php variables set thru address bar
Posted: Sat Oct 04, 2003 5:01 pm
I was making a user system and then I realized, while coding a page to view a user's profile, that you can set any variables thru the browser. So I went to the edit profile page and made my url:
editpro.php?username="rob"
Username is usually set by a session variable but it has to be passed into other variables so it works with SQL. This is pretty insecure; it edited my profile while I was logged into my test account.
So does this mean if I have a variable like $SQL = MYSQL_QUERY(query); somebody could edit that and do anything they want with MySQL? Please respond and tell me what I can do to prevent these things from happening.
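
As an added example (not part of the original post), here is one way to write the profile update so that a `username` value in the URL cannot select the account, assuming the behaviour described comes from PHP's `register_globals` setting. The `users` table, its columns and the `update_profile` function are hypothetical, the data is constructed, and in a real page `$_SESSION` and `$_POST` would be passed in.

```php
<?php
// Added example: hypothetical table/column names, constructed data.
// Identity comes only from the server-side session; request data is
// treated as untrusted and is bound as a parameter, never concatenated.

function update_profile(PDO $db, array $session, array $request): bool
{
    // Never read the account name from the request (or from a bare
    // $username global that register_globals could have filled in).
    if (!isset($session['username']) || !is_string($session['username'])) {
        return false; // not logged in
    }
    $email = $request['email'] ?? '';
    if (!is_string($email) || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return false; // reject malformed input
    }
    // Prepared statement: values travel separately from the SQL text.
    $stmt = $db->prepare('UPDATE users SET email = :email WHERE username = :username');
    $stmt->execute([':email' => $email, ':username' => $session['username']]);
    return $stmt->rowCount() === 1;
}

// Constructed demo: in-memory SQLite stands in for the MySQL database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, email TEXT)');
$db->exec("INSERT INTO users VALUES ('rob', 'rob@example.com'), ('test', 'test@example.com')");

// Logged in as "test"; the request also carries username=rob, as in the post.
$session = ['username' => 'test'];
$request = ['username' => 'rob', 'email' => 'new@example.com'];

var_dump(update_profile($db, $session, $request));
foreach ($db->query('SELECT username, email FROM users ORDER BY username') as $row) {
    echo $row['username'], ' => ', $row['email'], PHP_EOL;
}
```

The `username` key in the request is ignored, so only the row belonging to the session's account changes.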