I am wondering if this is a bad practice and if there is a better solution(since there always is!)
My PHP app has a login that stores the user id/user name/etc in a session, then i create a var in my function like so;
//Example user_id: AbCe3496cdA51 $sessionSelectCustomer = $_SESSION['user_id'];
and im using this var to connect with the database and retrieve results based on the user_id:
$result = mysqli_query($con, "SELECT * FROM customer WHERE managed_by = '$sessionSelectCustomer'");
I don't know if this is vulnerable to SQL attacks since my knowledge of how sessions work is pretty limited but just looking over my code it is very likely it is if a user can change the session value user_id, adding to that would someone be able to physically change the user_id once logged in to another users and pull the new data from the database?