
In PHP, is using sessions to fetch user info from a MySQL database safe? Or can the sessions be manipulated by users?

Let's look at the following query as an example.

```php
// Interpolating an array element into a double-quoted string needs braces,
// otherwise PHP reports a parse error on the nested quotes.
$query = $this->db->query("SELECT `private_info` FROM users
                           WHERE user_id='{$_SESSION['user_id']}'");
```

If I logged into a website, and my user ID was stored in a SESSION (e.g. `$_SESSION['user_id'] = 22`), can this `$_SESSION['user_id']` be manipulated by the user? (e.g. changing `$_SESSION['user_id']` to 100, which is another user's ID).

The PHP query above depends on `$_SESSION['user_id']` when fetching user info. Can users manipulate sessions? If they can, what are some alternatives that can be used, rather than fetching user info using user IDs stored in sessions?

Also, I'm using CodeIgniter for reference.

Thanks

bkupfer
Mason
  • Sessions are safe against such changes; they reside on the server. The cookie can be manipulated because it works on the client side. You can continue using SESSION. – Abhishek Jun 14 '18 at 09:46
  • 1
    **WARNING**: Whenever possible use **prepared statements** to avoid injecting arbitrary data in your queries and creating [SQL injection bugs](http://bobby-tables.com/). These are quite straightforward to do in [`mysqli`](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) and [PDO](http://php.net/manual/en/pdo.prepared-statements.php) where any user-supplied data is specified with a `?` or `:name` indicator that’s later populated using `bind_param` or `execute` depending on which one you’re using. – tadman Jun 14 '18 at 09:47
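The two comments above, put together as an added example (not code from the question, nor CodeIgniter's own): the browser only holds the session ID cookie, `user_id` lives in the server-side session store, and the lookup uses CodeIgniter 3 query bindings instead of string interpolation. It assumes a CodeIgniter 3 model where `$this->db` is the database object and a session is already active; the class and method names are hypothetical.

```php
<?php
// Added example, not from the question or from CodeIgniter. Assumes a
// CodeIgniter 3 model ($this->db available) and an active session.
// Only the session ID travels in the cookie; $_SESSION['user_id'] is stored
// server-side, so a client cannot edit it the way it can edit a cookie value.

class PrivateInfoModel extends CI_Model
{
    // Call once credentials have been verified. $user_id comes from the
    // users table, never from the request.
    public function bind_user_to_session($user_id)
    {
        // Issue a fresh session ID so an ID planted before login (session
        // fixation) does not survive authentication. With CodeIgniter's
        // session library, $this->session->sess_regenerate(TRUE) does the same.
        session_regenerate_id(true);
        $_SESSION['user_id'] = (int) $user_id;
    }

    // Form from the question: the value is interpolated into the SQL text.
    // The session value itself is server-side, but building queries this way
    // is the habit that turns any user-supplied value into SQL injection.
    public function fetch_private_info_interpolated()
    {
        return $this->db->query(
            "SELECT `private_info` FROM `users` WHERE `user_id`='{$_SESSION['user_id']}'"
        )->row();
    }

    // Hardened form: CodeIgniter query bindings pass the value separately from
    // the SQL text, so the driver escapes and quotes it rather than you.
    public function fetch_private_info()
    {
        if (empty($_SESSION['user_id'])) {
            return null; // not logged in: perform no lookup at all
        }
        return $this->db->query(
            'SELECT `private_info` FROM `users` WHERE `user_id` = ?',
            array((int) $_SESSION['user_id'])
        )->row();
    }
}
```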

0 Answers