
This is my first attempt at making something simple with php and mysql. I basically just learned enough of the basics to modify some example code and make it work for my data as I am not a professional programmer.

First, here is the simple code I am working with:

<?php
// mysqli_error() needs a connection argument; for a failed connect use mysqli_connect_error()
$db = mysqli_connect('localhost','root','mypass','test') or die("Error connecting to database: ".mysqli_connect_error());
?>

<?php
$query = $_GET['query'] ?? '';
$query2 = $_GET['query2'] ?? '';

$min_length = 3;

if(strlen($query) >= $min_length && (strlen($query2) >= $min_length)){

    // escape BOTH values for SQL: the original escaped only $query and
    // concatenated $query2 into the statement unescaped
    $query = mysqli_real_escape_string($db, $query);
    $query2 = mysqli_real_escape_string($db, $query2);

    $raw_results = mysqli_query($db, "SELECT * FROM hope
        WHERE (`name` LIKE '%".$query."%') AND (`boop` LIKE '%".$query2."%')") or die(mysqli_error($db));

    if(mysqli_num_rows($raw_results) > 0){ // if one or more rows are returned do following

        while($results = mysqli_fetch_array($raw_results)){

            // HTML-escape at output time, not before the query (htmlspecialchars()
            // before the SQL escape would make the stored value no longer match)
            echo "<h3>".htmlspecialchars($results['name'])."</h3><p>".htmlspecialchars($results['boop'])."</p>";

        }

    }
    else{ // if there are no matching rows do following
        echo "No results";
    }

}
else{ // if query length is less than minimum
    echo "Minimum length is ".$min_length;
}
?>

What I am trying to accomplish is that I have a database of users with their name and a unique ID code as unique personal information, and they have a list of points left in their account. What I want is for them to be able to enter two pieces of unique (but not sensitive) information such as their ID number and last name, and be able to retrieve the number of available points in their account. At the moment the code doesn't reflect all the data in my plan, but with it I am able to do a lookup where two pieces of information must be correct in order to display a result.

My main concern is that I am missing something regarding security. The information available in the database is not very sensitive. Last names are commonly used, and the unique ID number holds little value even if known by another person. At worst, if another user is able to match up someone else's last name with their ID number they'd be able to look up how many points are left in their account which, again, holds very little value.

Am I correct in this line of thinking? Or should I try to implement something more secure and complicated for this project? I appreciate any help.

autobulb
    What is your concern right now, to get the points or security? – Suhail Akhtar Jul 03 '18 at 04:37
  • This sample code is messed up. Don't use anything from wherever you got it. Whomever wrote it doesn't know what they're doing. See also: https://stackoverflow.com/a/7810880/362536 – Brad Jul 03 '18 at 04:45
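The lookup the question describes (ID code plus last name in, points balance out), written as an added example rather than the poster's code. It uses a mysqli prepared statement so neither input is ever concatenated into SQL, compares both fields exactly instead of with `LIKE '%...%'`, and HTML-escapes only at output. The table and column names (`users`, `id_code`, `last_name`, `points`), the `lookup_user` database account and the parameter names `id_code`/`last_name` are assumptions for the example.

```php
<?php
// Added example, not the original poster's code.
// Assumed schema: table `users` with columns `id_code`, `last_name`, `points`.
// Assumed DB account: a read-only `lookup_user` instead of root.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on DB errors

$db = new mysqli('localhost', 'lookup_user', 'mypass', 'test');
$db->set_charset('utf8mb4');

$id_code    = trim($_GET['id_code'] ?? '');
$last_name  = trim($_GET['last_name'] ?? '');
$min_length = 3;

if (strlen($id_code) < $min_length || strlen($last_name) < $min_length) {
    echo 'Minimum length is ' . $min_length;
    exit;
}

// Exact match on both fields. A LIKE '%...%' lookup would let a short
// substring of a common surname match many rows, and an unescaped % or _
// in the input would widen the pattern further. With placeholders the
// values are sent separately from the SQL text, so no escaping is needed.
$stmt = $db->prepare(
    'SELECT `points` FROM `users` WHERE `id_code` = ? AND `last_name` = ? LIMIT 1'
);
$stmt->bind_param('ss', $id_code, $last_name);
$stmt->execute();
$stmt->bind_result($points);

if ($stmt->fetch()) {
    // Escape at output time only; the stored value stays raw so that the
    // exact comparison above keeps working.
    echo '<p>Points remaining: '
        . htmlspecialchars((string) $points, ENT_QUOTES, 'UTF-8')
        . '</p>';
} else {
    // Same message whether the ID or the name was wrong, so the page does
    // not reveal which half of the pair a guesser got right.
    echo 'No results';
}

$stmt->close();
$db->close();
```

Two caveats worth keeping in mind with this design: whether `last_name` matching is case-sensitive depends on the column's collation, so decide that deliberately rather than by default; and because the "secret" is a guessable pair (an ID code and a common surname), a script can enumerate ID codes against a list of frequent last names, so a per-IP rate limit on this endpoint is cheap insurance even if the balance itself is low-value.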

1 Answer


You are correct in that users will be able to access other users' information, so it's up to you whether you will be storing any sensitive user information that will later be accessible between users. If so, you would just implement some basic user registration functionality/security, which if you're a beginner programmer you'll want to look into that eventually anyway.

JayDP123
  • Well, the reason I went this route is that I want users to be able to access their information quickly and without registering. They already need to register an account to make a reservation in our booking system, and they need to register an account with an online payment service if they want to pay by credit over the internet. Creating yet another username and pass they need to manage would be a big roadblock I think. – autobulb Jul 03 '18 at 05:03
  • So long as you don't expose any users' sensitive information, and don't provide a way for a user to update another user's point balance (or other details), it should be fine. – JayDP123 Jul 03 '18 at 17:31