Question

I found this source code on a website I just purchased. I'm just wondering if this script is secure. Can anyone explain this to me?

<?php

if($_GET['map_loc']) {
    $code = $_GET['map_loc'];
    $result= mysql_query("SELECT ttc.continent_id, ttc.continent_id, c.name FROM territories_to_continents ttc
        INNER JOIN continents c
        ON ttc.continent_id = c.continent_id
        WHERE ttc.code = '$code'
        LIMIT 1;
        ");
    $row = mysql_fetch_array($result);
    $mapLoc = $row['name'];
}

?>

Solution

It is absolutely not secure. mysql_* is old and shouldn't be used. You should use PDO or mysqli instead. In the following example, I show how it could be done with mysqli.

<?php

if(isset($_GET['map_loc'])) {
    $code = $_GET['map_loc'];

    $query = "SELECT ttc.continent_id, ttc.continent_id, c.name FROM territories_to_continents ttc
                INNER JOIN continents c
                ON ttc.continent_id = c.continent_id
                WHERE ttc.code = ?
                LIMIT 1";

    // $mysqli is assumed to be an already opened mysqli connection.
    if($stmt = $mysqli->prepare($query)){
        $stmt->bind_param('s', $code);   // bound as a string parameter, never concatenated into the SQL
        $stmt->execute();
        // three columns are selected (continent_id twice, then name), so three variables are bound
        $stmt->bind_result($continentId1, $continentId2, $mapLoc);
        $stmt->fetch();
        $stmt->free_result();
        $stmt->close();
    }
}
?>

You should definitely check out this famous question for help: How can I prevent SQL injection in PHP?
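As an added example that is not part of the question or the answer, here is the same lookup written with PDO (the other option the answer names). It runs stand-alone against an in-memory SQLite database; the table layout follows the original query, and the sample rows and the `buildSampleDb`/`lookupContinent` names are constructed for this example.

```php
<?php
// Added example: the territory -> continent lookup with PDO prepared statements.
// Uses an in-memory SQLite database with constructed rows so it runs offline.

function buildSampleDb(): PDO {
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Same table and column names as the query in the question.
    $pdo->exec('CREATE TABLE continents (continent_id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
    $pdo->exec('CREATE TABLE territories_to_continents (code TEXT NOT NULL, continent_id INTEGER NOT NULL)');
    // Constructed sample data.
    $pdo->exec("INSERT INTO continents VALUES (1, 'Europe'), (2, 'Asia')");
    $pdo->exec("INSERT INTO territories_to_continents VALUES ('FR', 1), ('JP', 2)");
    return $pdo;
}

// Returns the continent name for a territory code, or null when nothing matches.
// The code travels as a bound parameter, so the database always treats it as
// data; it can never change the structure of the SQL statement.
function lookupContinent(PDO $pdo, string $code): ?string {
    $stmt = $pdo->prepare(
        'SELECT c.name
         FROM territories_to_continents ttc
         INNER JOIN continents c ON ttc.continent_id = c.continent_id
         WHERE ttc.code = :code
         LIMIT 1'
    );
    $stmt->execute([':code' => $code]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row['name'];
}

$pdo = buildSampleDb();
var_dump(lookupContinent($pdo, 'FR'));   // string(6) "Europe"
var_dump(lookupContinent($pdo, 'XX'));   // NULL, unknown code
// A quote character in the input, which would have altered the string-built
// query from the question, is just a code that matches no row here.
var_dump(lookupContinent($pdo, "FR'"));  // NULL
```

In production, replace the SQLite DSN with the MySQL one and keep the rest unchanged; the prepared statement is the part that matters.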

Licensed under: CC-BY-SA with attribution