Sanitizing variables in this code

Question

Hi All and thank for looking.

Is the following code vulnerable and how?

How would I sanitize the code to make it safe?

    <?
$pname = $_GET['product_name'];
    $sql = "SELECT * FROM products WHERE product_name='$pname'";
    $result = mysql_query($sql);        
    $myrow = mysql_fetch_array($result);
    $pid = $myrow['product_id'];
    $sql = "SELECT * FROM product_xref_options WHERE product_id='$pid'";
    $result = mysql_query($sql);        
    $myrow = mysql_fetch_array($result);
    $pstock = $myrow['stock'];
    echo "<span style=\"text-decoration:blink; color:#33FF00; font-size:12px; font-style:italic;\"><IMG SRC =images/layout/images/stock-check.jpg align=\"absmiddle\">Live! </span><span class=\"heading\">Availability: </span>";
    if ($pstock >= 1) {
    print ("<IMG SRC =images/layout/images/green_tick.gif align=\"absmiddle\"><div class=\"green\">In Stock</div><br /><center>usually ships within 24 hours");
    }
    else
    print ("<IMG SRC =images/layout/images/red_x.gif align=\"absmiddle\"> - <div class=\"red\"> Out of Stock</div>");
    echo "<br />";
    echo "<span class=\"greyed\">Updated: ";
    //Timestamp
    echo date("F j, Y"); 
    echo " @ ";
    $onehourahead = time()-3600;
    echo gmdate("H:i", $onehourahead); 
    echo "</span><div class=\"divider\">&nbsp;</div></center><IMG SRC =images/layout/images/fast-delivery.jpg align=\"bottom\">";
    $currenttime = ((date("H")+7). ":" .date("i"));
    $currentday = date("l");
    //echo $currenttime. "<br />" .$currentday;
    $weekdays = array(
      'Monday',
      'Tuesday',
      'Wednesday',
      'Thursday',
      'Friday'
    );
    $weekends = array(
      'Saturday',
      'Sunday'
    );
    if (in_array($currentday,$weekdays)){
     if (($currentday != "Friday" && $currenttime < "16:30")) {
     $tomorrow  = mktime(0, 0, 0, date("m")  , date("d")+1, date("Y"));
     $jsdate = (date("Y"). "-" .date("m"). "-" .(date("d")). "-16-30");
     $cutoff = mktime(0, 0, 0, date("m")  , date("d"), date("Y"));
     $where = 1;
     }
     elseif (($currentday == "Monday" && $currenttime >= "16:31")) {
     $tomorrow  = mktime(0, 0, 0, date("m")  , date("d")+1, date("Y"));
     $jsdate = (date("Y"). "-" .date("m"). "-" .(date("d")). "-16-30");
     $cutoff = mktime(0, 0, 0, date("m")  , date("d"), date("Y"));
     $where = 2;
     }
     elseif (($currentday == "Tuesday" && $currenttime > "16:30")) {
     $tomorrow  = mktime(0, 0, 0, date("m")  , date("d")+1, date("Y"));
     $jsdate = (date("Y"). "-" .date("m"). "-" .(date("d")). "-16-30");
     $cutoff = mktime(0, 0, 0, date("m")  , date("d"), date("Y"));
     $where = 3;
     }
     elseif (($currentday == "Tuesday" && $currenttime <= "16:31")) {
     $tomorrow  = mktime(0, 0, 0, date("m")  , date("d")+1, date("Y"));
     $jsdate = (date("Y"). "-" .date("m"). "-" .(date("d")). "-16-30");
     $cutoff = mktime(0, 0, 0, date("m")  , date("d"), date("Y"));
     $where = 4;
     }
     elseif (($currentday != "Friday" && $currentday != "Thursday" && $currenttime >= "16:31")) {
     $tomorrow  = mktime(0, 0, 0, date("m")  , date("d")+1, date("Y"));
     $jsdate = (date("Y"). "-" .date("m"). "-" .(date("d")). "-16-30");
     $cutoff = mktime(0, 0, 0, date("m")  , date("d"), date("Y"));
     $where = 5;
     }
     elseif (($currentday == "Thursday" && $currenttime <= "16:30")) {
     $tomorrow  = mktime(0, 0, 0, date("m")  , date("d")+1, date("Y"));
     $jsdate = (date("Y"). "-" .date("m"). "-" .(date("d")+1). "-16-30");
     $cutoff = mktime(0, 0, 0, date("m")  , date("d")+1, date("Y"));
     $where = 6;
     }
     elseif (($currentday == "Thursday" && $currenttime >= "16:30")) {
     $tomorrow  = mktime(0, 0, 0, date("m")  , date("d")+1, date("Y"));
     $jsdate = (date("Y"). "-" .date("m"). "-" .(date("d")). "-16-30");
     $cutoff = mktime(0, 0, 0, date("m")  , date("d"), date("Y"));
     $where = 7;
     }
     elseif (($currentday == "Friday" && $currenttime >= "16:30")) {
     $tomorrow  = mktime(0, 0, 0, date("m")  , date("d")+3, date("Y"));
     $jsdate = (date("Y"). "-" .date("m"). "-" .(date("d")). "-16-30");
     $cutoff = mktime(0, 0, 0, date("m")  , date("d"), date("Y"));
     $where = 8;
     }
     else {
     $tomorrow  = mktime(0, 0, 0, date("m")  , date("d")+3, date("Y"));
     $jsdate = (date("Y"). "-" .date("m"). "-" .(date("d")). "-16-30");
     $cutoff = mktime(0, 0, 0, date("m")  , date("d"), date("Y"));
     $where = 9;
     }
    }
    if (in_array($currentday,$weekends)){
     if ($currentday == "Sunday"){
      $tomorrow  = mktime(0, 0, 0, date("m")  , date("d")+2, date("Y"));
      $jsdate = (date("Y"). "-" .date("m"). "-" .(date("d")+1). "-16-30");
      $cutoff = mktime(0, 0, 0, date("m")  , date("d")+1, date("Y"));
      $where = 10;
     }
     elseif ($currentday == "Saturday"){
      $tomorrow  = mktime(0, 0, 0, date("m")  , date("d")+3, date("Y"));
      $jsdate = (date("Y"). "-" .date("m"). "-" .(date("d")+2). "-16-30");
      $cutoff = mktime(0, 0, 0, date("m")  , date("d")+2, date("Y"));
      $where = 11;
     }

    }

    echo "  Time left for delivery on <b><center>" .date("l \\t\h\e jS F", $tomorrow). "</b>:</center>";
    ?>
    <center>
    <script>
    // deadline(date, width, height, style, background, number color, small text color);
    deadline("<? echo $jsdate; ?>", "220", "37", "digital2", "#FFFFFF", "#000099", "#000000");
    </script><br />
    <? 
    echo "<div class=\"cutoff\">(Cut-off: " .date("l jS F \@ 16:30\p\m", $cutoff). ")</div>";
    ?>

Answer 1

Have a look at this: http://stackoverflow.com/questions/60174/best-way-to-stop-sql-injection-in-php