Are you having problems with

greg — Fri, 05 Jun 2009 18:01:00 +0000

Are you having problems with it? Errors? Or just wanting to know best procedure?

At a "quick" glance it looks ok for functionality, but doesn't have any security or validation checking.

You DO need a minimum of mysql_real_escape_string() before using any vars on a query:

<?php
$username = mysql_real_escape_string($username); //<-- This before the following query
$sql = "select * from users where username = '$username' ";
?>

And if names are only EVER alphanumeric you could perhaps check this too:

<?php
if (ereg('[^a-zA-Z0-9]', $username)) {
exit('Bad username');
}
?>

That checks if the string ($username) has anything in it other than alphanumeric. The exit() will halt the script and output the text.
You likely want to do something other than exit, but certainly if the data is not what you expected then DON'T run the QUERY.

Even if it's not publicly available, you might one day enter bad data yourself, bad data/error on the first page (etc).

That wont exit if the string ($username) is empty/null, so you probably want to check for that as well and output a different response, and again, don't run the query if empty.

Also, is this publicly available?

On firstpage.php, everything

teammatt3 — Fri, 05 Jun 2009 17:39:00 +0000

On firstpage.php, everything looks ok. But depending on what you allow for a username, you may want to urlencode the username inside the a tag. For example:

<?php
printf("<a href='secondpage.php?username=%s'>%s</a>"."<br/>",urlencode($row['username']),$row['username']);
?>

If your username had an =, &, or other special characters, it might screw something up.

On your secondpage.php, you would need to decode the username (that you previously encoded). But you also have a SQL injection vulnerability. You need to sanitize your input using mysql_real_escape_string() before passing parameters into a query. But you can't use it until your have a connection to the database setup, so you need to reorder your code:

<?php
// Connects to the database - must do this before calling mysql_real_escape_string()
$con = mysql_connect("localhost","blank","blank") or die (mysql_error());
$db = mysql_select_db("wsdatabase") or die (mysql_error());

// Grabs the username with the get method.
if(isset($_GET['username'])) {
    $username = urldecode($_GET['username']);
    $username = mysql_real_escape_string($username); // escape dangerous characters
}
?>