I asked this question a while ago and I deleted that question because I thought I found the appropriate method to solve my issue.
I'm making a website which works with lots of XMLHttpRequest. I need to send the user_id of the logged in client to a php file located elsewhere which will send sql statements to the database, and return the information according to the logged in client. I do not have any knowledge of security. I only have little knowledge of sql and php. So I want to make my website secure, so I need some advice on security and the appropriate way to send user_id via to the php file.
Or does it even matter if the user_id is being shown on the client side. And also I'm storing the unique user_id of the client in the $_SESSION only, nothing else.
I have made my login/sign-up system entirely using this source = https://www.youtube.com/watch?v=xb8aad4MRx8&t=674s
index.php:
    <?php session_start();?>
    <html lang="en">
    <head>
        <meta charset="UTF-8">
        <title>TEST</title>
    </head>
    <body>
    <?php
    if (isset($_SESSION['user_id'])) {
        echo ('<button>CLICK TO GET INFO IN CONSOLE</button>');
    } else {
        header ("Location: login.php");
        exit();
    }
    ?>
    <script>
        var user_id = <?php echo($_SESSION['user_id']);?>;
        document.querySelector("button").onclick = function() {
            var xhr = new XMLHttpRequest();
            var url = "http://URL_OF_A_PHP_FILE_LOCATED_IN_A_DIFFERENT_LOCATION";
            xhr.open("GET", url +"?user_id="+ user_id +"&var_1=val_1&var_2=val_2&var_3=val_3");
            xhr.onload = function() {
                console.log(JSON.parse(xhr.responseText));
            }
            xhr.send(null);
        }
    </script>
    </body>
    </html>
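Added example (not part of the original post or its code): in the request above, the remote PHP file has to trust whatever user_id arrives in the URL, so the value identifying the account is under the client's control. One way to avoid that, assuming the two servers can share a secret key, is for index.php to issue a short-lived HMAC-signed token built from $_SESSION['user_id'], and for the remote file to take the id only from a token that verifies. The names SHARED_SECRET, issue_token() and verify_token(), the key value and the token format are hypothetical.

```php
<?php
// Added example. SHARED_SECRET, issue_token() and verify_token() are
// hypothetical names; the key below is a constructed placeholder.
const SHARED_SECRET = 'replace-with-random-bytes-loaded-from-config';

// Runs in index.php: binds the session's user_id to an expiry time and signs both.
function issue_token(int $userId, int $ttl = 300, ?int $now = null): string
{
    $payload = json_encode(['uid' => $userId, 'exp' => ($now ?? time()) + $ttl]);
    $body = bin2hex($payload);                       // hex keeps the token URL-safe
    return $body . '.' . hash_hmac('sha256', $body, SHARED_SECRET);
}

// Runs in the remote PHP file: returns the user id, or null when the token
// is malformed, has been altered, or has expired.
function verify_token(string $token, ?int $now = null): ?int
{
    $parts = explode('.', $token);
    if (count($parts) !== 2) {
        return null;
    }
    [$body, $mac] = $parts;
    // Recompute the MAC and compare in constant time before decoding anything.
    if (!hash_equals(hash_hmac('sha256', $body, SHARED_SECRET), $mac)) {
        return null;
    }
    $data = json_decode((string) hex2bin($body), true);
    if (!is_array($data) || !is_int($data['uid'] ?? null) || !is_int($data['exp'] ?? null)) {
        return null;
    }
    return $data['exp'] >= ($now ?? time()) ? $data['uid'] : null;
}

// Constructed demonstration with a fixed clock so the outcome is repeatable.
$token = issue_token(42, 300, 1000);
var_dump(verify_token($token, 1100));    // token accepted while still valid

// Same signature attached to a different payload: the MAC check rejects it.
[, $mac] = explode('.', $token);
$altered = bin2hex('{"uid":7,"exp":9999}') . '.' . $mac;
var_dump(verify_token($altered, 1100));

var_dump(verify_token($token, 2000));    // same token after its expiry time

// In the remote file the id would come from the token, never from user_id:
//   $userId = verify_token($_GET['token'] ?? '');
//   if ($userId === null) { http_response_code(401); exit; }
```

The token is a bearer credential for its lifetime, so the XMLHttpRequest URL should be HTTPS rather than the plain http:// form shown in the post.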