YOLO <3 (Joined: Jul 6, 2013; Messages: 542; Reaction score: 31)
I'm trying this:
As you can see, it includes PHP. But I'm not sure if it's safe against any hacks like SQL injection or XSS. Do I need to put a mysql_real_escape_string and if yes, where exactly?
Code:
<?php
// Saves the checkbox state submitted from the form.
if (isset($_POST['update'])) {
    $ts   = $_POST['ts'];   // checkbox value, taken straight from the request
    $user = $_POST['user']; // username, taken straight from the request
    // Both request values are interpolated directly into the SQL string.
    mysql_query("UPDATE users SET block_newfriends='$ts' WHERE username='$user'") or die(mysql_error());
    echo '<div class="rounded-container">';
    echo '<div class="rounded-green rounded-done">';
    echo '<b>text here</b><br>';
    echo '</div>';
    echo '</div>';
}
?>
Code:
<?php
// Reads the stored setting for the logged-in user so the checkbox can be pre-checked.
$query  = "SELECT * FROM users WHERE id = '" . $_SESSION['user']['id'] . "'";
$result = mysql_query($query);
$row    = mysql_fetch_array($result);
$x1     = $row['block_newfriends'];
$ch1[$x1] = "checked"; // the stored value (0 or 1) selects which checkbox gets "checked"
echo "text here\n";
?>
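The two snippets above rewritten with parameterised queries and output escaping, added here as an example and not the poster's code. Instead of mysql_real_escape_string it uses mysqli prepared statements (the old mysql_* functions were removed in PHP 7) and htmlspecialchars() for anything echoed back into HTML; it assumes a mysqli connection in $db, the poster's `users` table with columns id, username and block_newfriends, and that block_newfriends is a 0/1 flag.

```php
<?php
// Added example, not the original poster's code. Assumes $db is a connected
// mysqli instance and the poster's `users` table (id, username, block_newfriends).

function setBlockNewFriends(mysqli $db, string $user, int $ts): bool
{
    // The ? placeholders are fixed SQL; values are bound afterwards, so a
    // quote or comment sequence inside $user cannot change the statement.
    $stmt = $db->prepare('UPDATE users SET block_newfriends = ? WHERE username = ?');
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    $stmt->bind_param('is', $ts, $user);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

function getBlockNewFriends(mysqli $db, int $userId): ?int
{
    $stmt = $db->prepare('SELECT block_newfriends FROM users WHERE id = ?');
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    $stmt->bind_param('i', $userId);
    $stmt->execute();
    $stmt->bind_result($value);
    $found = $stmt->fetch();
    $stmt->close();
    return $found ? (int) $value : null;
}

if (isset($_POST['update'])) {
    // Normalise the checkbox to 0/1 before it goes anywhere near the query.
    $ts   = ($_POST['ts'] ?? '0') === '1' ? 1 : 0;
    $user = (string) ($_POST['user'] ?? '');
    setBlockNewFriends($db, $user, $ts);
    echo '<div class="rounded-container"><div class="rounded-green rounded-done">';
    // User-controlled text echoed into HTML is escaped first, so a value
    // such as <script>...</script> is displayed as text, not executed (XSS).
    echo '<b>Saved for ' . htmlspecialchars($user, ENT_QUOTES, 'UTF-8') . '</b><br>';
    echo '</div></div>';
}

// Read the stored flag back the same way for the pre-checked checkbox.
$x1  = getBlockNewFriends($db, (int) $_SESSION['user']['id']);
$ch1 = $x1 === null ? [] : [$x1 => 'checked'];
```

Binding the parameters only addresses injection; whether a visitor should be allowed to change a username they supplied in $_POST['user'] rather than their own session user is a separate authorisation check the original code does not make.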