Menu
I log in a user, and in my PHP script, I make a session variable and assign username to it (as it is unique).
<?php
session_start();
//$username= getting username from database and all after loggin
$_SESSION['user_of_mywebsie']=$username;
// using $username now
Now is this the right and safe way? If not, what can be done? Now session is created with username in it ..
$sql_query=mysql_query("SELECT * FROM people WHERE username='$_SESSION['user_of_mywebsite']'");
while($row=mysql_fetch_assoc($sql_query))
{
$name=$row['name'];
$profile_pic=$row['pro_pic_location'];
}
//now i will use $name and $profile_pic furthur
952
No not correct. Your code is vulnerable to SQL injection. What if my username is something like Robert'); DROP TABLE Students;--?
You should really at the very minimum escape the data or even better use prepared statements and bound parameters.
How can I prevent SQL injection in PHP?
Also you are using a deprecated database API. Either use mysqli_* or PDO.
165
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
