    <!-- php code to access user id -->
    <?php 
    $user_ip=getIPAddress();
    $get_user="Select * from `user` where user_ip='$user_ip'";
    $result=mysqli_query($con,$get_user);
    $run_query=mysqli_fetch_array($result);
    $user_id=$run_query['user_id'];
    ?>
    <div class="container">
        <h2 class="text-center text-success">خيارات الدفع</h2>
        <div class="row d-flex justify-content-center align-items-center my-5">
            <div class="col-md-6">
            <a href="https://www.paypal.com" target="_blank"><img src="../images/wwe.png" alt=""></a>
            </div>
            <div class="col-md-6">
            <a class="text-decoration-none" href="order.php?user_id=<?php echo $user_id ?>"><h2 class="text-danger text-center">pay offline</h2></a>
            </div>
        </div>
    </div>
</body>
</html>

When I click pay offline, the user id should go to the URL, but it doesn't work. Please, I need help.

  • When you use View Source do you see the user ID in the URL? – Barmar May 31 '22 at 00:20
  • Welcome to Stack Overflow! Your script is vulnerable to [SQL Injection Attack](https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php). Even if [you are escaping variables, it's not safe](https://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string)! You should always use [prepared statements and parameterized queries](https://www.php.net/manual/en/mysqli.quickstart.prepared-statements.php) in either MYSQLI or PDO instead of concatenating user provided values into the query. – Barmar May 31 '22 at 00:20
  • What does `var_dump($run_query);` show? – Barmar May 31 '22 at 00:21
  • @Barmar does not work – Smerwes May 31 '22 at 00:30
  • What doesn't work? I didn't provide any solutions, just debugging techniques. – Barmar May 31 '22 at 00:31
  • @User id does not appear in url when use view source – Smerwes May 31 '22 at 00:37
  • Then obviously the problem is that there's no `$run_query['user_id']`. Do you see it in the `var_dump`? – Barmar May 31 '22 at 00:41
  • Get out of the habit of using `SELECT *`. Select just the columns you need, e.g. `SELECT user_id`. – Barmar May 31 '22 at 00:42
  • When I use var_dump I get this warning: `mysqli_fetch_array() expects parameter 1 to be mysqli_result, bool given` – Smerwes May 31 '22 at 00:47
  • In your case, what is the ACTUAL value of `getIPAddress()` ? – Ken Lee May 31 '22 at 00:50
  • That doesn't come from `var_dump`, it means you have an error in your SQL. See https://stackoverflow.com/questions/22662488/how-to-get-mysqli-error-in-different-environments for how to get the error message – Barmar May 31 '22 at 14:36
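
The points raised in the comments above (a prepared statement instead of concatenation, selecting only `user_id`, and surfacing the SQL error instead of passing `false` to the fetch call), combined into one added example; it is not code from the question or from any commenter. The connection credentials, the helper names `find_user_id` and `offline_order_link`, and the use of `REMOTE_ADDR` in place of the question's `getIPAddress()` are assumptions.

```php
<?php
// Added example, not the asker's code. Assumes the `user` table with the
// user_ip / user_id columns shown in the question.

// Make mysqli throw exceptions on SQL errors instead of returning false,
// so a failed query can never reach a fetch call as a bool.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

/** Return the user_id stored for this IP, or null when no row matches. */
function find_user_id(mysqli $con, string $user_ip): ?int
{
    // The IP is bound as a parameter, never concatenated into the SQL text.
    $stmt = $con->prepare('SELECT user_id FROM `user` WHERE user_ip = ? LIMIT 1');
    $stmt->bind_param('s', $user_ip);
    $stmt->execute();
    $stmt->bind_result($user_id);
    $found = $stmt->fetch();   // true = row fetched, null = no matching row
    $stmt->close();
    return $found ? (int) $user_id : null;
}

/** Build the "pay offline" href; null when there is no user to link to. */
function offline_order_link(?int $user_id): ?string
{
    if ($user_id === null) {
        return null;
    }
    // URL-encode the query string, then HTML-escape it for the attribute.
    $href = 'order.php?' . http_build_query(['user_id' => $user_id]);
    return htmlspecialchars($href, ENT_QUOTES, 'UTF-8');
}

// Placeholder credentials (hypothetical); use the site's own connection.
$con = new mysqli('localhost', 'db_user', 'db_password', 'shop_db');
$con->set_charset('utf8mb4');

// Assumption: stands in for the question's getIPAddress().
$user_ip = $_SERVER['REMOTE_ADDR'] ?? '127.0.0.1';
$link = offline_order_link(find_user_id($con, $user_ip));
?>
<?php if ($link !== null): ?>
    <a class="text-decoration-none" href="<?php echo $link ?>">pay offline</a>
<?php else: ?>
    <p>No account found for this address.</p>
<?php endif; ?>
```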

0 Answers