I build a system in php, i have page name x.php and in this page i create variable name $accountid and get the acocunt id from the sesstion.
now i have others varibles in php at the same page that calls to functions that in other page called functions.php, and deliver the accountid, the function return info about the account (for example the name of the user..)
is this security breach?
i mean the user can call in ajax to the function with other accountid and then he can get info about other account?
here is the code example:
<?php
include "Includs/Config.php";
if(!isset($_SESSION[get("session_name")])) {
header("Location: index.php");
}
$accountid = getAccountid($_SESSION[get("session_name")]);
$e = getECategorys($accountid);
?>
function getE($accountId){
$query = mysql_query("SELECT * FROM `x` WHERE `accountid` = $accountId");
while($result = mysql_fetch_assoc($query)){
// get the info about the account..
}
}