php search database for row

Question

Okay I got code the code to pull data based on a users account number

well here is what im using (And yes I know it isnt safe now that is the reason for my post)

<?php

include('config.php');

$user_info = fetch_user_info($_GET['AccountNumber']);

?>
<html>
<body>
<div>
<?php
if ($user_info === false){
$Output = 'http://www.MyDomain.Com/';
echo '<META HTTP-EQUIV=Refresh CONTENT="0; URL='.$Output.'">';
}else{
?>
<center>
<title><?php echo $user_info['FirstName'], ' ', $user_info['LastName'], ' - ',     $user_info['City'], ', ', $user_info['State']; ?> - Name of site</title>

So basically what this code is allowing me to do is have a file called Profile.php And when a user visits this page it will return the data.

Like this http://MyDomain.com/Profile.php?AccountNumber=50b9c965b7c3b

How can I do this securely cause right now its using a get method really unsafe to retrieve the account number from the url bar.

Answer 1

Are you coming from another page which should POST the data instead of GET?

It isn't terribly dangerous to get the information from the GET. You just have to make sure you escape the value with mysql_real_escape_string() , so something like:

$user_info = fetch_user_info(mysql_real_escape_string($_GET['AccountNumber']));

That will protect you against SQL injection attacks. Even better would be to use prepared statements and PDO .

We can't tell exactly what query or queries you are running right now, because all of that logic is hidden behind fetch_user_info, which you didn't include the source for. If you include that code, we could help secure it a bit more possibly.

Answer 2

If you only want to show the current users profile, you should store the users id or account number in the session when the user logs in. Then on your profile page retrieve the account number from the session and display the details. If there is no active session, then you can redirect the user to the login page.