Using $_GET to Pass Member id

I'm having a problem when trying to create a member login system where each user is directed to their own editable profile. I'm at the login stage right now, and trying to pass the user's id securely from the login page to their profile page so that I can display their profile information.

Right now, I am being redirected to 'mydomain.com/index.php?test=Resource%20id%20#8', (I want, for example 'mydomain.com/index.php?test=1111') after this chunk of code:

$user_id = mysql_query("SELECT `id` FROM `users` WHERE `username` = '$user' AND `active`='1'");  
header("location: profile.php?test='$user_id'");
exit();

where $user has been sanitized using trim, htmlspecialchars, and mysql_real_escape_string. After the user arrives at 'profile.php,' I am planning on implementing something like this after I can figure out how to properly pass the user id:

$user_id=(int)$_GET['$user_id'];
mysql_real_escape_string($user_id);
if (isset($user_id)) {
   $user_id = preg_replace('#[^0-9]#i', '', $user_id); // filter everything but numbers

There is more to the code, but I believe I have included all relevant information. Any advice, wisdom, thoughts, and comments are always very much appreciated. Thank you very much for your support.


You cannot query and get the result right away.

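Try fixing the above part like this.

// mysql_query() returns a result resource, not the value itself
$result = mysql_query("SELECT `id` FROM `users` WHERE `username` = '$user' AND `active`='1'");
// Read the id column of the first row out of the result
$user_id = mysql_result($result, 0, 'id');
// No quotes around the value, so the URL ends in ?test=1111
header("location: profile.php?test=$user_id");
exit();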


Your code is terrible.

  1. isset is pointless, $user_id is always set there.
  2. preg_replace is pointless - after (int) only numbers will be in variable
  3. mysql_real_escape_string is pointless - after (int) there will be no bad characters

So replace that whole block with a single line

$user_id = isset($_GET['user_id']) ? (int)$_GET['user_id'] : 0;
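
An added example, not part of the original thread: anything placed in the query string can be edited by the visitor, so this version keeps the id in the session and redirects to profile.php with no id in the URL. It uses PDO with a bound parameter instead of the thread's mysql_* functions (removed in PHP 7.0). The function names, the login.php?error=1 target, and the in-memory SQLite table with its rows are constructed for illustration, and it assumes the password check has already passed.

```php
<?php
// Added example. Table and column names follow the question; everything
// else (function names, sample rows, login.php?error=1) is constructed.

// Login step: look the id up with a bound parameter and return it as an int.
function find_active_user_id(PDO $db, string $username): ?int
{
    $stmt = $db->prepare('SELECT id FROM users WHERE username = ? AND active = 1');
    $stmt->execute([$username]);
    $id = $stmt->fetchColumn();              // false when no row matched
    return $id === false ? null : (int)$id;
}

// Login page: keep the id server-side; the redirect URL carries no id.
function login_redirect(PDO $db, string $username, array &$session): string
{
    $id = find_active_user_id($db, $username);
    if ($id === null) {
        return 'login.php?error=1';          // hypothetical failure target
    }
    $session['user_id'] = $id;
    return 'profile.php';
}

// Profile page: the id comes from the session, never from $_GET.
function current_user_id(array $session): int
{
    return isset($session['user_id']) ? (int)$session['user_id'] : 0;
}

// Constructed demo data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER, username TEXT, active INTEGER)');
$db->exec("INSERT INTO users VALUES (1111, 'alice', 1), (2222, 'bob', 0)");

$session = [];                               // stands in for $_SESSION
echo login_redirect($db, 'alice', $session), "\n";   // active user
echo current_user_id($session), "\n";
$session = [];
echo login_redirect($db, 'bob', $session), "\n";     // inactive user
echo current_user_id($session), "\n";
```

In the real pages, call session_start() first and pass $_SESSION as the session array; calling session_regenerate_id(true) right after a successful login gives the logged-in user a fresh session id.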