FosAvance

Reputation: 2469

What is more effective: trying to find the ID, or using JOIN?

I made this little function that finds the user's ID, and I have that ID available across the website because I included it before <head>:

$result=mysql_query("SELECT ID FROM korisnici WHERE username='".$_COOKIE["user"]."' AND password='".$_COOKIE["pass"]."'");
$get=mysql_fetch_assoc($result);
$ID_KORISNIK=$get["ID"];
if(empty($ID_KORISNIK))
{
    echo '
        <script>window.location="IDerror.php";</script>
        ';
}

So when I want to SELECT or INSERT into the database I could use

$r=mysql_query("SELECT * FROM uzg WHERE IDkorisnik='$ID_KORISNIK'");

or use JOIN

$r=mysql_query("SELECT * FROM uzg JOIN korisnici ON uzg.IDkorisnik=korisnici.ID WHERE korisnici.username='".$_COOKIE["user"]."' AND korisnici.password='".$_COOKIE["pass"]."'");

What do you think, which one is better or more effective?

Upvotes: 0

Views: 53

Answers (2)

ulentini

Reputation: 2412

  1. Don't store password as a cookie
  2. Never trust user input, your queries are subject to SQL injection attacks
  3. Don't use mysql_* functions, use PDO or mysqli_*, and use prepared statements to prevent SQL injection attacks

I would recommend learning about prepared statements and using PDO or MySQLi - this article will help you decide which. If you choose PDO, here is a good tutorial.

By the way, I think your first solution is better (but you have to correct a lot of stuff).

Upvotes: 1
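As an added example (not code from the question or from either answer), here is the asker's "find the ID once" approach rewritten along the lines of this answer: the password is checked once at login against a stored hash, the ID lives in a server-side session instead of a username/password cookie, and every query goes through a PDO prepared statement. Table and column names come from the question; the DSN, credentials and the use of password_hash()/password_verify() for the password column are assumptions.

```php
<?php
// Added example, not the asker's code. Assumes the korisnici.password column
// holds a password_hash() result rather than the plaintext the cookie carried.
session_start();

$pdo = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'dbuser', 'dbpass', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares
]);

// Login: run once when the form is submitted, never on every page.
function login(PDO $pdo, string $username, string $password): bool
{
    $stmt = $pdo->prepare('SELECT ID, password FROM korisnici WHERE username = ?');
    $stmt->execute([$username]);           // bound parameter, never interpolated
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password'])) {
        return false;                      // unknown user or wrong password
    }
    session_regenerate_id(true);           // new session id after authentication
    $_SESSION['user_id'] = (int) $row['ID'];
    return true;
}

// Per page: the ID comes from the session, so nothing sent by the client has to
// be re-checked against the users table on each request.
function currentUserId(): int
{
    if (empty($_SESSION['user_id'])) {
        header('Location: IDerror.php');   // same redirect target as the question
        exit;
    }
    return $_SESSION['user_id'];
}

$ID_KORISNIK = currentUserId();

// The question's first query shape, with the ID bound as a parameter.
$stmt = $pdo->prepare('SELECT * FROM uzg WHERE IDkorisnik = ?');
$stmt->execute([$ID_KORISNIK]);
$rows = $stmt->fetchAll(PDO::FETCH_ASSOC);

// The JOIN shape no longer needs the credentials at all: it joins on the ID.
$stmt = $pdo->prepare('SELECT uzg.* FROM uzg JOIN korisnici ON uzg.IDkorisnik = korisnici.ID WHERE korisnici.ID = ?');
$stmt->execute([$ID_KORISNIK]);
$joined = $stmt->fetchAll(PDO::FETCH_ASSOC);
```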

ManZzup

Reputation: 526

If it is a large project, I would much prefer to use a User class, so I would simply call it by

$new_user->id;

But if not, your first approach is much better. However, you aren't checking whether your input is a valid ID first; once you confirm it is a valid ID [maybe an existing int], then use your first approach.

And storing your users' password, even as a hash, is BAD, since hashes are easily crackable, so if you want verification against cookie stealing, put some other hash.

Upvotes: 1
