TharinduLucky - 5 months ago
PHP Question

Is it safe to show user IDs in the profile URL?

In my website, there's a user's profile page. What I am currently doing is just passing the user

via a
request and use it to query the user's details.

So, the user profile URL is like this...

So, my problem is: is it safe to show this user's ID (primary key of the user table) in the URL, so that anyone can see it?


It's normal.

But I would suggest you have form validation to prevent SQL injection. Never trust what users give you.

I'd use that kind of expression, but additionally

if (!preg_match('/^[0-9]+$/', $_GET['id'])) {
    echo 'ID disallowed.';
    exit; // stop before the ID reaches the query
}

or have a digits limitation (matches 1 to 999999)

if (!preg_match('/^[0-9]{1,6}$/', $_GET['id'])) {
    echo 'ID disallowed.';
    exit; // stop before the ID reaches the query
}
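
The digit check suggested in the answer above, combined with a bound query parameter, as an added example that is not part of the original answer. The `users` table, its columns, the function names `parseUserId` and `findUser`, and the sample inputs are assumptions made for illustration; the demo uses an in-memory SQLite database through PDO so it runs on its own.

```php
<?php
// Added example: validate the profile ID, then query with a bound parameter.
// Table, column and function names are hypothetical.

function parseUserId($raw): ?int
{
    // A query-string value can be an array (?id[]=7) or missing; accept strings only.
    if (!is_string($raw)) {
        return null;
    }
    // \z anchors at the true end of input; a bare $ would also accept "7\n".
    if (!preg_match('/^[0-9]{1,6}\z/', $raw)) {
        return null;
    }
    return (int) $raw;
}

function findUser(PDO $db, int $id): ?array
{
    // The ID is bound as an integer and never concatenated into the SQL text.
    $stmt = $db->prepare('SELECT id, name FROM users WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed demo data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO users (id, name) VALUES (7, 'alice')");

// Constructed inputs standing in for $_GET['id'].
$samples = ['7', '7 OR 1=1', "7\n", '1234567', ['7'], null, '42'];
foreach ($samples as $raw) {
    $id = parseUserId($raw);
    if ($id === null) {
        $result = 'ID disallowed.';
    } else {
        $user = findUser($db, $id);
        $result = $user === null ? 'No such user.' : 'Found ' . $user['name'];
    }
    echo json_encode($raw), ' => ', $result, PHP_EOL;
}
```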