
Cannot select all results from a table depending on another table (relational DB) in PHP and MySQL

I am trying to finish this website I am currently creating, but I am kind of stuck.

I want to create a table called "orders" in my DB. I want this table to be related to my users table so that when the user goes to his "orders.php" page (once logged in already) he sees all his current and previous orders.

These would be my table fields/cols:

id username ordernumber description quantity total

This is my approach:

Whenever a new order is created, insert all the table fields/cols depending on the user's choice (selected stuff for the order), but the username would be the only value gathered from a $_SESSION or $_COOKIE variable, which holds the username. Then, once the user goes to orders.php, I will execute a query to show all the orders that only that username has ordered. Please note that I do sanitize all my input/output and I do not store sensitive data in my cookies. My system is designed so it only uses the session as the method of authentication, therefore you need to log in every time you close the browser, but that is fine.

1) Is this a safe approach? Do you have any suggestions/comments?

2) Could you help me construct the query?

I haven't really worked with relational databases, so I am kind of lost. How can I call all the orders from table "orders" where username = "username from the session"?

So far I have this:

"SELECT * FROM orders WHERE username = ? " //(Using PDO)

I know that this will work, but my concern is that in case of a session getting hijacked or something like that, a user would be able to retrieve any user's orders, or not?

Thank you for explaining this a little bit further and helping me out!

Cheers!

Be careful! Please don't create a plain-text cookie containing a human-readable user id (like user2345995 or OllieJones). It's far too easy for a bad guy to fake a cookie like that just by guessing, and then your users' information leaks out.

You're working in PHP. Therefore you can use PHP's session mechanism to store your user id and other values. PHP uses hard-to-guess session ids (SIDs) and stores them either in a cookie or as a sid=1234abcd9875 parameter in URLs.

For the sake of your system's integrity, please read up on this. It's actually a pretty well-designed feature and it's been in the wild for fifteen years or so: it's debugged.

http://php.net/manual/en/session.idpassing.php

If you're using the session system, you basically do this in your first page, your login page.

<?php
session_start();                    /* start (or resume) the session for this visitor */
...
/* only after the password check has passed */
$_SESSION['username'] = $username;  /* which you get by logging in */
...

On your order lookup page you do something similar to retrieve the username and use it in a query.

<?php
session_start();
...
if (!isset($_SESSION['username'])) {   /* not logged in: show nothing, send them to the login page */
    exit;
}
$orderstmt = $pdoconn->prepare("SELECT * FROM orders WHERE username = :username");
$orderstmt->execute( array(':username' => $_SESSION['username']) );   /* bound parameter, never string-concatenated */
...
while ($row = $orderstmt->fetch(PDO::FETCH_ASSOC)) {
   /* use the row's data, e.g. $row['ordernumber'], $row['total'] */
}
$orderstmt->closeCursor();
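The answer above covers the two halves of the design (bind the identity to the session at login, then key the orders query on that session value). Below is a fuller worked example, added here and not part of the original question or answer, that puts the session hardening and the lookup together. It assumes a users table (id, username, password_hash) and an orders table whose user_id column references users.id; the page's own schema keys orders on username instead, which works the same way but is less robust to renames. $pdo is an existing PDO connection; login.php and logout.php are hypothetical file names.

```php
<?php
// Added example, not from the original page. Assumes users(id, username, password_hash)
// and orders(id, user_id -> users.id, ordernumber, description, quantity, total).
// $pdo is an already-connected PDO instance.

declare(strict_types=1);

// Harden the session before session_start(). use_strict_mode makes PHP reject any
// session ID it did not issue itself; use_only_cookies disables the ?sid=... URL
// form, which leaks the ID through Referer headers, bookmarks and server logs.
ini_set('session.use_strict_mode', '1');
ini_set('session.use_only_cookies', '1');
session_set_cookie_params([
    'lifetime' => 0,        // session cookie: discarded when the browser closes
    'path'     => '/',
    'secure'   => true,     // only sent over HTTPS
    'httponly' => true,     // not readable from JavaScript
    'samesite' => 'Lax',
]);
session_start();

/** login.php: verify the credentials, then bind the session to the user's numeric id. */
function login(PDO $pdo, string $username, string $password): bool
{
    $stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $user = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($user === false || !password_verify($password, $user['password_hash'])) {
        return false;
    }
    // Issue a fresh session ID on the privilege change. An ID an attacker planted
    // before login (session fixation) no longer refers to the logged-in session.
    session_regenerate_id(true);
    $_SESSION['user_id'] = (int) $user['id'];
    return true;
}

/** orders.php: the only "input" to the query is the session, never a GET/POST field. */
function currentUserOrders(PDO $pdo): array
{
    if (!isset($_SESSION['user_id'])) {
        header('Location: /login.php', true, 302);
        exit;
    }
    $stmt = $pdo->prepare(
        'SELECT ordernumber, description, quantity, total
           FROM orders
          WHERE user_id = :uid
       ORDER BY id DESC'
    );
    $stmt->execute([':uid' => $_SESSION['user_id']]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

/** logout.php: drop the server-side state, not just the cookie. */
function logout(): void
{
    $_SESSION = [];
    session_destroy();
}
```

On the hijacking question: because the WHERE clause is bound to a value that only the server ever writes into the session, an attacker who steals a session ID gets exactly the victim's orders and nothing else; they cannot widen the query to other users. What the cookie flags, strict mode and session_regenerate_id() buy you is making that theft harder in the first place (no ID over plain HTTP, none readable by injected script, none fixed by the attacker beforehand, none accepted unless the server issued it).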
