TharinduLucky - 6 months ago 13
PHP Question

Is it safe to show user IDs in the profile URL?

In my website, there's a user's profile page. What I am currently doing is just passing the user ID via a GET request and using it to query the user's details.

So, the user profile URL is like this...

http://www.example.com/user.php?id=345


So, my problem is: is it safe to show this user's ID (primary key of the user table) in the URL, so that anyone can see it?

Answer

It's normal.

But I would suggest that you have form validation to prevent SQL injection. Never trust what users give you.

I'd use that kind of expression, but additionally

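// Reject anything that is not a plain string of digits, and stop processing.
$id = $_GET['id'] ?? '';
if (!is_string($id) || !preg_match('/^[0-9]+$/D', $id)) {
    http_response_code(400);
    exit('ID disallowed.');
}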

or have a digit limitation (matches 1 to 999999)

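// Same check, limited to 1-6 digits; the D modifier keeps "$" from matching before a trailing newline.
$id = $_GET['id'] ?? '';
if (!is_string($id) || !preg_match('/^[0-9]{1,6}$/D', $id)) {
    http_response_code(400);
    exit('ID disallowed.');
}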
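
Added example, not part of the original answer: the digit check from the answer combined with a bound query parameter, so the ID never becomes part of the SQL text. The `users` table, its columns, the sample rows and the function names `parseUserId` and `findPublicProfile` are assumptions made for illustration; it assumes PHP 8 with the pdo_sqlite extension.

```php
<?php
// Added example: validate the id from the URL, then bind it as a query parameter.
// Table, columns, sample rows and function names are constructed for illustration.
declare(strict_types=1);

function parseUserId(mixed $raw): ?int
{
    // Must be a string of 1-6 digits; D stops "$" matching before a trailing newline.
    if (!is_string($raw) || !preg_match('/^[0-9]{1,6}$/D', $raw)) {
        return null;
    }
    return (int) $raw;
}

function findPublicProfile(PDO $db, int $id): ?array
{
    // The id is bound as an integer, never concatenated into the SQL text.
    // Only columns meant for public display are selected (email is left out).
    $stmt = $db->prepare('SELECT id, display_name FROM users WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed in-memory database so the example runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, display_name TEXT, email TEXT)');
$db->exec("INSERT INTO users VALUES (345, 'Sample User', 'sample@example.com')");

// Constructed inputs standing in for $_GET['id'] (an array models ?id[]=345).
$samples = ['345', '999', "345\n", '345 OR 1=1', ['345'], ''];
foreach ($samples as $raw) {
    $id = parseUserId($raw);
    if ($id === null) {
        echo json_encode($raw), " => 400 ID disallowed\n";
        continue;
    }
    $profile = findPublicProfile($db, $id);
    echo json_encode($raw), ' => ', $profile ? json_encode($profile) : '404 not found', "\n";
}
```

Only `'345'` returns a profile; `'999'` passes validation but finds no row, and the remaining inputs are rejected before any query runs.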