Board: Scam Accusations
Re: [Proof] Coindice by johny1976
by RHavar on 24/11/2017, 18:25:28 UTC
Quote
It is pretty clear, the $_GET method is not sanitized before being included in the SQL request...

Yes it is. That's what the prot function in your one-line snippet is showing. Do you seriously not know how function application works?
Code:
prot($_GET['_unique'])
is quite literally sanitizing it.

Where prot is defined

Code:
function prot($hodnota,$max_delka=0) {
  // $hodnota = the value to protect, $max_delka = maximum length (0 = no limit)
  // strip HTML tags, then escape for the charset of the current MySQL connection
  $text=mysql_real_escape_string(strip_tags($hodnota));
  // $vystup = output: optionally truncate the escaped string to $max_delka characters
  if ($max_delka!=0)  $vystup=substr($text,0,$max_delka);
  else  $vystup=$text;
  return $vystup;
}

Quote
Edit: I see what you mean, the mysql_real_escape_string is far from being enough to avoid SQL injection; many advanced SQL injections will bypass it:

- https://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string
- http://php.net/manual/en/function.mysql-real-escape-string.php

You should probably read your own links. The way he's using it seems perfectly safe (although definitely not the way I'd do it), assuming you don't intentionally shoot yourself in the foot by changing the db's character set.

--

I couldn't be bothered to read the rest of your accusation, as I feel quite embarrassed just trying to read PHP. But frankly this reflects very poorly on you. I suspect you don't have his permission to be sharing the source, and there were no quality guarantees offered. And it's rather clear you are struggling to understand some pretty straightforward things...
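As an added example (not code from the Coindice source and not from either poster), this is how the same lookup is usually written so that the question of whether escaping is "enough" never has to be argued: the value is bound as a parameter instead of being spliced into the SQL text, so the connection's character set cannot change how the server parses the statement. The table name games, the column unique_token, the functions normalize_param and find_by_unique, the placeholder MySQL DSN and the sample rows are all assumptions. The stand-alone demo uses PHP's built-in SQLite PDO driver so it runs without a MySQL server; the MySQL connection options are shown in a comment.

```php
<?php
// Added example: bound parameters instead of escape-and-concatenate.

// Hypothetical replacement for prot(): keeps the strip_tags() and length
// trimming as input normalisation, but does NOT try to make the value
// "SQL-safe" itself. Making it safe is the driver's job.
function normalize_param(string $value, int $maxLen = 0): string {
    $text = strip_tags($value);
    return $maxLen > 0 ? substr($text, 0, $maxLen) : $text;
}

// Look up a row by its unique token with a bound parameter. The driver sends
// the value separately from the SQL text, so quotes, backslashes and multibyte
// sequences in $unique are always data and never part of the statement.
function find_by_unique(PDO $db, string $unique): ?array {
    $stmt = $db->prepare('SELECT id, name FROM games WHERE unique_token = :u');
    $stmt->execute([':u' => normalize_param($unique, 64)]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// For MySQL the connection would be opened like this (DSN values are placeholders):
//   $db = new PDO('mysql:host=DB_HOST;dbname=DB_NAME;charset=utf8mb4', $user, $pass, [
//       PDO::ATTR_EMULATE_PREPARES => false,          // real server-side prepares
//       PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
//   ]);
// Declaring the charset in the DSN (rather than with a later raw "SET NAMES")
// keeps the client library's idea of the encoding in sync with the server's,
// which is the foot-gun the thread refers to.

// Stand-alone demo on an in-memory SQLite database (constructed sample data).
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE games (id INTEGER PRIMARY KEY, unique_token TEXT, name TEXT)');
$db->exec("INSERT INTO games (unique_token, name) VALUES ('abc123', 'first'), ('xyz789', 'second')");

var_dump(find_by_unique($db, 'abc123'));            // the matching row
var_dump(find_by_unique($db, "abc123' OR '1'='1")); // NULL: the quote is data, no token matches
var_dump(find_by_unique($db, '<b>xyz789</b>'));     // tags stripped first, then matches 'xyz789'
```

Run it with `php example.php`. The design point is that normalisation (stripping tags, trimming length) and SQL safety are separate concerns: the first is an application decision, the second belongs to the prepared statement. Truncating after escaping, as prot() does, is also no longer an issue here because nothing is escaped in the first place.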