SQL Question

Possible security flaw php and SQL

So I have this code which basically retrieves data from a mysql database:

<?php
// The category comes straight from the query string
$categoria = $_GET['categoria'];
if ($categoria == "") {
} else {
    // $categoria is interpolated directly into the quoted SQL string
    $consulta = @mysql_query("SELECT * FROM productos where categoria='$categoria' ORDER BY nombre ASC");
    while ($seleccion = @mysql_fetch_array($consulta)) {
        $nombre = $seleccion['nombre'];
        $referencia = $seleccion['referencia'];
        $descripcion = $seleccion['descripcion'];
        $imagen = $seleccion['imagen'];
        // ... the variables are echoed here
    }
}

And well, after that I echo all of the variables... I was wondering, might there be any problem regarding security with code like this? Is there any risk of it being hacked?


With your existing setup of the mysql extension, the best approach is at least passing the strings through mysql_real_escape_string. If you can move to a mysqli or PDO based setup, that would be ideal.

$consulta = @mysql_query("SELECT * FROM productos where categoria='" . mysql_real_escape_string($categoria) . "' ORDER BY nombre ASC");

Also, a side note from Simon: it's best you don't prefix the statement with @. This adds a bit of overhead to the execution. You should handle errors with error_reporting and display_errors.
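As an added example (not code from the question or the answer above), here is the same lookup rewritten with prepared statements, which is the "move to mysqli or PDO" the answer recommends. The table and column names (productos, categoria, nombre, referencia, descripcion, imagen) are taken from the question; the DSN, database name and credentials are placeholders, and the error-handling settings are one reasonable choice rather than anything the page prescribes. The mysqli variant assumes the mysqlnd driver, which get_result() requires.

```php
<?php
declare(strict_types=1);

// Report everything, but log it instead of displaying it to visitors.
// (Settings chosen for this example; adjust to your environment.)
error_reporting(E_ALL);
ini_set('display_errors', '0');
ini_set('log_errors', '1');

/** PDO connection with exceptions enabled, so no @ suppression is needed. */
function conectarPdo(): PDO
{
    // Placeholder DSN and credentials.
    return new PDO(
        'mysql:host=localhost;dbname=tienda;charset=utf8mb4',
        'usuario',
        'clave',
        [
            PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_EMULATE_PREPARES   => false, // real server-side prepared statements
            PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
        ]
    );
}

/**
 * The category value is sent to the server separately from the SQL text,
 * so quotes or keywords inside it are treated as data, never as SQL.
 */
function productosPorCategoriaPdo(PDO $pdo, string $categoria): array
{
    $stmt = $pdo->prepare(
        'SELECT nombre, referencia, descripcion, imagen
           FROM productos
          WHERE categoria = :categoria
          ORDER BY nombre ASC'
    );
    $stmt->execute([':categoria' => $categoria]);
    return $stmt->fetchAll();
}

/** Equivalent query using the mysqli extension's prepared statements. */
function productosPorCategoriaMysqli(mysqli $db, string $categoria): array
{
    $stmt = $db->prepare(
        'SELECT nombre, referencia, descripcion, imagen
           FROM productos
          WHERE categoria = ?
          ORDER BY nombre ASC'
    );
    $stmt->bind_param('s', $categoria); // 's' = bind as a string
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}

/** Escape on output as well: database contents are untrusted when rendered as HTML. */
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

$categoria = $_GET['categoria'] ?? '';
if ($categoria === '') {
    exit; // nothing to look up, same as the original empty check
}

try {
    $pdo = conectarPdo();
    foreach (productosPorCategoriaPdo($pdo, $categoria) as $fila) {
        echo '<h2>', h($fila['nombre']), '</h2>';
        echo '<p>', h($fila['referencia']), '</p>';
        echo '<p>', h($fila['descripcion']), '</p>';
        echo '<img src="', h($fila['imagen']), '" alt="">';
    }
} catch (PDOException $e) {
    // Details go to the error log; the visitor only sees a generic message.
    error_log($e->getMessage());
    http_response_code(500);
    echo 'Error al consultar los productos.';
}
```

With either driver the query text never contains user input, which removes the need for mysql_real_escape_string entirely; the htmlspecialchars() step covers the separate problem of echoing database values into the page.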