I have a script which updates a column of my table and writes an id into it.
I need to check whether the column is empty or not; if it is not, I add a ','.
Here is the script:
    $subs = mysql_fetch_array(mysql_query("SELECT subscribed_user_id FROM users WHERE user_id=".(int)$_GET['user']));
    // split the comma-separated id list stored in the column
    $subs_array = array();
    $subs_array = explode(',', $subs['subscribed_user_id']);
    if (!in_array($_COOKIE['user_id'], $subs_array))
    {
        // prepend a ',' only when the column already holds something
        if ($subs['subscribed_user_id'] == '')
        {
            $add = '';
        } else {
            $add = $subs['subscribed_user_id'].',';
        }
        // the cookie value is concatenated into the SQL string unescaped
        mysql_query("UPDATE users SET subers=subers+1, subscribed_user_id='".$add.$_COOKIE['user_id']."' WHERE user_id=".(int)$_GET['user']);
    }
I have an idea: always add ',', but when I select it, use not the full length of the array but, for example, array.length-2... I think that this is not OK, and that is why I need advice: how can I improve this script?
Thank you in advance!
You can improve it by using a non-deprecated extension, for example:
PDO:
    $stmt = $pdo->prepare('SELECT * FROM users WHERE username = :username');
    $stmt->execute(array(':username' => $_GET['username']));
Or MySQLi:
    // '?' is the positional placeholder; bind_param('s', ...) binds it as a string
    $query = $mysqli->prepare('SELECT * FROM users WHERE username = ?');
    $query->bind_param('s', $_GET['username']);
These extensions have built-in parameterization functions which let you safely insert data into the database.
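The question's subscribe logic rewritten with PDO prepared statements, as an added example that is not code from the question or the answer. It keeps the table and column names from the question (users, user_id, subers, subscribed_user_id) and runs against an in-memory SQLite database so it can be executed stand-alone; with MySQL only the DSN changes. The sample rows are constructed. Building the id list with implode() also removes the "is the column empty?" branch the question asks about, since implode() never produces a leading comma.

```php
<?php
// Added example: the same subscribe logic with PDO prepared statements.
// Table/column names follow the question; the demo rows below are constructed.

function subscribe(PDO $pdo, int $targetUserId, int $subscriberId): bool
{
    $stmt = $pdo->prepare('SELECT subscribed_user_id FROM users WHERE user_id = :id');
    $stmt->execute([':id' => $targetUserId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false; // no such user
    }

    // explode('') yields [''], so drop empty entries; this replaces the
    // "is the column empty?" check from the question.
    $subs = array_filter(explode(',', (string) $row['subscribed_user_id']), 'strlen');
    $subs = array_map('intval', $subs);

    if (in_array($subscriberId, $subs, true)) {
        return false; // already subscribed, nothing to do
    }
    $subs[] = $subscriberId;

    $upd = $pdo->prepare(
        'UPDATE users SET subers = subers + 1, subscribed_user_id = :list WHERE user_id = :id'
    );
    // implode() never emits a leading comma, so no manual ',' handling is needed;
    // both values are bound, never concatenated into the SQL string.
    $upd->execute([':list' => implode(',', $subs), ':id' => $targetUserId]);
    return true;
}

// --- demo with constructed data (in-memory SQLite instead of MySQL) ---
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE users (user_id INTEGER PRIMARY KEY, subers INTEGER NOT NULL DEFAULT 0, subscribed_user_id TEXT NOT NULL DEFAULT '')");
$pdo->exec('INSERT INTO users (user_id) VALUES (1)');

// In the real script the ids come from (int)$_GET['user'] and the cookie;
// here they are literals so the file runs without a web request.
subscribe($pdo, 1, 7);   // first subscriber: column becomes "7"
subscribe($pdo, 1, 9);   // column becomes "7,9"
subscribe($pdo, 1, 7);   // duplicate: ignored, subers stays 2

$row = $pdo->query('SELECT subers, subscribed_user_id FROM users WHERE user_id = 1')
           ->fetch(PDO::FETCH_ASSOC);
var_dump($row); // subers 2, subscribed_user_id "7,9"
```

Binding the parameters stops the cookie value from altering the SQL, but it does not make that value trustworthy: a client can set any user_id in its own cookie, so the subscriber identity should come from the server-side session rather than from $_COOKIE before it is used in the update.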