UserSpice
Get user id in links - Printable Version




Get user id in links - meetmec12 - 12-15-2016

Hi, I want to know the secure way to use user ID in my link. I have a new page that queries a table with fields id, name, section. I want to create a link that displays the name value in the database where user id = $id. Thanks.



Get user id in links - mudmin - 12-15-2016

Hmm. I guess it depends on your definition of secure.

Will the user be able to visit that page whether logged in or logged out? If that's the case, it will never "really" be secure because anyone with that link will have the info on the page.

I feel like the better way to do it is to just have the query performed by the logged in user. So when they visit the page, it would just be

Code:
// Look up the row using the logged-in user's id from the session, not from the URL
$query = $db->query("SELECT * FROM tablename WHERE id = ?",array($user->data()->id));
$result = $query->first();

You really only want to pass things through the url that anyone should be welcomed to change.

Take a look at our profile system. The "edit profile" button when you're logged into your account takes your id straight from the fact that you're logged in. The view profile button, puts the urls in the link and if you change it, you'll just see a different profile...and that's ok because it's public information.

If you want an insecure, but better secured (what they would call security through obscurity), way to do it, use the vericode field in the users table. (A vericode is a random 6 digit number from 100000-999999 that's given to a user when they sign up).

So make your link concatenating like
Code:
<a href="http://www.mysite.com/mypage.php?vc=<?=$user->data()->vericode?>">Visit your page</a>
Then at the top of the page do something like

Code:
$vc = Input::get('vc');
// Find the user who owns this vericode
$query = $db->query("SELECT * FROM users WHERE vericode = ?",array($vc));
$vcode = $query->first();
// Fetch that user's row from the other table
$query2 = $db->query("SELECT * FROM tablename WHERE id = ?",array($vcode->id));
$result = $query2->first();

Just know that if a user changes their password, their vericode will change. If that doesn't work, then you'll probably want to create some sort of other random (and probably longer) to identify each user. But still, if anyone has the link, they will be able to view the info. The only thing that does is make it harder for people to go into the URL bar and "guess."
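
The longer random per-user identifier suggested at the end of the reply above, sketched as an added example (not part of the thread and not UserSpice code). It uses plain PDO with an in-memory SQLite database in place of UserSpice's `$db` wrapper; the `link_token` column, the table layout and the function names are hypothetical, and the sample rows are constructed.

```php
<?php
// Added example: PDO + in-memory SQLite stand in for UserSpice's $db wrapper.
// The link_token column and both function names are hypothetical.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, link_token TEXT UNIQUE)');
$pdo->exec('CREATE TABLE tablename (id INTEGER PRIMARY KEY, name TEXT, section TEXT)');

// Issue a 128-bit random token (32 hex characters) instead of a 6-digit number.
function issueLinkToken(PDO $pdo, int $userId): string
{
    $token = bin2hex(random_bytes(16)); // CSPRNG, not rand()/mt_rand()
    $stmt = $pdo->prepare('UPDATE users SET link_token = ? WHERE id = ?');
    $stmt->execute([$token, $userId]);
    return $token;
}

// Resolve a token taken from the URL; null for malformed or unknown tokens.
function rowForToken(PDO $pdo, $token): ?array
{
    // Reject anything that is not exactly 32 lowercase hex characters
    // (this also rejects arrays passed as ?vc[]=...) before querying.
    if (!is_string($token) || !preg_match('/\A[0-9a-f]{32}\z/', $token)) {
        return null;
    }
    $stmt = $pdo->prepare(
        'SELECT t.id, t.name, t.section FROM users u
         JOIN tablename t ON t.id = u.id
         WHERE u.link_token = ?'
    );
    $stmt->execute([$token]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed sample data.
$pdo->exec("INSERT INTO users (id, username) VALUES (1, 'alice'), (2, 'bob')");
$pdo->exec("INSERT INTO tablename (id, name, section)
            VALUES (1, 'Alice A.', 'north'), (2, 'Bob B.', 'south')");

$token = issueLinkToken($pdo, 1);
echo 'http://www.mysite.com/mypage.php?vc=' . urlencode($token), PHP_EOL;

var_dump(rowForToken($pdo, $token));              // token just issued for user 1
var_dump(rowForToken($pdo, '123456'));            // a 6-digit value shaped like a vericode
var_dump(rowForToken($pdo, str_repeat('0', 32))); // well-formed but never issued
```

As the reply says, this only shrinks the chance of guessing a valid link: anyone who holds the link can still view the row, so data that must stay private should be looked up from the logged-in session instead.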