I have a login page that when a user logs in, it starts a session using the id for that user which has been fetched from a mySQL database.
$_SESSION['logged_in'] = $db_id;
On the user's profile page there is the option to update their personal info. The href for this page uses a GET parameter of the username which is passed into the url
A database fetch is then done on the profile-edit page to make sure that the GET url parameter username returns the user id of the person with that username.
isset($_GET['username']) ? $username = $_GET['username'] : header("Location: index.php");
$stmt = $connection->prepare("SELECT * FROM users WHERE username=:username");
$stmt->execute([
':username' => $username
]);
if ($stmt->rowCount() !== 0 ) {
$row = $stmt->fetch();
} else {
header("Location: index.php");
}
$db_id = htmlspecialchars($row['id']);
A check is then made to ensure that the $_SESSION value matches the $db_id value. This is done to prevent someone typing in a different username into the url so they can change that person's details.
// EXIT IF NOT LOGGED IN USER
if ($db_id != $_SESSION['logged_in'] ) { header("Location: index.php"); exit; }
The final part of the above code works, but when I do !== for 'identical to' instead of != for equal to, the code fails?
I've checked both values using gettype() with the following:
echo gettype($_SESSION['logged_in']);
echo gettype($db_id);
Both are returned as 'integer'.
Why does the check fail with !== but not with != when they are the same numeric value, and both values are showing as the integer data type?
