Is this code safe?

[seandisanti]

right off the bat I'd remove the line

Code: Select all

@ini_set('display_errors', 'on');

you only want errors on in dev environment. in real world they can communicate info you do not want shared, including table names etc. if given the correct input. Also, this may sound nitpicky, but personally i believe that 'SELECT *' is bad form in general. I typically prefer explicitly named fields in select statements. In cases where you have multiple tables linked, it can really cut down on the size of the result set. You're also implicitly trusting the form posting your data by not verifying even as much as the referer or the post fields.

[seandisanti]

the asterisk is a wild card used in queries to say 'all fields'. It is better to be deliberate with your requests, like

SELECT field1,field2,field3 FROM atable WHERE criteria=true

you also want to escape your strings etc. think about if $EAN contained the value "0; DROP TABLE ps_product;" your query to return all rows just turned into 2 queries where the first returns no results, and the second discards the table.
If you're trying to be security minded, always assume that every user wants to break or compromise your database, pages, etc.