-3

I just made part of a user profile script and I don't know how to display the username in the title. Please help; here is the code:

    <?php
    require_once('sp/conn.php');
    $page_title = $get;
    require_once('sp/head.php');
    require_once('sp/userbar.php');
    $get = $_GET['name'];

    $query = "SELECT id,username from user_info where username = '$get'";

    $data = mysqli_query($dbc, $query);

    if (mysqli_num_rows($data) == 1) {

        // The user row was found so display the user data
        $row = mysqli_fetch_array($data);

        $img_id = $row['id'];
    ?>

    <body>
        <div id="main">
            <div id="user_lvl_avatar_bar">
                <img src="img/ava/<?php echo $row['id'];?>" class="ava" /><font id="username"><?php echo $row['username']; ?></font>
            </div><br />
            <span id="left_user_notif_bar">

            </span>
            <span id="right_user_notif_bar">

            </span>
            <?php
                } else {
                    $error_msg = "<div id=\"main\"><div id=\"red_field\">ERROR : Username doesn't exists.</div></div>";
                    echo $error_msg;
                }
            ?>
        </div>
    </body>
    </html>

Sorry for the ugly code; I didn't understand how to fix this here on Stack Overflow.

Tamil Selvan C
Puru Vijay
  • put this line at the top of the PHP: `$get = $_GET['name'];` – Tamil Selvan C Nov 08 '15 at 13:59
  • 2
    Your code is open to [SQL injection](http://www.bobby-tables.com/) – Machavity Nov 08 '15 at 14:00
  • @Machavity it's a userprofile, not a form; there can't be any injection – Puru Vijay Nov 08 '15 at 14:10
  • 1
    @PuruVijay there is an injection via `$_GET` as you cannot guarantee what's inside. Just changing the `?name=..` in address bar. In general you should sanitize any input values you put into an SQL query. – jso Nov 08 '15 at 14:13
  • So if I access `yourpage.php?name=;drop%20table%20user_info` what do you think will happen? – Machavity Nov 08 '15 at 19:22
  • Nothing happened (cuz I already used mysqli_real_escape_string and trim) – Puru Vijay Nov 08 '15 at 20:04
  • @PuruVijay You may have used `mysqli_real_escape_string` when you `INSERT`ed the data, but you need it for the `SELECT` query too. Currently your query can be exploited to extract your entire database. – Boann Nov 08 '15 at 23:10

1 Answer

0

You have the lines in the incorrect order, assigning $page_title before $get is set.

    <?php
    require_once('sp/conn.php');
    require_once('sp/head.php');
    require_once('sp/userbar.php');

    $get = $_GET['name'];
    $page_title = $get;

Note that your code is prone to SQL injection, see: How can I prevent SQL injection in PHP?

Community
jso
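The profile lookup from the question with the username bound as a statement parameter and the output HTML-escaped; this is an added example, not code from the question or the answer. It assumes `$dbc` is the mysqli connection created by `sp/conn.php` and that `sp/head.php` prints `$page_title` without escaping it; `find_user` and `$e` are hypothetical names.

```php
<?php
// Added example: parameterized rewrite of the profile page.
require_once('sp/conn.php');   // assumed to define $dbc, a mysqli connection

/**
 * Look up one user by exact username. The name is bound as a parameter,
 * so quotes or SQL keywords in ?name= are compared as data, never parsed.
 * Returns ['id' => int, 'username' => string], or null if there is no match.
 */
function find_user(mysqli $dbc, string $name): ?array
{
    $stmt = mysqli_prepare($dbc, 'SELECT id, username FROM user_info WHERE username = ?');
    if ($stmt === false) {
        throw new RuntimeException('prepare failed');
    }
    mysqli_stmt_bind_param($stmt, 's', $name);
    mysqli_stmt_execute($stmt);
    mysqli_stmt_bind_result($stmt, $id, $username);
    $row = mysqli_stmt_fetch($stmt) ? ['id' => (int) $id, 'username' => $username] : null;
    mysqli_stmt_close($stmt);
    return $row;
}

// ?name= may be missing or an array (?name[]=x); accept only a non-empty string.
$name = $_GET['name'] ?? '';
$row  = is_string($name) && $name !== '' ? find_user($dbc, trim($name)) : null;

// Escape for HTML separately: parameter binding protects the query, not the page.
$e = static fn(string $s): string => htmlspecialchars($s, ENT_QUOTES, 'UTF-8');

// Set the title before the header include (assumes sp/head.php echoes $page_title as-is).
$page_title = $row ? $e($row['username']) : 'User not found';
require_once('sp/head.php');
require_once('sp/userbar.php');
?>
<body>
    <div id="main">
<?php if ($row): ?>
        <div id="user_lvl_avatar_bar">
            <img src="img/ava/<?= $row['id'] ?>" class="ava" /><font id="username"><?= $e($row['username']) ?></font>
        </div>
<?php else: ?>
        <div id="red_field">ERROR : Username doesn't exist.</div>
<?php endif; ?>
    </div>
</body>
</html>
```

If `sp/head.php` already escapes `$page_title`, assign the raw `$row['username']` instead so the title is not escaped twice.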