Larry Ullman's Book Forums

Using $_Get['Id'] For A Query



Finished all scripts in the book... participated in Boston PHP http://www.meetup.com/bostonphp/events/130131632/ ... great book and great self study.... I think I remember reading about this but not sure......

 

When using $_GET['id'] in a MySQL query, i.e. WHERE user_id (primary key) = $_GET['id'], is this good practice? Or should I create another id in the DB specifically for a query?


Thanks for the quick response.... I was trying to type shorthand to keep the ? brief...... What I meant was: should I create another column strictly for use in $_GET['query_id'] queries.... My concern is that the primary key would display in the URL...... It's just that for some reason, and I may be wrong... I remember reading something about this.... Thank you


Yes, thank you.. I have a primary key.... I'm using the primary key in the URL.... in a link..... i.e. edit_user.php?user_id=1... "1" being the primary key....... I am using scripts similar to scripts 10.1 & 10.3.. edit user..... I think what I was trying to remember was not to use the column name in the URL.. i.e. in this case do not use edit_user.php?user_id=1.. use a generic name, i.e. edit_user.php?genericname=1.... read it somewhere, not sure where... thank you for your help


Oh, okay. I see what you're saying.

Perhaps the recommendation to not use the column name is simply related to the fact that the less users know about your DB design, the better.

All the same, I can't imagine it being an issue in this case, so long as you verify who users are and make sure they are not viewing information they should not be able to.


Hey Duke. Thanks for the nice words and kudos on doing PHP Percolate! 

 

Adding to what HartleySan said, the rule I would go with is: is it a problem if the user changes, say, 10, to 11? If the X refers to a page of content, then the user just accessed another page of content, which presumably they could through a link somewhere anyway. If it's an administrator, then they're just viewing record X instead of Y, which again they could probably get to honestly in other ways.

 

But if it's a user viewing their own personal info (say, an update profile page), being able to change X to Y would be bad. 

 

Presumably, pages would have checks in place to limit access, but one can never be too careful.

 

Keep in mind this also applies to cookies, which are easily hackable.

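The "what happens if the user changes 10 to 11" test from the reply above, written out as an added example (not code from the book or from anyone in this thread): the id from the query string is validated as an integer, the page checks that the record belongs to the logged-in user unless they are an administrator, and the value only ever reaches the database as a bound parameter. It assumes a `users` table with `user_id` and `email` columns and a session carrying `user_id` and `user_level` (1 = admin); an in-memory SQLite database stands in for MySQL so it runs stand-alone.

```php
<?php
// Added example, not from the book or the thread. Table, column and session
// key names are assumptions; SQLite in memory stands in for MySQL.

function load_profile(PDO $db, array $session, array $get): ?array
{
    // 1. Validate the parameter: it must be a positive integer, nothing else.
    $id = filter_var($get['id'] ?? null, FILTER_VALIDATE_INT,
                     ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null; // missing or malformed id
    }

    // 2. Authorisation: a normal user may only load their own record, so
    //    editing ?id=10 into ?id=11 in the URL is refused unless they are an admin.
    $isAdmin = (int)($session['user_level'] ?? 0) === 1;
    if (!$isAdmin && $id !== (int)($session['user_id'] ?? 0)) {
        return null; // record belongs to somebody else
    }

    // 3. Never interpolate the value into SQL; bind it instead.
    $stmt = $db->prepare('SELECT user_id, email FROM users WHERE user_id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// --- constructed demo data ------------------------------------------------
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (user_id INTEGER PRIMARY KEY, email TEXT)');
$db->exec("INSERT INTO users VALUES (10, 'alice@example.com'), (11, 'bob@example.com')");

$alice = ['user_id' => 10, 'user_level' => 0];   // ordinary user
$admin = ['user_id' => 1,  'user_level' => 1];   // administrator

var_dump(load_profile($db, $alice, ['id' => '10']));    // Alice loading her own record
var_dump(load_profile($db, $alice, ['id' => '11']));    // Alice with a tampered id
var_dump(load_profile($db, $admin, ['id' => '11']));    // admin viewing another record
var_dump(load_profile($db, $alice, ['id' => '10abc'])); // non-integer input
```

The same ownership check belongs on the POST handler that saves the form, not only on the page that displays it, since the saved id arrives from the client just like the GET parameter does.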
