Geek Answers Handbook

Is this bad using $ _SESSION ['id'] in queries?

When a user logs in, he gets $_SESSION['id'] , and he becomes his identifier taken from the mysql table. Then I execute mysql queries, for example SELECT * FROM members WHERE member_id = {$_SESSION['id']} .

So is it safe? Can $ _SESSION ['id'] disappear, or can a hacker somehow edit it?

Thanks.

+7
source share
7 answers

I would say that it is always useful to create a query simply by inserting or concatenating variables. Instead, you should use a Prepared expression , which guarantees protection against attacks such as SQL Injection. IMHO, they also make the code better.

+6
source

In theory, there is no way that clients can influence the $ _SESSION array; beacuse session data is stored on the server. But in practice, never trust this, because a hacker can use another security hole and the $ _SESSION ['id'] substring with something bad.

Do this before entering id in your request:

 $_SESSION['id'] = intval($_SESSION['id']);
+2
source 
 <?php $stmt = mysqli_prepare($con, "SELECT Name FROM members WHERE member_id = ? LIMIT 1"); mysqli_stmt_bind_param($stmt, "s", $_SESSION['id']); mysqli_stmt_execute($stmt); mysqli_stmt_bind_result($stmt, $name); mysqli_stmt_fetch($stmt); mysqli_stmt_close($stmt); echo 'name is '.$name; ?>
0
source

You are right to be suspect because the header headers are under user control.

You create a valid identifier, but I can interfere with it, for example by setting my $ _SESSION ['id'] to 1234 OR 1==1 and that (theoretically) will return all user entries if you do not sanitize this variable.

It is normal to accept user data, but always check it. Set it to a temporary variable, then run something like preg_replace("[^A-Za-z0-9]", "", $_SESSION['id']) to remove any letters that do not contain alphanumeric characters . This alone is not enough, but it is a step towards safer user input and from the so-called "SQL injection".

0
source

As already mentioned, you should never assume type safety. Not because someone can hack you, but also because you can make a mistake or the person who set up your server. Since PHP sessions can be stored on the file system (by default), they can be stored in Memcache or you can write your own session storage handler (saving sessions in db). Let's say that an error occurred - you saved the sessions in the database, you faked the dB, and you changed the value by mistake to something else, and instead of integers (or floating-point types) you get strings with commas, and what not - which do not match your request above - and voila, you get errors. No one likes to get errors and read error descriptions - especially not your users.

So, to answer your question - it is bad to TRUST anyone. Never trust a foreign entry, always no more than one point of failure - clear your entry for security, whether it be _POST, _GET, _SESSION or something else.

0
source

always thinking badly. To think if some kind of variable is safe or not.
You are a programmer. Let you program, think about such trifles and turn to something more interesting.

-one
source

What is and is not in $_SESSION is basically under your control. Besides using some advanced materials, such as hacking the server and editing temporary PHP storage files, the browser has no control over this.

Almost every authentication depends on setting some variable in the SESSION array to track the current user. This can be considered safe. As long as you avoid special control over the browser with statements such as:

 $_SESSION['id'] = $_POST['id']

or the like.

However, the rest of the answers that never build database queries when strings are concatenated are valid. It’s good practice to always run things through mysql_real_escape_string() , therefore, as a good programmer, you use a function / wrapper class that automates this for you, so you will never go wrong.

-one
source

More articles:


All Articles