
I have a script, which updates my table's column and writes an id to it.

I need to check whether the column is empty or not. If it is not, I add a ,.

$subs = mysql_fetch_array(mysql_query("SELECT subscribed_user_id FROM users WHERE user_id=".(int)$_GET['user']));

$subs_array = array();

$subs_array=explode(',', $subs['subscribed_user_id']);

if(!in_array($_COOKIE['user_id'], $subs_array))
{
    if($subs['subscribed_user_id']=='')
    {
        $add='';
    } else {
        $add = $subs['subscribed_user_id'].',';
    }
    mysql_query("UPDATE users SET subers=subers+1, subscribed_user_id='".$add.$_COOKIE['user_id']."' WHERE user_id=".(int)$_GET['user']);
}

I have an idea: always add ,. But when I select it, I don't use the full length of the array, but, for example, array.length-2. I think that it is not OK, and I need to know how I can improve this script.

I don't really understand what you're trying to do? Just add a , if the column is not empty? Why? Your script is also prone to SQL injections. –  Max Nov 15 '13 at 9:30
    
I believe the idea is to comma separate multiple values in a single column. –  Letharion Nov 15 '13 at 10:26

1 Answer

up vote 1 down vote accepted

With regard to your question about adding ,, just do

$new_user_id = $_COOKIE['user_id'];

if ($subs['subscribed_user_id'] !== '') {
  $new_user_id = $subs['subscribed_user_id'] . ',' . $new_user_id;
}

With that said, the details of how you add the comma are not the issue here.

I began rewriting the code, but since the db interactions make the code hard to test and work with, I honestly couldn't be bothered to properly finish it.

You should

  1. Wrap the functionality in an actual function taking parameters to remove use of $_ globals.
  2. Stop using the ancient and deprecated mysql extension. In fact, don't use (the much better) mysqli either; at the very least, adopt PDO, or better yet, a tool that removes the low level details of managing the DB.
  3. Fix the injection vulnerability in your update query.
  4. Consider whether you really should be comma separating values in the column. Perhaps you should instead add a new row?

Some code I started writing, but didn't finish because I have better things to do than setting up the db I would need.

function update_user_id($user_id, $subs, $cookie) {
  $subs = mysql_fetch_array(mysql_query("SELECT subscribed_user_id FROM users WHERE user_id = " . (int) $user_id));

  $subs_array = explode(',', $subs['subscribed_user_id']);

  if (!in_array($cookie['user_id'], $subs_array)) {
    $new_user_id = $cookie['user_id'];

    if ($subs['subscribed_user_id'] !== '') {
      $new_user_id = $subs['subscribed_user_id'] . ',' . $new_user_id;
    }

    mysql_query("UPDATE users SET subers = subers + 1, subscribed_user_id = '" . $new_user_id . "' WHERE user_id = ". (int) $user_id);
  }
}
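An added example, not part of the original answer: one way to apply points 1 to 3 above with PDO prepared statements, keeping the question's comma-separated column. The table and column names come from the question; the function name `add_subscriber`, the in-memory SQLite database and the sample values are assumptions made for illustration.

```php
<?php
// Added example: the answer's unfinished update_user_id() rewritten with PDO.
// Schema follows the question (users.user_id, subers, subscribed_user_id);
// add_subscriber() and the SQLite test database are hypothetical.

function add_subscriber(PDO $db, $userId, $subscriberId): bool
{
    // Cookie and query-string values arrive as strings; accept digits only.
    if (!ctype_digit((string) $userId) || !ctype_digit((string) $subscriberId)) {
        return false;
    }

    $select = $db->prepare('SELECT subscribed_user_id FROM users WHERE user_id = ?');
    $select->execute([$userId]);
    $current = $select->fetchColumn();
    if ($current === false) {
        return false;                    // no such user
    }

    // array_filter drops the empty element explode() yields for an empty column,
    // so no special case is needed for the first id.
    $ids = array_filter(explode(',', (string) $current), 'strlen');
    if (in_array((string) $subscriberId, $ids, true)) {
        return false;                    // already subscribed
    }
    $ids[] = (string) $subscriberId;

    // Values are bound as parameters, never concatenated into the SQL text.
    $update = $db->prepare(
        'UPDATE users SET subers = subers + 1, subscribed_user_id = ? WHERE user_id = ?'
    );
    return $update->execute([implode(',', $ids), $userId]);
}

// Constructed sample data, run against an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (user_id INTEGER PRIMARY KEY,
           subers INTEGER DEFAULT 0, subscribed_user_id TEXT DEFAULT '')");
$db->exec("INSERT INTO users (user_id) VALUES (1)");

var_dump(add_subscriber($db, '1', '7'));       // first id, stored without a comma
var_dump(add_subscriber($db, '1', '9'));       // second id, joined with a comma
var_dump(add_subscriber($db, '1', '7'));       // duplicate id
var_dump(add_subscriber($db, '1', "7',x='"));  // constructed non-numeric cookie value
echo $db->query('SELECT subscribed_user_id FROM users WHERE user_id = 1')->fetchColumn(), "\n";
```

The read-then-write sequence is still not atomic under concurrent requests; storing one row per subscription (point 4) with a unique constraint removes both that problem and the comma handling.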
