First, I would use either mysqli_query or PDO, as it is more secure. Second, don't inject the variable ($user) directly into the query.
Do something like the following:
PHP Code:
function html_escape($raw_input) {
return htmlspecialchars($raw_input, ENT_QUOTES | ENT_HTML401, 'UTF-8'); // important! don't forget to specify ENT_QUOTES and the correct encoding
}
PHP Code:
function update_content($edited_content) {
    global $db;
    // Bind the values instead of interpolating them into the SQL, so the content
    // cannot break out of the query. HTML escaping is for output, not for SQL.
    // (The original query had no value after "WHERE id"; the row id is assumed
    // to arrive as $edited_content['id'].)
    $content = $edited_content['content'];
    $id      = (int) $edited_content['id'];
    $stmt = mysqli_prepare($db, "UPDATE pages SET content=? WHERE id=? LIMIT 1");
    mysqli_stmt_bind_param($stmt, 'si', $content, $id);
    // Execute the query here now
    mysqli_stmt_execute($stmt) or die(mysqli_error($db));
    mysqli_stmt_close($stmt);
}
While nothing is 100 percent secure, it's best to have security as tight as possible. One last thing: I think you are making your problem more trouble than it should be. Maybe do something like the following?
PHP Code:
function display_content() {
    global $db; // Database Variable
    $user_id = (int) $_GET['id']; // the id is numeric, so cast it and bind it; no HTML escaping needed here
    $stmt = mysqli_prepare($db, "SELECT id, content FROM pages WHERE id=? LIMIT 1");
    mysqli_stmt_bind_param($stmt, 'i', $user_id);
    // Get result from database or display error to user
    mysqli_stmt_execute($stmt) or die(mysqli_error($db));
    $result = mysqli_stmt_get_result($stmt);
    // Fetches the row .... MYSQLI_BOTH gives both integer and string keys
    $row = mysqli_fetch_array($result, MYSQLI_BOTH);
    mysqli_stmt_close($stmt);
    return $row;
}
Then all you have to do is something like this:
PHP Code:
<?php
$result = display_content();
// Escape at the point of output, where the text is placed into HTML.
echo "<p>" . html_escape($result['content']) . "</p>";
Obviously the code above will not work, but I hope this gives you a better start to your problem.
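As an added example, not code from the post above, here is the same pair of defences the post recommends (parameterised SQL plus HTML escaping at output time) written against PDO so it runs end to end offline. It assumes the pdo_sqlite extension is available; the `pages` table, its single row and the sample input are constructed inside the script.

```php
<?php
// Added example (not from the forum post). Two separate layers:
//   1. parameterised queries keep user input out of the SQL grammar;
//   2. html_escape() keeps stored text out of the HTML grammar when it is rendered.
// Assumes the pdo_sqlite extension; everything below is constructed for the demo.

function html_escape(string $raw_input): string {
    return htmlspecialchars($raw_input, ENT_QUOTES | ENT_HTML401, 'UTF-8');
}

function open_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE pages (id INTEGER PRIMARY KEY, content TEXT NOT NULL)');
    $db->exec("INSERT INTO pages (id, content) VALUES (1, 'hello')");
    return $db;
}

function update_content(PDO $db, int $id, string $content): int {
    // The content is bound as a parameter, never concatenated into the SQL string.
    $stmt = $db->prepare('UPDATE pages SET content = :content WHERE id = :id');
    $stmt->execute([':content' => $content, ':id' => $id]);
    return $stmt->rowCount();
}

function display_content(PDO $db, $raw_id): ?array {
    // Validate the id as an integer before it goes anywhere near a query.
    $id = filter_var($raw_id, FILTER_VALIDATE_INT);
    if ($id === false) {
        return null;
    }
    $stmt = $db->prepare('SELECT id, content FROM pages WHERE id = :id LIMIT 1');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

function render(array $row): string {
    // Escape at the HTML boundary, not in the database layer.
    return '<p>' . html_escape($row['content']) . '</p>';
}

$db = open_db();

// Constructed sample input that would be a problem if it were ever spliced
// unescaped into SQL or into HTML.
$sample = "O'Reilly <b>bold</b> -- ; DROP";
update_content($db, 1, $sample);

// Stored literally: the bound parameter is data, so the text survives unchanged.
$row = display_content($db, '1');
if ($row === null || $row['content'] !== $sample) {
    throw new RuntimeException('content was not stored verbatim');
}

// Rendered safely: quotes and angle brackets are entity-encoded on output.
echo render($row), PHP_EOL;

// A non-numeric id is rejected by validation before any SQL runs.
var_dump(display_content($db, '1 OR 1=1'));
```

Run it with `php example.php`. The point of keeping the two layers apart is that each escaping scheme is specific to the grammar it protects: binding a parameter says nothing about how the text will look in a browser, and htmlspecialchars says nothing about how it will be parsed by the database, so the content is stored exactly as typed and only transformed when it is placed into a page.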