I want to know if my web application runs some risk, since I am making all the "permission" verifications depend on the value of its $_SESSION[].
In my case, I use $_SESSION['username'], which contains the username of the person, and if, for example, they will edit or delete something, I verify that it is theirs by comparing this value in the session and in the database.
Is it well done? An example of a case where I use this to verify whether it can be edited or not, where $user is $_SESSION['username'] and $urlID is a $_GET value that contains the unique ID of the object to be edited, which is fully validated against injections.
// Column names go in backticks (or unquoted); in single quotes they become string literals
$reg = mysqli_query($conn,
    "SELECT urlID, user FROM draws WHERE `urlID`='$urlID' AND `user`='$user'");
If it returns any results to me (urlID is a unique value that represents the object to be edited), the editing page loads; if not, it does not.
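The ownership check described in the question, written as an added example (this is not the asker's code): it keeps the same design, a username stored in $_SESSION and a row lookup on `draws` by `urlID` and `user`, but binds the values with a prepared statement instead of building the query string, and regenerates the session ID at login so a session fixed before authentication cannot be reused. It assumes a mysqli connection in $conn, a `draws` table with columns `urlID` and `user`, and a hypothetical loginUser() called after the password check; the HTTP status codes and messages are illustrative.

```php
<?php
// Added example, not the asker's code. Assumes: a mysqli $conn, a `draws`
// table with columns `urlID` and `user`, and $_SESSION['username'] set at login.

// 1. Session cookie settings, applied before session_start().
session_set_cookie_params([
    'httponly' => true,   // cookie not readable from JavaScript
    'secure'   => true,   // cookie only sent over HTTPS
    'samesite' => 'Lax',  // limits cross-site requests that carry the cookie
]);
session_start();

// 2. Call right after the password check succeeds (hypothetical helper).
//    The session ID that existed before login is discarded, so a session
//    fixed or guessed before authentication does not become a logged-in one.
function loginUser(string $username): void
{
    session_regenerate_id(true);
    $_SESSION['username'] = $username;
}

function currentUser(): ?string
{
    return $_SESSION['username'] ?? null;
}

// 3. Ownership check. Column names are identifiers (backticks), the two
//    values are bound parameters, so no user input is spliced into SQL.
function userOwnsDraw(mysqli $conn, string $urlID, string $user): bool
{
    $stmt = $conn->prepare(
        'SELECT 1 FROM `draws` WHERE `urlID` = ? AND `user` = ? LIMIT 1'
    );
    if ($stmt === false) {
        return false;  // treat a prepare failure as "not allowed", never as "allowed"
    }
    $stmt->bind_param('ss', $urlID, $user);
    $stmt->execute();
    $stmt->store_result();
    $owns = $stmt->num_rows === 1;
    $stmt->close();
    return $owns;
}

// 4. Usage at the top of the edit page.
$user  = currentUser();
$urlID = $_GET['urlID'] ?? '';

if ($user === null) {
    http_response_code(401);
    exit('Please log in.');
}
if (!userOwnsDraw($conn, $urlID, $user)) {
    // Same response whether the draw does not exist or belongs to someone
    // else, so the check does not reveal which IDs are in use.
    http_response_code(403);
    exit('Not allowed.');
}
// ... load the editing page for $urlID ...
```

The same userOwnsDraw() check should run again on the request that actually saves or deletes the object, not only on the request that loads the editing page, since the two are separate HTTP requests and only the one that changes data needs to be protected.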