Is it good to do the database queries inside the PHP code? For example:
<?php
// Restaurant ids come straight from the session as a comma-separated string
// with a trailing comma, e.g. "12,15,33,".
$restIds = $_SESSION['restaurants'];
$restIds = substr($restIds, 0, strlen($restIds) - 1);   // drop the trailing comma
// $restIds is interpolated directly into the SQL text; nothing is bound as a parameter.
$query = "SELECT cli.restaurant_id AS id, CONCAT(cli.nombre, ' ', cli.sucursal) AS nombre
          FROM s3menudt.clientes cli
          LEFT JOIN options opt ON (opt.restId = cli.restaurant_id)
          WHERE cli.restaurant_id IN ($restIds) AND opt.controlCatalogos = 1";
$result = $mysqli->query($query);
if ($result->num_rows != 0) {
?>
    <label>Sucursal:</label>
    <select name="idSucursal" id="idSucursal">
<?php
    // $fst is initialised earlier in the page (not shown in this fragment)
    while ($row = $result->fetch_array(MYSQLI_ASSOC)) {
        // The first row becomes the default selection when the session holds none
        if ($fst == 0 and $_SESSION['idSucursal'] == '') {
            $_SESSION['idSucursal'] = $row['id'];
        }
        echo '<option id="' . $row['id'] . '" value="' . $row['id'] . '"';
        if ($row['id'] == $_SESSION['idSucursal']) echo ' selected';
        echo '>' . $row['nombre'] . '</option>';
        $fst++;
    }
?>
    </select><br>
<?php
} else {
    // Message reads: "No branches are configured for web editing."
    echo "<script>alert('No hay sucursales configuradas para edición Web.'); window.top.location='../landing/index.php'; </script>";
    die();
}
?>
</div>
<?php
$col = $col + 2;
$jsvars .= 'var idSucursal = $("#idSucursal").val();
';
$params .= 'idSucursal';
$fsucursalCat = false;
} elseif ($fcatalogos) { ?>
<!-- ++++++++++++ CATALOG ++++++++++++ -->
<div class="col-md-2">
<?php
Does this cause vulnerabilities?
The code you present has an important SQL injection vulnerability.
How to solve it?
You must use prepared statements and "parameterized" queries. These are SQL statements that are sent to and parsed by the database server separately from any parameters. This way it is impossible for an attacker to do a SQL injection.
In your case, using MySQLi the code would look something like this:
Check out this question on SO: https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php
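The following is an added example, not code from the question or the answer above, showing the restaurant-selector query from the question rewritten with a MySQLi prepared statement. Because MySQLi cannot bind an array to a single placeholder, it builds one `?` per id for the `IN (...)` list and binds each integer separately, so the SQL text the server parses never contains data from `$_SESSION['restaurants']`. It assumes `$mysqli` is an open `mysqli` connection (as in the question), PHP 7.3+ with the mysqlnd driver (for `get_result()` and `array_key_first()`), and the table and column names used in the question; the function name `fetchSucursales` is the example's own.

```php
<?php
// Added example, not the original page's code. Assumes $mysqli is an open
// mysqli connection and the s3menudt.clientes / options tables from the question.

/**
 * Returns [restaurant_id => nombre] for the ids in $restIds that have
 * controlCatalogos = 1, using a parameterized IN (...) list.
 *
 * @param mysqli $mysqli  open connection (assumed, as in the question)
 * @param string $restIds comma-separated ids as stored in $_SESSION['restaurants'],
 *                        e.g. "12,15,33," (a trailing comma is tolerated)
 */
function fetchSucursales(mysqli $mysqli, string $restIds): array
{
    // Normalise the session value into a list of integers. Any piece that is
    // not a whole number is dropped instead of being interpolated into SQL.
    $ids = [];
    foreach (explode(',', $restIds) as $piece) {
        $piece = trim($piece);
        if ($piece !== '' && ctype_digit($piece)) {
            $ids[] = (int) $piece;
        }
    }
    if ($ids === []) {
        return [];   // "IN ()" is a syntax error, so short-circuit here
    }

    // One "?" per id: user data never becomes part of the statement text.
    $placeholders = implode(',', array_fill(0, count($ids), '?'));
    $sql = "SELECT cli.restaurant_id AS id,
                   CONCAT(cli.nombre, ' ', cli.sucursal) AS nombre
            FROM s3menudt.clientes cli
            LEFT JOIN options opt ON opt.restId = cli.restaurant_id
            WHERE cli.restaurant_id IN ($placeholders)
              AND opt.controlCatalogos = 1";

    $stmt = $mysqli->prepare($sql);
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $mysqli->error);
    }
    // Type string "iii...": one 'i' (integer) per bound value, values spread by reference.
    $stmt->bind_param(str_repeat('i', count($ids)), ...$ids);
    $stmt->execute();
    $result = $stmt->get_result();   // requires mysqlnd; otherwise use bind_result()

    $rows = [];
    while ($row = $result->fetch_assoc()) {
        $rows[(int) $row['id']] = $row['nombre'];
    }
    $stmt->close();
    return $rows;
}

// Page usage: same control flow as the question, with output escaped.
$sucursales = fetchSucursales($mysqli, $_SESSION['restaurants'] ?? '');
if ($sucursales === []) {
    echo "<script>alert('No hay sucursales configuradas para edición Web.');"
       . " window.top.location='../landing/index.php';</script>";
    exit;
}
if (empty($_SESSION['idSucursal'])) {
    $_SESSION['idSucursal'] = array_key_first($sucursales);   // first row is the default
}
echo '<label>Sucursal:</label><select name="idSucursal" id="idSucursal">';
foreach ($sucursales as $id => $nombre) {
    $selected = ($id == $_SESSION['idSucursal']) ? ' selected' : '';
    // htmlspecialchars stops a name containing quotes or "<" from breaking the markup
    printf('<option id="%d" value="%d"%s>%s</option>', $id, $id, $selected,
        htmlspecialchars($nombre, ENT_QUOTES, 'UTF-8'));
}
echo '</select><br>';
```

Two points worth noting: the integer filter on the session value is defence in depth, not the fix itself (the binding is what keeps the ids out of the parsed SQL), and the `htmlspecialchars` call addresses a separate output-encoding concern that the original `echo` of `$row['nombre']` did not cover.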