开发者

Move mysql Information from one page to another in PHP

I have the following code in view.php, I would like to take the information to edit.php without compromising on security or show what is contained in the variables. edit.php has a form to edit the information 开发者_StackOverflow中文版from the database.

    while ($row = mysql_fetch_assoc($result))
    {
        echo "<a href=\"edit_employee.php?$row[employee_id_passport]\">" . $row['first_name'] ." " . $row['surname'] . "</a>";

        echo "<br />";
    }


You are already compromising in security - see SQL injection and escaping strings.

Also, it is common practice to include other modules of the application by requiring (see require_once() and require() functions) files. It itself is not a security vulnerability, but indeed encloses all the global variables, functions and classes to that script.

If you really need that, you can unset (see unset()) all the variables you have set, but leave only data you want to be passed.

Learn how to write clean and secure code and it will be secure. Including one PHP file into another is not an insecure practice.

EDIT:

Some start may be creating classes with private or protected properties and public methods, then using them to store sensitive information and execute some actions. By using encapsulation you may achieve what you need.


You should allow only logged in users to see or edit that information, also you might get an SQL injection with:

 $first_name = $_POST['first_name'];
 $sql_query = "SELECT  * FROM employee_master  WHERE first_name = '$first_name'";
 $result = mysql_query($sql_query, $connection);

You should have instead:

 $first_name = mysql_real_escape_string( $_POST['first_name']);
 $sql_query = "SELECT  * FROM employee_master  WHERE first_name = '$first_name'";
 $result = mysql_query($sql_query, $connection);


The best way to do this would be(assuming you cant do anything else other than to use a standard anchor link to pass the variable) have an md5 of id of each of your record in the table. So that you can do

while($row = mysql_fetch_assoc($res))
{
echo "<a href=\"edit_employee.php?chksum=$row['md5']\">" . $row['first_name'] ." $row['surname'] . "</a>";
}

now in edit.php retrieve this and compare it with the hash.

An even more secured way would be to concatenate the id of the record with another unique data such as join date or dob and hash the entire string. It would be highly secure that way.


Option 1: Just past the id from the database via your link. If user knows the id, but doesn't know any other information, than it's useless to it. Using something else will just bring few more code lines.

Option 2: Set user's id in SESSION


$first_name = mysql_real_escape_string( $_POST['first_name']);

session_start();
$_SESSION['loggedin'] = true;
$_SESSION['first_name'] = $first_name;

Then to set other values from the database as session variables, e.g. the user's surname:

$_SESSION['surname'] = $row['surname'];

Then from any other page you can do

if ($_SESSION['loggedin'] == true) {
    echo "Welcome $_SESSION['first_name'] $_SESSION['surname']!";
}
0

上一篇:

下一篇:

精彩评论

暂无评论...
验证码 换一张
取 消

最新问答

问答排行榜