So I have this code which basically retrieves data from a mysql database:
$categoria = $_GET['categoria'];
if($categoria ==""){}else{
$consulta = @mysql_query("SELECT * FROM productos where categoria='$categoria' ORDER BY nombre ASC");
while($seleccion = @mysql_fetch_array($consulta)){
$nombre = $seleccion['nombre'];
$referencia = $seleccion['referencia'];
$descripcion = $seleccion['descripcion'];
$imagen = $seleccion['imagen'];
}
}
With your existing setup of mysql extension the best approach to follow is at least passing the strings through mysql_real_escape_string. If you can move to mysqli or pdo based setup that would be ideal.
$consulta = @mysql_query("SELECT * FROM productos where categoria='" . mysql_real_escape_string($categoria) . "' ORDER BY nombre ASC");
Also a side note from Simon: it's best you don't prefix the statement with @. This adds a bit of overhead to the execution. You should handle errors with error_reporting and display_errors.
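The PDO-based setup the answer recommends, written out as an added example (this is not the asker's or the answerer's code); the DSN, user and password are placeholders you would replace with your own:

```php
<?php
// Added example: the same product lookup with PDO prepared statements.
// The user-supplied value is bound as a parameter, so it is never spliced
// into the SQL text and cannot alter the query's structure.
// Assumed: database name and credentials are placeholders.

$categoria = isset($_GET['categoria']) ? $_GET['categoria'] : '';

if ($categoria !== '') {
    $pdo = new PDO(
        'mysql:host=localhost;dbname=DB_NAME_PLACEHOLDER;charset=utf8mb4',
        'DB_USER_PLACEHOLDER',
        'DB_PASSWORD_PLACEHOLDER',
        [
            // Throw on errors instead of silently returning false (no @ needed).
            PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
            // Use real server-side prepares rather than client-side emulation.
            PDO::ATTR_EMULATE_PREPARES   => false,
        ]
    );

    $stmt = $pdo->prepare(
        'SELECT nombre, referencia, descripcion, imagen
           FROM productos
          WHERE categoria = :categoria
          ORDER BY nombre ASC'
    );
    $stmt->execute([':categoria' => $categoria]);

    while ($seleccion = $stmt->fetch(PDO::FETCH_ASSOC)) {
        $nombre      = $seleccion['nombre'];
        $referencia  = $seleccion['referencia'];
        $descripcion = $seleccion['descripcion'];
        $imagen      = $seleccion['imagen'];
        // Escape on output as well, so stored values cannot inject HTML.
        echo htmlspecialchars($nombre, ENT_QUOTES, 'UTF-8'), "\n";
    }
}
```

With ERRMODE_EXCEPTION a failed connection or query raises a PDOException, which you can log or display according to your error_reporting and display_errors settings instead of suppressing it with @.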