-1

I'd like to use the session id to update a specific entry in my database (as foreign key).

Session id:

$_SESSION['id'] = '1';

PDO

$sql = "UPDATE table_user set f_name = :f_name, l_name = :l_name where id = :id and fk_user = {$_SESSION['id']}";

Is this method safe from manipulation? It seems a little bit weak to me, but I have never worked with session ids as foreign keys. Any suggestions are very welcome. I'm sorry if this question is bad.

Mr. Potter
  • 85
  • 7
  • There's no problem with doing that. But when it comes to security measures [JSON Web Token](https://jwt.io/introduction/) is my better approach. Because you need to authorize the user on the server-side. – Jesper Martinez May 23 '20 at 14:49

2 Answers

0

It is not secure.

Why do you use parameters for the other values but not a parameter for the session id?

$sql = "UPDATE table_user set f_name = :f_name, l_name = :l_name where id = :id and fk_user = :session_id";
Giacomo M
  • 4,450
  • 7
  • 28
  • 57
  • Because I loop through $_POST and $_SESSION is obviously not in there. But how do I know which session_id is connected with which user? Or is your `:session_id` 1? – Mr. Potter May 23 '20 at 14:46
  • 1
    I guess you should study a little bit how sessions work in php – Giacomo M May 23 '20 at 14:47
0

$_SESSION['id'] simply sets a new property id to the provided value, you're not using the session id itself. If you want to get the session id, simply use session_id().

I'm assuming you want this ID to be available for multiple pages, that's why you're saving it in the session and there is nothing wrong with that.

Ali
  • 3,568
  • 2
  • 24
  • 31
  • That's exactly what I want :). But how do I know which session id is connected with which user? – Mr. Potter May 23 '20 at 14:47
  • each user will have their own session data; when you call `session_start()` it creates the session information. The session identifier is set in the user's cookie on their browser, that's how PHP knows which session is for which user – Ali May 23 '20 at 14:49
  • but I won't be able to use just the id in the statement like `fk_user = :session_id`, right? Do you have a hint how I can solve this? – Mr. Potter May 23 '20 at 14:51
  • that really depends on how you have things set up. You can save that ID when you're creating the session or when a user logs in or any place you want. Once that session data is set, you can read it from any other request *for that specific user* – Ali May 23 '20 at 14:54
  • alright, so how do I have to set it up so that it will work as a foreign key? Do you have a link or something? Because I still don't understand how 4372297c77c5c0b897be21adbf789e6f1 for example will work as a foreign key for 1. – Mr. Potter May 23 '20 at 15:00
  • it doesn't, you just need to set `$_SESSION['db_id']=1` or whatever value you want when you create the session, and then you read it as `$_SESSION['db_id']` from any other request. – Ali May 23 '20 at 15:05
  • Let us [continue this discussion in chat](https://chat.stackoverflow.com/rooms/214483/discussion-between-mr-potter-and-ali). – Mr. Potter May 23 '20 at 15:14
  • I just moved our discussion to chat :). – Mr. Potter May 23 '20 at 15:46
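Putting both answers together, as an added example that is not code from the question or from either answer: the user's database id is stored server-side in $_SESSION at login (distinct from the opaque token returned by session_id()) and is then bound as a PDO parameter rather than interpolated into the SQL string. The `email` and `password_hash` columns, the `$pdo` connection and the `loginUser`/`updateName` functions are assumptions; `table_user`, `id`, `f_name`, `l_name` and `fk_user` come from the question.

```php
<?php
// Added example, not from the original post. Assumes an existing PDO
// connection $pdo and that table_user also has email/password_hash columns.
session_start();

// At login: after verifying credentials, store the user's *database* id in
// the session. This is separate from session_id(), the random cookie token
// PHP uses to find this user's session data on later requests.
function loginUser(PDO $pdo, string $email, string $password): bool
{
    $stmt = $pdo->prepare('SELECT id, password_hash FROM table_user WHERE email = :email');
    $stmt->execute([':email' => $email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;
    }
    session_regenerate_id(true);           // fresh session token after authentication
    $_SESSION['db_id'] = (int) $row['id']; // set by the server only; the client never supplies it
    return true;
}

// On a later request: the id comes from $_SESSION, not from $_POST, but it is
// still passed as a bound parameter so the SQL string never contains user data.
function updateName(PDO $pdo, int $rowId, string $fName, string $lName): int
{
    if (!isset($_SESSION['db_id'])) {
        throw new RuntimeException('not authenticated');
    }
    $sql = 'UPDATE table_user SET f_name = :f_name, l_name = :l_name '
         . 'WHERE id = :id AND fk_user = :fk_user';
    $stmt = $pdo->prepare($sql);
    $stmt->execute([
        ':f_name'  => $fName,
        ':l_name'  => $lName,
        ':id'      => $rowId,
        ':fk_user' => $_SESSION['db_id'],
    ]);
    // 0 affected rows means the row does not belong to the logged-in user
    return $stmt->rowCount();
}
```

Because `fk_user` is compared against the value the server stored at login, a user can only update rows tied to their own account even if they tamper with the `id` field in the form.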