mahenda

is this one vulnerable ?


// link to the product
<a href="<?php echo 'product.php?product_id='. $row['product_id'];?>"style="text-decortion:none;">

// on the product page, the URL looks like this
localhost/maembe/product.php?product_id=2

What will happen when an attacker sees this id, and how to change it?


Exactly what are you trying to protect? The answer depends on what 'product.php' does with 'product_id'.


Nothing will happen, as you do not use any variable, except for $row, which will raise an undefined variable/undefined index error. Didn't you even try this yourself?


13 minutes ago, gw1500se said:

Exactly what are you trying to protect? The answer depends on what 'product.php' does with 'product_id'.

When the user clicks the link with the product picture, it will open a new page called product.php with the product's full details from the database.

On the product page the query is accepted with the GET method:

$product_details = "SELECT * FROM product WHERE product_id=".$_GET['product_id'];


Oh yeah, your database will be deleted then.


Hint: Use Prepared Statements.

1 minute ago, chhorn said:

Nothing will happen, as you do not use any variable, except for $row, which will raise an undefined variable/undefined index error.

I shortened the code; assume all variables are available.


Are you using prepared statements? If so it is not a problem unless you don't want unauthorized users to see product details. In that case you would need to authenticate each user.

1 minute ago, chhorn said:

Oh yeah, your database will be deleted then.


Hint: Use Prepared Statements.

$prepare = $connect->prepare($product_details);
$prepare->execute();
$row = $prepare->fetch();

4 minutes ago, gw1500se said:

Are you using prepared statements? If so it is not a problem unless you don't want unauthorized users to see product details. In that case you would need to authenticate each user.

Every user can see it, even if he/she is not logged in.
3 minutes ago, mahenda said:

$prepare = $connect->prepare($product_details);
$prepare->execute();
$row = $prepare->fetch();

Is this correct?

Spelling error here....

style="text-decortion:none;"

56 minutes ago, gw1500se said:

Yep

Not if $product_details is still as posted earlier, i.e.

1 hour ago, mahenda said:

$product_details = "SELECT * FROM product WHERE product_id=".$_GET['product_id'];

You need

$product_details = "SELECT * FROM product WHERE product_id = ?";
$prepare = $connect->prepare($product_details);
$prepare->execute( [ $_GET['product_id'] ] );


I didn't think there was a difference between the 2. In any case one should always validate the data before using it.

5 minutes ago, gw1500se said:

I didn't think there was a difference between the 2

The principle behind prepared statements is the separation of user-provided data from the query SQL code. This is accomplished by putting placeholders in the query and then binding parameters to those placeholders when executing.

Not to hijack this thread, but isn't the preparation process the same in either case?


Not even close. This code...

$product_details = "SELECT * FROM product WHERE product_id=".$_GET['product_id'];
$prepare = $connect->prepare($product_details);
$prepare->execute();

...would embed any SQL injection code contained in the GET into the query which would then be executed. (Just as an unprepared query would)

In the correct version the injection code would only be treated as data and not part of the SQL code.

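A hardened version of the product lookup discussed in this thread, as an added example that is not code from the thread. It uses PDO with an in-memory SQLite table (the table and rows are constructed sample data, so it runs stand-alone with the pdo_sqlite extension), and the fetchProduct function and the integer validation are assumptions of this example, not something the thread prescribes.

```php
<?php
// Added example (not from the thread): product lookup with input
// validation and a bound parameter, run against an in-memory SQLite
// table so it executes stand-alone. Table and rows are constructed data.
declare(strict_types=1);

$connect = new PDO('sqlite::memory:');
$connect->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$connect->exec('CREATE TABLE product (product_id INTEGER PRIMARY KEY, name TEXT, price REAL)');
$connect->exec("INSERT INTO product VALUES (1, 'Maembe', 2.50), (2, 'Nanasi', 4.00)");

// The vulnerable form from the thread, for comparison only:
//   "SELECT * FROM product WHERE product_id=" . $_GET['product_id']
// The GET value becomes part of the SQL text before prepare() ever sees it,
// so prepare() has nothing to separate.

function fetchProduct(PDO $connect, string $rawId): ?array
{
    // Validate first: product_id must be a plain, non-negative integer
    // string of sane length. Anything else is rejected before the database.
    if (!ctype_digit($rawId) || strlen($rawId) > 18) {
        return null;
    }

    // Placeholder in the SQL, value bound at execute time: the value is
    // always treated as data, never as query code.
    $product_details = 'SELECT * FROM product WHERE product_id = ?';
    $prepare = $connect->prepare($product_details);
    $prepare->bindValue(1, (int) $rawId, PDO::PARAM_INT);
    $prepare->execute();
    $row = $prepare->fetch(PDO::FETCH_ASSOC);

    // A missing row is a normal outcome (product.php should answer 404).
    return $row === false ? null : $row;
}

// Simulated request values (constructed); in product.php this is $_GET['product_id'].
$cases = ['2', '999', '2 OR 1=1', ''];
foreach ($cases as $id) {
    $row = fetchProduct($connect, $id);
    printf("product_id=%-12s -> %s\n", var_export($id, true),
           $row === null ? 'rejected or not found' : $row['name']);
}
```

Only the second request resolves to a product; the others are rejected by validation or return no row, and none of them can alter the query text.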

Thanks. Learned something new. So in my case the prepare is really useless.
