I have a PHP page which does an insert and then does a redirect to a "success" page which displays the order details. I am redirecting by using a variable, but I am thinking this is not so secure:
This generates a url like this:
I am then using the URL to obtain the order ID number and doing a query based off of that to present the order details:
```php
$getName = explode('?id=', $_SERVER['REQUEST_URI']);
$id = (int) $getName[1];   // explode() returns an array; the order id is the part after "?id="
$query = <<<SQL
SELECT * FROM `order` WHERE `orderid` = ?;
SQL;
$request = $mysqli->prepare($query);
$request->bind_param("i", $id);
$request->execute();
```
The obvious issue is that anyone could simply change the URL id number to get the details of a different order number. I'm not too terribly concerned as this is strictly an internal site, but I'd still like to fix this behavior. Is there a better, more secure way to do this?
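Added example (not code from the question or from any answer on this page) showing the two usual fixes for a guessable order id in the URL: keep the freshly inserted order id in the server-side session instead of the query string, and, whenever an id does come from the client, scope the SELECT to the logged-in user so a tampered id returns nothing. It assumes a session that holds `$_SESSION['userid']`, a hypothetical `userid` column on the `order` table recording who placed it, and placeholder database credentials.

```php
<?php
// Added example, not the asker's code. Assumptions:
//  - sessions are in use and $_SESSION['userid'] holds the logged-in user's id
//  - the `order` table has a hypothetical `userid` column (who placed the order)
//  - connection details below are placeholders
session_start();
$mysqli = new mysqli('localhost', 'DB_USER_PLACEHOLDER', 'DB_PASS_PLACEHOLDER', 'DB_NAME_PLACEHOLDER');

// Order-creation page: after the INSERT, remember the new id server-side and
// redirect to the success page with nothing in the URL for the client to edit.
function finishOrder(mysqli $mysqli, int $userId, string $customer): void
{
    $stmt = $mysqli->prepare('INSERT INTO `order` (`userid`, `customer`) VALUES (?, ?)');
    $stmt->bind_param('is', $userId, $customer);
    $stmt->execute();
    $_SESSION['last_order_id'] = $mysqli->insert_id;
    header('Location: success.php');
    exit;
}

// Success page: load the order by id, but only if it belongs to the current user.
// Even if an id is taken from ?id=, this WHERE clause makes other users' orders unreachable.
function loadOrderForUser(mysqli $mysqli, int $orderId, int $userId): ?array
{
    $stmt = $mysqli->prepare('SELECT * FROM `order` WHERE `orderid` = ? AND `userid` = ?');
    $stmt->bind_param('ii', $orderId, $userId);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    return $row ?: null;
}

// Prefer the id stored in the session. Fall back to a validated ?id= only if you
// need bookmarkable links; ownership is still enforced inside the query.
$orderId = $_SESSION['last_order_id'] ?? filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT);
if ($orderId === null || $orderId === false || !isset($_SESSION['userid'])) {
    http_response_code(403);
    exit('No order to show');
}

$order = loadOrderForUser($mysqli, (int) $orderId, (int) $_SESSION['userid']);
if ($order === null) {
    http_response_code(404);   // same response whether the id is absent or belongs to someone else
    exit('Order not found');
}
unset($_SESSION['last_order_id']);   // one-time use: a reload after this shows nothing

// ... render $order here ...
```

The session route removes the id from the URL entirely, so there is nothing to tamper with; the ownership clause covers the case where you keep `?id=` for convenience. On an internal site where every user may legitimately see every order, the session approach alone is enough, and the `userid` column is not needed.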