consider demo url this:www.example.com/act/yes?user_id=125
i know hacker or other try change digit value in url.
my question how can compare value url 1 of field's value in yes(www.example.com/act/yes) page entries value should displayed in php?
i tried in if condition
if($_get['user_id'] == $result[0]->user_id) { show db values } else { show nothing } where $result= $this->model->edityes($_get['user_id']);
$result contain array containing fields data containing id $_get['user_id'].
all matters in equation value of $_get string sanitized before being passed database. in case user_id seems integer, it's simple as:
$user_id = (isset($_get['user_id']) && is_int($_get['user_id'])) ? $_get['user_id'] : false; if($user_id){ } else { } in above we're checking if user_id param exists (?user_id=) , if it's of type int (a whole number).
meanwhile if using prepared statements, can pass value along , rest easily.
$stmt = $mysqli->prepare('select * users user_id = ?'); $stmt->bind_param('i', $_get['user_id']); $stmt->execute(); in way, allow mysqli driver handle sanitizing of data us, we've told bound parameter $_get['user_id'] must integer well.
Comments
Post a Comment