is this one vulnerable ?

[mahenda 0]

//link to the product
<a href="<?php echo 'product.php?product_id='. $row['product_id'];?>"style="text-decortion:none;">

//on the product page, the url look like this 
localhost/maembe/product.php?product_id=2
  
what will happen when attacker see this id and how to change it 

 

[gw1500se 14]

Exactly what are you trying to protect? The answer depends on what 'product.php' does with 'product_id'.

[chhorn 6]

Nothing will happen as you do not use any variable - except for $row what will raise an undefined variable/undefined index error. didn't you even try this yourself?

Edited September 6 by chhorn

[mahenda 0]

 

13 minutes ago, gw1500se said:

Exactly what are you trying to protect? The answer depends on what 'product.php' does with 'product_id'.

when user click the link with product picture, the link will open new page called product.php with product full detail from database

in the product page the query accepted with get method

$product_details = "SELECT * FROM product WHERE product_id=".$_GET['product_id'];

[chhorn 6]

Oh yeah, your database will be deleted then.

 

Hint: Use Prepared Statements.

[mahenda 0]

1 minute ago, chhorn said:

Nothing will happen as you do not use any variable - except for $row what will raise an undefined variable/undefined index error.

i shortened the code assume all variable are available

[gw1500se 14]

Are you using prepared statements? If so it is not a problem unless you don't want unauthorized users to see product details. In that case you would need to authenticate each user.

Edited September 6 by gw1500se

[mahenda 0]

1 minute ago, chhorn said:

Oh yeah, your database will be deleted then.

 

Hint: Use Prepared Statements.

$prepare = $connect->prepare($product_details);
$prepare->execute();
$row = $prepare->fetch();

[mahenda 0]

4 minutes ago, gw1500se said:

Are you using prepared statements? If so it is not a problem unless you don't want unauthorized users to see product details. In that case you would need to authenticate each user.

every user can see, even if he/she did not logged in

[mahenda 0]

3 minutes ago, mahenda said:

$prepare = $connect->prepare($product_details);
$prepare->execute();
$row = $prepare->fetch();

is this correct

[gw1500se 14]

Yep.

[ginerjm 233]

Spelling error here....

style="text-decortion:none;"

[Barand 1,350]

56 minutes ago, gw1500se said:

Yep

Not if $product_details is still as posted earlier IE

1 hour ago, mahenda said:

$product_details = "SELECT * FROM product WHERE product_id=".$_GET['product_id'];

You need

$product_details = "SELECT * FROM product WHERE product_id = ?";
$prepare = $connect->prepare($product_details);
$prepare->execute( [ $_GET['product_id'] ] );

 

[gw1500se 14]

I didn't think there was a difference between the 2. In any case one should always validate the data before using it.

[Barand 1,350]

5 minutes ago, gw1500se said:

I didn't think there was a difference between the 2

The principle behind prepared statements is the separation of user-provided data from the query SQL code. This is accomplished by putting placeholders in the query and then binding parameters to those placeholders when executing

[gw1500se 14]

Not to hijack this thread, but isn't the preparation process the same in either case?

[Barand 1,350]

Not even close. This code...

$product_details = "SELECT * FROM product WHERE product_id=".$_GET['product_id'];    
$prepare = $connect->prepare($product_details);
$prepare->execute();

...would embed any SQL injection code contained in the GET into the query which would then be executed. (Just as an unprepared query would)

In the correct version the injection code would only be treated as data and not part of the SQL code.

[gw1500se 14]

Thanks. Learned something new. So in my case the prepare is really useless.