is this one vulnerable ?

[mahenda]

//link to the product
<a href="<?php echo 'product.php?product_id='. $row['product_id'];?>"style="text-decortion:none;">

//on the product page, the url look like this 
localhost/maembe/product.php?product_id=2
  
what will happen when attacker see this id and how to change it 

 

[gw1500se]

Exactly what are you trying to protect? The answer depends on what 'product.php' does with 'product_id'.

[chhorn]

Nothing will happen as you do not use any variable - except for $row what will raise an undefined variable/undefined index error. didn't you even try this yourself?

Edited September 6, 2019 by chhorn

[mahenda]

 

13 minutes ago, gw1500se said:

Exactly what are you trying to protect? The answer depends on what 'product.php' does with 'product_id'.

when user click the link with product picture, the link will open new page called product.php with product full detail from database

in the product page the query accepted with get method

$product_details = "SELECT * FROM product WHERE product_id=".$_GET['product_id'];

[chhorn]

Oh yeah, your database will be deleted then.

 

Hint: Use Prepared Statements.

[mahenda]

1 minute ago, chhorn said:

Nothing will happen as you do not use any variable - except for $row what will raise an undefined variable/undefined index error.

i shortened the code assume all variable are available

[gw1500se]

Are you using prepared statements? If so it is not a problem unless you don't want unauthorized users to see product details. In that case you would need to authenticate each user.

Edited September 6, 2019 by gw1500se

[mahenda]

1 minute ago, chhorn said:

Oh yeah, your database will be deleted then.

 

Hint: Use Prepared Statements.

$prepare = $connect->prepare($product_details);
$prepare->execute();
$row = $prepare->fetch();

[mahenda]

4 minutes ago, gw1500se said:

Are you using prepared statements? If so it is not a problem unless you don't want unauthorized users to see product details. In that case you would need to authenticate each user.

every user can see, even if he/she did not logged in

[mahenda]

3 minutes ago, mahenda said:

$prepare = $connect->prepare($product_details);
$prepare->execute();
$row = $prepare->fetch();

is this correct

[gw1500se]

Yep.

[ginerjm]

Spelling error here....

style="text-decortion:none;"

[Barand]

56 minutes ago, gw1500se said:

Yep

Not if $product_details is still as posted earlier IE

1 hour ago, mahenda said:

$product_details = "SELECT * FROM product WHERE product_id=".$_GET['product_id'];

You need

$product_details = "SELECT * FROM product WHERE product_id = ?";
$prepare = $connect->prepare($product_details);
$prepare->execute( [ $_GET['product_id'] ] );

 

[gw1500se]

I didn't think there was a difference between the 2. In any case one should always validate the data before using it.

[Barand]

5 minutes ago, gw1500se said:

I didn't think there was a difference between the 2

The principle behind prepared statements is the separation of user-provided data from the query SQL code. This is accomplished by putting placeholders in the query and then binding parameters to those placeholders when executing

[gw1500se]

Not to hijack this thread, but isn't the preparation process the same in either case?

[Barand]

Not even close. This code...

$product_details = "SELECT * FROM product WHERE product_id=".$_GET['product_id'];    
$prepare = $connect->prepare($product_details);
$prepare->execute();

...would embed any SQL injection code contained in the GET into the query which would then be executed. (Just as an unprepared query would)

In the correct version the injection code would only be treated as data and not part of the SQL code.

[gw1500se]

Thanks. Learned something new. So in my case the prepare is really useless.

[mahenda]

On 9/6/2019 at 5:15 PM, ginerjm said:

Spelling error here....

style="text-decortion:none;"

style="text-decoration:none;"

[mahenda]

On 9/6/2019 at 5:44 PM, Barand said:

Not if $product_details is still as posted earlier IE

You need

$product_details = "SELECT * FROM product WHERE product_id = ?";
$prepare = $connect->prepare($product_details);
$prepare->execute( [ $_GET['product_id'] ] );

 

thank you so much but why no bindParam()

[Barand]

1 minute ago, mahenda said:

but why no bindParam()

Because I preferred to pass the parameters in an array when executing instead.

[mahenda]

8 minutes ago, Barand said:

Because I preferred to pass the parameters in an array when executing instead.

okey thanks

[mahenda]

11 minutes ago, Barand said:

Because I preferred to pass the parameters in an array when executing instead.

let me return back again

is saw something like 

localhost/maembe/product.php?product_id/2

or this

localhost/maembe/product.php?product/hot-coffee-found-here

when i click on the home link

but i have no idea on how to do that my own is

localhost/maembe/product.php?product_title = hot-coffee-found-here

i dont want that '=' sign if i'll use preg_replace() will be collect isn't it or anyway ?

[Barand]

55 minutes ago, Barand said:

Because I preferred to pass the parameters in an array when executing instead.

Binding is useful when you want to process records in a loop. Bind the variables first then, in the loop, update the values and execute. EG

$data = [    [ 1, 'Curly'],
             [ 2, 'Larry'],  
             [ 3, 'Mo']  
        ];
      
$stmt = $db->prepare("INSERT INTO testuser (id, username) VALUES (:id, :user)");
$stmt->bindParam(':id', $id, PDO::PARAM_INT);
$stmt->bindParam(':user', $username, PDO::PARAM_STR);

foreach ($data as $user) {
    list($id, $username) = $user;
    $stmt->execute();
}

EDIT:

But, with PDO, there is the alternative that I used before EG

$data = [    [ 1, 'Curly'],
             [ 2, 'Larry'],  
             [ 3, 'Mo']  
        ];
      
$stmt = $db->prepare("INSERT INTO testuser (id, username) VALUES (?, ?)");

foreach ($data as $user) {
    $stmt->execute($user);
}

where the values are passed as an array when executing.

Edited September 27, 2019 by Barand