Be part of JetBrains PHPverse 2026 on June 9 – a free online event bringing PHP devs worldwide together.
when a user is trying to set the id value through url in php ?id=2 how can i check that if the id value entered through url is created by the current logged user than edit it or through error something.l
$id = $_GET['id'];
$editQuery = "SELECT * from `students` where id = '$id' ";
$queryExecute = mysqli_query($conn, $editQuery);
$fetchRow = mysqli_num_rows($queryExecute);
if($fetchRow > 0){
$students = mysqli_fetch_assoc($queryExecute);
}
@shivamyadav You can try this:
$student = Student::findOrFail($_GET['id']);
if ($student->user_id !== auth()->id()) {
// throw an exception or return an error message
throw new Exception("Unauthorized");
}
I am using laravel eloquent instead of mysqli query.
It is completely insecure, an injection attack waiting to happen. All anyone has to do is go to the URL and append something like ?id=2'; delete table users, and your entire users table would be deleted.
Apart from that, your question is quite broad, and for some reason is using plain PHP instead of Laravel (this is a Laravel forum, after all). What you’re trying to do is fairly simple to achieve in Laravel because a lot of the necessary scaffolding required is already done for you; doing it in plain PHP isn’t difficult, but it requires a bit more legwork.
@kokoshneta as u said that it is a insecure, I have used this function mysqli_real_escape_string() to avoid sql injection then how a user can attack with it , see the proof here ..
in the url i have typed the query and pressed the enter to execute https://paste.pics/20ef61b4728f496a2ad2b5772dafc9f0 and after pressing the enter button i got this error ...
see here https://paste.pics/84f3bc08c5dcd0fd44a23179f1111650
@Shivamyadav Using mysqli_real_escape_string() should do it, but even better is using prepared statements. Your screenshot doesn’t show the full query as executed, so I can’t see what’s actually gone wrong, but you’re missing the single quotes, which are what make the injection attack and injection attack. Try copy-pasting this instead:
?id=26%27%27%3Bdelete+from+users%3B
And why are you using the procedural functions at all? Using an object-oriented API (mysqli or PDO, most people preferring the latter) is so much easier and makes for clearer code. It also makes it much easier to deal with prepared statements, which are always safer and superior to just escaping the query string.
@shivamyadav your code only checks if the id value exists in the students table and fetches the associated record. To check if the id value was created by the current logged-in user, you can add:
$user_id = $_SESSION['user_id']; // never use $_GET for logged in ids!
$editQuery = "SELECT * from `students` where id = '$id' AND created_by = '$user_id' ";
$queryExecute = mysqli_query($conn, $editQuery);
$fetchRow = mysqli_num_rows($queryExecute);
if($fetchRow > 0){
$students = mysqli_fetch_assoc($queryExecute);
} else {
// throw an error or redirect to a different page
echo "Error: You are not authorized to edit this record.";
exit;
}
Assuming you have a created_by column in the students table and a user_id value stored in the $_SESSION variable for the current logged-in user.
ALSO, be careful about SQL injection, you should do your own research. This is the place.
Please or to participate in this conversation.