-1

How do I display the information data using the ID in the url

example is www.thatsite.com/?id=1092

and it will display the data of the 1092 ID

<?php
    $connect = mysqli_connect("localhost", "xxxxxxx", "xxxx", "xxxx");
    // read the id first, then build the query ($id is interpolated straight into the SQL)
    $id = $_GET['id'];
    $query = "SELECT `name`, `age`, `xxxxx`, `xxxxx`, `image` FROM `profiles` WHERE `id` = $id LIMIT 1";
    $result = mysqli_query($connect, $query);
    while ($row = mysqli_fetch_array($result))
    {
        echo $row['name'];
        echo $row['xxxx'];
        echo $row['age'];
        echo $row['xxxxxxx'];
        echo $row['image'];
    }
?>
A Honey Bustard
  • 3,433
  • 2
  • 22
  • 38

2 Answers

1

Your code is full of security holes. It is prone to SQL injection, XSS attack, CSRF, HTML injection.

I have re-written it to circumvent all the issues.

1.) SQL injection is now mitigated using prepared queries.

2.) HTML injection is mitigated using intval for integer variables and strip_tags for strings. You can read more about data validation and sanitization in PHP to see more options available.

3.) XSS attack has been mitigated via htmlentities(). You can also use htmlspecialchars(). Read more about all these things.

See the better secured code below.

<?php
$servername = "localhost";
$username = "root";
$password = "";
$dbname = "your dbname";

// Create connection
$connect = new mysqli($servername, $username, $password, $dbname);

// Check connection
if ($connect->connect_error) {
    die("Connection failed: " . $connect->connect_error);
}

// ensure that the id is an integer using intval
$id = intval($_GET["id"]);

// if id is a string, you can strip all html elements using strip_tags
//$id = strip_tags($_GET["id"]);

// Avoid sql injection using a prepared statement

// prepare and bind
$stmt = $connect->prepare("SELECT name, age, xxxxx, image FROM profiles WHERE id = ? LIMIT 1");

// id is an integer or number: use the i type
$stmt->bind_param("i", $id);

// if id is a string: use the s type instead
//$stmt->bind_param("s", $id);

$stmt->execute();
$stmt->store_result();
$stmt->bind_result($name, $age, $xxxxx, $image);
while ($stmt->fetch()) {
    // ensure that xss attack is not possible using htmlentities
    echo "your Name: " . htmlentities($name) . "<br>";
    echo "your age: " . htmlentities($age) . "<br>";
    echo "your xxxxx: " . htmlentities($xxxxx) . "<br>";
    echo "your image name: " . htmlentities($image) . "<br>";
}

$stmt->close();
$connect->close();
?>
Nancy Moore
  • 2,322
  • 2
  • 21
  • 38
  • It is a very bad idea to use `die($connect->connect_error);` in your code, because it could potentially leak sensitive information. See this post for more explanation: [mysqli or die, does it have to die?](https://stackoverflow.com/a/15320411/1839439) – Dharman Oct 06 '19 at 14:16
  • Yes I know that. It's just for debugging and testing purposes. The rule is to disable and remove all error notices in production. I am aware of that. Thanks for pointing out – Nancy Moore Oct 06 '19 at 14:25
  • You could simply replace it with `mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);` since it is not clear it was meant for debugging only. The error reporting can be switched on in production. – Dharman Oct 06 '19 at 14:26
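Building on the answer and the comments above, here is a hardened version of the lookup, added as an example and not code from the question or either answer. It assumes PHP 8 with mysqlnd, the `profiles` table with `id`, `name`, `age` and `image` columns named in the question, and placeholder credentials; unlike `intval()`, it rejects a non-numeric id outright instead of coercing it to 0, and answers 400/404 rather than echoing nothing.

```php
<?php
// Added example, not code from the question or the answers: hardened lookup
// for ?id=1092 with strict id validation, a prepared statement, mysqli exception
// mode (as the comments suggest), proper HTTP status codes and escaped output.
// Table and columns follow the question; the credentials are placeholders.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // errors throw, nothing is echoed

// Positive integers only: "abc", "", "-5" and "1092 OR 1=1" give null, not intval()'s silent 0.
function validate_id($raw): ?int
{
    return (is_string($raw) && preg_match('/^[1-9][0-9]{0,9}$/', $raw)) ? (int) $raw : null;
}

// Fetch one profile or null. The id is bound as an integer parameter, so it
// never becomes part of the SQL text.
function load_profile(mysqli $db, int $id): ?array
{
    $stmt = $db->prepare('SELECT name, age, image FROM profiles WHERE id = ? LIMIT 1');
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// Escape at the point of output; ENT_QUOTES also covers single-quoted attributes.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function render_profile(array $row): string
{
    return '<p>Name: ' . h($row['name']) . '</p>'
         . '<p>Age: ' . h((string) $row['age']) . '</p>'
         . '<img src="/images/' . h($row['image']) . '" alt="">';
}

$id = validate_id($_GET['id'] ?? null);
if ($id === null) {
    http_response_code(400);
    exit('Invalid id');
}
$db = new mysqli('localhost', 'dbuser', 'dbpassword', 'dbname'); // placeholders
$db->set_charset('utf8mb4');
$row = load_profile($db, $id);
if ($row === null) {
    http_response_code(404);
    exit('No such profile');
}
echo render_profile($row);
```

With exception mode on, a failed connection or query raises `mysqli_sql_exception`, which your framework or a top-level handler can log server-side without showing the message to the visitor.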
0

from https://www.w3schools.com/php/php_mysql_select.asp

Leave out the 'get id'; the id is in the SQL:

$id=$_GET['id'];

The similar example at https://www.w3schools.com/php/php_mysql_select.asp

$servername = "localhost";
$username = "";
$password = "";
$dbname = "";

// Create connection
$conn = mysqli_connect($servername, $username, $password, $dbname);
// Check connection
if (!$conn) {
    die("Connection failed: " . mysqli_connect_error());
}

$sql = "SELECT id, firstname, lastname FROM MyGuests";
$result = mysqli_query($conn, $sql);

if (mysqli_num_rows($result) > 0) {
    // output data of each row
    while($row = mysqli_fetch_assoc($result)) {
        echo "id: " . $row["id"]. " - Name: " . $row["firstname"]. " " . $row["lastname"]. "<br>";
    }
} else {
    echo "0 results";
}

mysqli_close($conn);
Joe McKenna
  • 135
  • 5