I seem to be experiencing difficulty taking the id from the user on profile.php.

profile.php PHP:

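<?php
session_start();
require 'include/connect.php';
// Send visitors who are not logged in to the login page.
if(!$_SESSION['key']){
   header('Location: login.php');
   exit; // stop here, otherwise the rest of the script still runs after the redirect header
}
// The id is taken from the URL and placed directly into the query string.
$uid = $_GET['id'];
$sql = "SELECT * FROM users WHERE id = '$uid'";
$query = mysql_query($sql);
while($row = mysql_fetch_array($query)){
   $user = $row['username'];
}
?>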

As you see, when you add GET data to the URL (e.g. profile.php?id=3) you visit the appropriate user's profile; however, I want to take the id of the user and extract their information from the database so they view their own profile upon going to profile.php (without adding a GET extension).

Question: What method can I use to query using the user's id #? And also, do I need to store a session for this?

Rohan Kumar
Eugene Stamp
  • Does the session 'key' let you identify the currently logged in user? – Luke Jul 19 '15 at 12:35
  • No, it is only representing whether or not the user is actually logged in or not. So I can change pages relevantly, if a user is logged in or not. Should I make this session an identifier also for the user's id? – Eugene Stamp Jul 19 '15 at 12:37
  • You can add the user id in session 'key' and query with the help of that 'key' to view profile.php – Drudge Rajen Jul 19 '15 at 12:41
  • Yes, you should, and please do not run a while loop; a while loop means you are fetching all the records which match the WHERE clause, and I'm sure you don't want to show all profiles to one user – Shehary Jul 19 '15 at 12:42
  • You have SQL injection problems. Also, the `mysql_*` library functions are deprecated. You need to use MySQLi or PDO and use prepared statements. – elixenide Jul 19 '15 at 12:42
  • This is also a bad approach: `profile.php?id=3`. I can directly access your page with an id, let's say `profile.php?id=78`, and I can see the profile of the user with `id=78`, and so the list goes on – Shehary Jul 19 '15 at 12:44
  • Ok thank you - One thing: I have heard this method is unsafe due to session hijacking (Pretending to be another user through session id). Is there a way to crypt or add salts to this key to make it virtually robust? – Eugene Stamp Jul 19 '15 at 12:44
  • shehary - What should I be substituting the while loop with? – Eugene Stamp Jul 19 '15 at 12:45
  • shehary - Also I have my php code set to only display profiles when logged in. – Eugene Stamp Jul 19 '15 at 12:46
  • Replace this `while($row = mysql_fetch_array($query)){` with this `$row = mysql_fetch_array($query);` and remove the closing bracket `}` too – Shehary Jul 19 '15 at 12:46
  • @EugeneStamp I'm not saying you haven't set the code to display the profile page after login; all I'm saying is that showing the id in the URL is a bad approach. Let's say I make an account on your site and log in; then can you stop me looking at other users' profiles by just accessing profile.php with ids? – Shehary Jul 19 '15 at 12:50
  • @shehary It is possible he wants others to be able to view their profiles. It's very common. Even this website allows it. – Christian Jul 20 '15 at 09:40
  • @christian Exactly what I'm saying... lol – Eugene Stamp Jul 20 '15 at 11:46

1 Answer

You'll want to somehow save the currently logged in user in the session variables. The simplest way is to add to the session array some key, such as user, where the value is the currently logged in user.

Security points:

  1. The mysql database functions you're using are deprecated. Take a look at PDO (google it, find StackOverflow answers). It's pretty similar, but more secure. Particularly, look at using prepared statements rather than executing strings where you've concatenated the arguments. You're vulnerable to something called SQL injection in this case (your searches will tell you what this is!). Here's a starting point.

  2. Before you get/display data to a user, you should make sure that the person is signed in and is signed in as the appropriate user first. A user shouldn't be able to modify the URL (i.e. change the $_GET variables) and then edit any profile of any user, for example. Generally, you'd want to show a 404 page for pages that the user shouldn't even know about, and 401s/log in redirects for pages they should potentially know about (such as their own profile page, user control centre, etc) but they aren't logged in.

  3. Session hijacking is a real thing! Check out this for some strategies to mitigate your risk. A lot of it is to do with correct configuration.

Best of luck!

Community
Luke
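
One way to put the answer's points together, as an added example that is not part of the original answer or question: the user's id is stored in the session at login, profile.php falls back to it when no `?id=` is given, and the lookup is a PDO prepared statement that fetches a single row. The in-memory SQLite database, the `user_id` session key and the function names are assumptions made for illustration; `$session` and `$get` stand in for `$_SESSION` and `$_GET` so the script runs from the command line.

```php
<?php
declare(strict_types=1);
// Added example; table contents, the 'user_id' key and helper names are assumptions.

// Constructed stand-in for include/connect.php: an in-memory SQLite database via PDO.
function connect(): PDO {
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT)');
    $pdo->exec("INSERT INTO users (id, username) VALUES (3, 'alice'), (78, 'bob')");
    return $pdo;
}

// Call once in login.php, right after the password check succeeds.
function remember_login(array &$session, int $userId): void {
    // In a live request, call session_regenerate_id(true) first so a
    // session id issued before login is not carried over (session fixation).
    $session['user_id'] = $userId;
}

// Returns the profile row, or null when not logged in or no such user exists.
function load_profile(PDO $pdo, array $session, array $get): ?array {
    if (!isset($session['user_id'])) {
        return null; // caller redirects to login.php and exits
    }
    // No ?id= means "my own profile": the id comes from the session, not the URL.
    $id = $get['id'] ?? $session['user_id'];
    if (filter_var($id, FILTER_VALIDATE_INT) === false) {
        return null; // anything that is not a plain integer is rejected
    }
    // Prepared statement: the id is bound as data, never spliced into the SQL text.
    $stmt = $pdo->prepare('SELECT id, username FROM users WHERE id = :id');
    $stmt->execute([':id' => (int) $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC); // one row expected, so no while loop
    return $row === false ? null : $row;
}

$pdo = connect();
$session = []; // stands in for $_SESSION
remember_login($session, 3);
var_dump(load_profile($pdo, $session, []));                       // own profile, no ?id=
var_dump(load_profile($pdo, $session, ['id' => '78']));           // viewing another user's public profile
var_dump(load_profile($pdo, $session, ['id' => "3' OR '1'='1"])); // constructed malformed id
var_dump(load_profile($pdo, [], []));                             // visitor who is not logged in
```

Pages that change data, such as an edit-profile form, should take the id only from the session and never from `$_GET`.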