Hi,
I'm currently working on my website and I am a bit afraid my website is vulnerable to SQL injections.
I am not sure when I have to protect it by using a magic escape, mysql string escape, etc.
I'm a beginner and I still need to learn a lot.
Some of my code:
PHP:
// Query
$test = mysql_query("SELECT roomvisits,achievementscore,onlinetime,respect FROM `user_stats` WHERE id = '".$_SESSION['user']['id']."'") or die(mysql_error());
// Results in variable
$row = mysql_fetch_row($test);
// Show first result
echo $row[0]; // room visits
PHP:
<?php
// Query: up to 10 of the current user's badges, ordered by badge id
$sql = mysql_query("SELECT * FROM user_badges WHERE user_id = '".$_SESSION['user']['id']."' ORDER BY badge_id ASC LIMIT 10") or die(mysql_error());
$count = mysql_num_rows($sql);

if($count == 0){
    echo "You don't have any badges yet.";
}else{
    // Show one badge image per row
    while($badgerow = mysql_fetch_assoc($sql)){
        echo " <img src='http://new.diaxa.eu/r63/c_images/badges/".$badgerow['badge_id'].".gif'/> ";
    }
}
?>
Do I have to protect this or is this safe?
Could you tell me when I have to filter queries?
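The rule the question is really asking for is simple: every value that ends up inside a SQL string, whatever its source, has to go in as a bound parameter, not by string concatenation. Both queries above build the statement by gluing `$_SESSION['user']['id']` into the SQL text. That value is set by your own login code, so it is not directly attacker-controlled today, but the moment it (or any other variable) comes from a request, a cookie or another table, the same code is injectable, and you will not remember which lines were "safe" six months from now. Escaping functions (magic quotes, `mysql_real_escape_string`) are a patch on top of concatenation; prepared statements remove the problem, because the SQL text and the values travel to the server separately. Note also that the `mysql_*` extension was deprecated in PHP 5.5 and removed in PHP 7.0, and `magic_quotes_gpc` was removed in PHP 5.4, so neither is something to build on. The block below is an added example, not code from the original post, showing the two queries rewritten with PDO prepared statements. The DSN, the database name `yourdb`, the credentials and the session layout are assumptions.

```php
<?php
// Added example (not from the original post): the two queries rewritten with PDO
// prepared statements. DSN, database name, credentials and the session layout are
// assumptions; adjust them to your installation.
$pdo = new PDO('mysql:host=localhost;dbname=yourdb;charset=utf8', 'dbuser', 'dbpass', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION, // throw instead of "or die()"
    PDO::ATTR_EMULATE_PREPARES => false,                  // let the MySQL server do the prepare
]);

// Assumed to be set by your login code. Casting to int is an extra belt-and-braces
// step for an integer column; the prepared statement is what actually protects you.
$userId = (int) $_SESSION['user']['id'];

// Query 1: user stats. The "?" placeholder is sent separately from the SQL text, so
// nothing in $userId can change the structure of the statement.
$stmt = $pdo->prepare(
    'SELECT roomvisits, achievementscore, onlinetime, respect FROM user_stats WHERE id = ?'
);
$stmt->execute([$userId]);
$stats = $stmt->fetch(PDO::FETCH_ASSOC);
echo $stats ? $stats['roomvisits'] : 0; // room visits

// Query 2: badge list, same pattern. Only the column we use is selected.
$stmt = $pdo->prepare(
    'SELECT badge_id FROM user_badges WHERE user_id = ? ORDER BY badge_id ASC LIMIT 10'
);
$stmt->execute([$userId]);
$badges = $stmt->fetchAll(PDO::FETCH_COLUMN);

if (count($badges) === 0) {
    echo "You don't have any badges yet.";
} else {
    foreach ($badges as $badgeId) {
        // Separate concern from SQL injection: anything printed into HTML gets
        // escaped on the way out, even when it came from your own database.
        $safeId = htmlspecialchars((string) $badgeId, ENT_QUOTES, 'UTF-8');
        echo " <img src='http://new.diaxa.eu/r63/c_images/badges/{$safeId}.gif'/> ";
    }
}
```

With this pattern the answer to "when do I have to filter queries?" becomes "never by hand": use a placeholder for every variable value in every query, and keep escaping for the output side (HTML) rather than the database side. Table and column names and `LIMIT` counts cannot be bound as parameters in MySQL, so if those ever have to vary, whitelist them against a fixed list in PHP instead of interpolating them.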