I'm sorry, but where exactly is this code vulnerable to SQL-injection?
Do you guys mean this line:

$sql = 'select friend_id from user_friends where user_id = '.$user_id;

Don't you sanitize your input?
Or am i missing something?