'";
$result = mysql_query($query);
$row = mysql_fetch_array($result);
$x1 = $row['block_newfriends'];
$ch1[$x1] = "checked";
echo "text here
";
?>
```

As you can see, it includes PHP. But I'm not sure if it's safe against any hacks like SQL injection or XSS. Do I need to put a mysql_real_escape_string, and if yes, where exactly?

  • OK, so nobody knows it? – IbraDigga Jan 05 '17 at 13:38
  • The `mysql_*` functions are GONE in PHP7. Stop using them. Then, go read up on SQL injection so you **understand** it. Yes, this code is massively vulnerable to it. – ceejayoz Jan 24 '17 at 22:36
  • See also http://stackoverflow.com/documentation/php/2784/php-mysqli/12843/escaping-strings – Machavity Jan 25 '17 at 02:27
  • It's not safe at all, and your question suggests you did not even do a simple Google search. Read the link by Machavity, or you can watch my video on SQL injection, https://www.youtube.com/channel/UCCW6D8WcDv-FgyhwnltB3SQ, and the short answer: use prepared statements. – arif_suhail_123 Jan 25 '17 at 02:29

1 Answer


Not safe, you should consider using prepared statements.
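For concreteness, here are the asker's two snippets rewritten with PDO prepared statements, as the answer and comments recommend. This is an added example, not code from the asker or from any of the commenters. It assumes a `users` table with columns `id`, `username` and `block_newfriends`, that `block_newfriends` is a 0/1 flag (so the posted value can be whitelisted before it is bound), and that the connection details are the placeholder values shown; the escaped echo of the username is an illustration of output encoding, since the original only printed fixed strings.

```php
<?php
// Added example (not the asker's code): the same two operations with PDO
// prepared statements, so user input is never spliced into the SQL text.
// Assumed schema: users(id, username, block_newfriends), with
// block_newfriends a 0/1 flag. Connection details are placeholders.
session_start();

$pdo = new PDO(
    'mysql:host=localhost;dbname=DB_NAME_PLACEHOLDER;charset=utf8mb4',
    'DB_USER_PLACEHOLDER',
    'DB_PASS_PLACEHOLDER',
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION, // throw instead of die(mysql_error())
        PDO::ATTR_EMULATE_PREPARES => false,                  // real server-side prepared statements
    ]
);

// --- First snippet: the update handler -------------------------------------
if (isset($_POST['update'])) {
    $ts   = $_POST['ts']   ?? '';
    $user = $_POST['user'] ?? '';

    // Validate as well as bind: the flag may only ever be '0' or '1'
    // (assumption about block_newfriends; adjust to the real column type).
    if (!in_array($ts, ['0', '1'], true)) {
        http_response_code(400);
        exit('invalid value');
    }

    // The ? placeholders are sent to MySQL separately from the SQL string,
    // so whatever is in $user is treated as a value, never as SQL syntax.
    // No mysql_real_escape_string() call is needed anywhere.
    $stmt = $pdo->prepare('UPDATE users SET block_newfriends = ? WHERE username = ?');
    $stmt->execute([$ts, $user]);

    echo '<div class="rounded-container">';
    echo '<div class="rounded-green rounded-done">';
    // XSS side of the question: anything reflected into HTML is encoded first.
    // (Illustration: the original printed a fixed string, which needs no escaping.)
    echo '<b>Updated ' . htmlspecialchars($user, ENT_QUOTES, 'UTF-8') . '</b><br>';
    echo '</div>';
    echo '</div>';
}

// --- Second snippet: reading the flag for the logged-in user ---------------
// The session id comes from the server, not the request, but binding it keeps
// one rule for the whole code base: no concatenation into SQL, ever.
$stmt = $pdo->prepare('SELECT block_newfriends FROM users WHERE id = ?');
$stmt->execute([$_SESSION['user']['id'] ?? 0]);
$row = $stmt->fetch(PDO::FETCH_ASSOC);

$ch1 = [];
if ($row !== false) {
    $x1 = $row['block_newfriends'];
    $ch1[$x1] = 'checked';
}
echo "text here\n";
?>
```

Two points worth noting: the `$_SESSION['user']['id']` value in the second snippet is not attacker-controlled in the same way as `$_POST`, but binding it costs nothing and removes the need to reason case by case about which values are safe to concatenate; and the whitelist on `$ts` is separate from injection safety (binding already prevents injection) but stops nonsense values from being written to a column that should only hold 0 or 1.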