Php Id 1 Shopping

Online Shopping Cart System 1.0 - 'id' SQL Injection - Exploit-DB

// INSECURE: user input is concatenated directly into the SQL string
$id = $_GET['id'];
$query = "SELECT * FROM products WHERE id = " . $id;
$result = mysqli_query($conn, $query);

How Attackers Exploit It

// Look up a product by its URL slug with a prepared statement
$slug = $_GET['slug'];
$stmt = $pdo->prepare("SELECT * FROM products WHERE slug = :slug");
$stmt->execute([':slug' => $slug]);
$product = $stmt->fetch(PDO::FETCH_ASSOC);

to query and display the corresponding item's name, price, and description. Superuser Access: In some systems,

order.php?id=123 (the user changes it to 124)

The prepare() method separates the SQL logic from the data. Even if the user sends 1; DROP TABLE, the database treats it as a string value for :id, not as SQL code.

When you click a product, the URL often looks like ://yoursite.com.

<form action="" method="post">
    <input type="hidden" name="id" value="1">
    <input type="submit" name="remove_from_cart" value="Remove from Cart">
</form>

: This is the value assigned to the parameter. It tells the script exactly which database record to fetch.

: Similar ID parameters are used to track shopping carts. A URL might pass a session ID (basket.php?cart_id=8972) to ensure that the items you add to your cart remain tied to your specific browser session.

The Security Risk: SQL Injection (SQLi)

<?php
// Assume $pdo is your database connection
// FILTER_VALIDATE_INT returns false for anything that is not an integer
$id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT);
if (!$id) {
    die('Invalid product ID');
}
// The validated integer is bound as data, never spliced into the SQL text
$stmt = $pdo->prepare('SELECT * FROM products WHERE id = :id');
$stmt->execute([':id' => $id]);
$product = $stmt->fetch(PDO::FETCH_ASSOC);

You can configure your web server (using an .htaccess file in Apache or an nginx.conf file in Nginx) to automatically rewrite lookups. This turns ://example.com into ://example.com behind the scenes.

3. Enforce Strict Access Controls

An Insecure Direct Object Reference (IDOR) vulnerability arises when an application uses a direct reference to an internal object, like a database key, to grant a user access, but fails to verify whether that user is actually authorized to access it.

Never concatenate URL parameters directly into database queries. Use PHP Data Objects (PDO) or MySQLi with prepared statements and parameterized queries. This ensures the database treats the value of id=1 strictly as an integer or string, so it cannot change the structure of the query, which prevents SQL injection through that parameter.

In a shopping context, product.php?id=1 tells the website to go into its database, find the item assigned to ID #1, and display its name, price, and image on the screen.

How Dynamic Shopping Carts Work

Always use mysqli_real_escape_string or prepared statements when interacting with $_GET or $_POST data to prevent SQL injection. Note that mysqli_real_escape_string only protects values placed inside quoted string literals; for a numeric parameter such as id, prepared statements (or validating the value as an integer first) are the more robust choice.

Modern internet users prefer clean, descriptive URLs. A link like ://example.com tells a user exactly what to expect. A link like ://example.com is cryptic and fails to build trust in search engine results pages (SERPs).

Lack of Keyword Relevance