Is displaying data via session-value a bad practice in PHP

Question

I am wondering if this is a bad practice and if there is a better solution(since there always is!)

My PHP app has a login that stores the user id/user name/etc in a session, then i create a var in my function like so;

         //Example user_id: AbCe3496cdA51
     $sessionSelectCustomer = $_SESSION['user_id'];

and im using this var to connect with the database and retrieve results based on the user_id:

$result = mysqli_query($con, "SELECT * FROM customer WHERE managed_by = '$sessionSelectCustomer'");

I don't know if this is vulnerable to SQL attacks since my knowledge of how sessions work is pretty limited but just looking over my code it is very likely it is if a user can change the session value user_id, adding to that would someone be able to physically change the user_id once logged in to another users and pull the new data from the database?

that's a fairly standard approach - session variables are saved on the server, not the clients machine — , Jun 15 '15 at 21:59
Possible duplicate of [PHP Session Fixation / Hijacking](http://stackoverflow.com/questions/5081025/php-session-fixation-hijacking) — Spade, Jun 07 '16 at 18:23

score 1 · Accepted Answer · edited May 23 '17 at 11:58

1

There is no problem using the session variables the way you are doing it.

BUT there are another problems regarding general session's security. This has already been discussed here. You should take a look at it.

edited May 23 '17 at 11:58

Community

1
1

answered Jun 15 '15 at 22:05

Alvaro Flaño Larrondo

5,516
2
27
46

Is displaying data via session-value a bad practice in PHP

1 Answers1