Boxerman Posted May 18, 2011

Hi guys, I'm trying to get my members_profile.php to display the user's profile.... I.e. members_profile.php?boxerman will display my information. I've been at it for hours but no luck... This is what I'm trying to code:

<?php
include ("connect.php");
$username = $_GET['username'];
$user = mysql_query("SELECT * FROM user WHERE username = '$username'");
$user = mysql_fetch_assoc($user);
echo "<h1>User Info</h1>";
echo "<b>Username:</b> ".$user['username']."<br>";
echo "<br>";
echo '<form name="backlistfrm" method="post" action="members.php">';
echo '<input type="submit" value="Back to The List">';
echo '</form>';
echo "<br>";
?>

It displays nothing when going to members_profile.php?boxerman

Any advice as to why?

Regards, B-Man
Fadion Posted May 18, 2011

Because the URL doesn't contain any "username" parameter in the query string. Instead it contains a "boxerman" parameter. It should be: members_profile.php?username=boxerman
anupamsaha Posted May 18, 2011

Also, if you still want to use the query string without a variable like "username", try this:

$username = $_SERVER['QUERY_STRING'];

But it would be ideal to have the query string passed in variable=value format. It will be easier for you to collect all the query string variables through $_GET['variable'].

BTW, your code is open to hacking.

$user = mysql_query("SELECT * FROM user WHERE username = '$username'");

If I pass the query string as:

1';DELETE FROM users WHERE '1'='1

the query will become

$user = mysql_query("SELECT * FROM user WHERE username = '1'; DELETE FROM users WHERE '1'='1'");

So, you can see a hacker can blow away your database by executing multiple queries through your code. Please sanitize the query string or user input before using it in a script. This means: check the value and its format and accept only those which are safe for the system.

Hope it helps you!
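Here is the same lookup written with the format check anupamsaha describes and a prepared statement in place of string interpolation, so the value from the query string is never treated as SQL. This is an added example, not code from the thread; it assumes a PDO connection (`$pdo`, with placeholder credentials) and the `user` table and `username` column from the original post.

```php
<?php
// Added example (not the original poster's code). Assumes a PDO connection
// with placeholder credentials and a table `user` with a `username` column.

// The pattern from the thread: the raw value is interpolated into the SQL text,
// so a quote in the input ends the string and the rest becomes part of the query.
function lookup_user_unsafe_sql(string $username): string {
    return "SELECT * FROM user WHERE username = '$username'";
}

// Step 1: accept only the username format the site actually issues (whitelist).
// Anything with quotes, semicolons or spaces is rejected before touching the DB.
function is_valid_username(string $username): bool {
    return (bool) preg_match('/^[A-Za-z0-9_]{3,20}$/', $username);
}

// Step 2: bind the value as a parameter; the driver sends it as data, not SQL.
function lookup_user(PDO $pdo, string $username): ?array {
    if (!is_valid_username($username)) {
        return null;                                   // outside the whitelist
    }
    $stmt = $pdo->prepare('SELECT username FROM user WHERE username = :username');
    $stmt->execute([':username' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Usage for members_profile.php?username=boxerman (credentials are placeholders)
$pdo = new PDO('mysql:host=localhost;dbname=example', 'dbuser', 'dbpass', [
    PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES   => false,             // real server-side prepares
]);
$username = $_GET['username'] ?? '';
$user = lookup_user($pdo, $username);

if ($user === null) {
    http_response_code(404);
    echo '<h1>User not found</h1>';
} else {
    echo '<h1>User Info</h1>';
    // Escape on output as well, so a stored value cannot inject HTML.
    echo '<b>Username:</b> ' . htmlspecialchars($user['username'], ENT_QUOTES, 'UTF-8') . '<br>';
}
```

With the whitelist in front of the prepared statement, the `1';DELETE ...` value from the reply above is rejected at the format check, and even a value that passes the check reaches MySQL only as a bound string.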