mahenda 0 Posted September 6
//link to the product
<a href="<?php echo 'product.php?product_id='. $row['product_id'];?>" style="text-decortion:none;">
//on the product page, the url looks like this
localhost/maembe/product.php?product_id=2
What will happen when an attacker sees this id, and how do I change it?
gw1500se 18 Posted September 6
Exactly what are you trying to protect? The answer depends on what 'product.php' does with 'product_id'.
chhorn 7 Posted September 6 (edited)
Nothing will happen, as you do not use any variable, except for $row, which will raise an undefined variable/undefined index error. Didn't you even try this yourself?
Edited September 6 by chhorn
mahenda 0 Posted September 6
13 minutes ago, gw1500se said:
Exactly what are you trying to protect? The answer depends on what 'product.php' does with 'product_id'.

When the user clicks the link with the product picture, it opens a new page called product.php with the product's full details from the database. On the product page the query is accepted with the GET method:
$product_details = "SELECT * FROM product WHERE product_id=".$_GET['product_id'];
chhorn 7 Posted September 6
Oh yeah, your database will be deleted then. Hint: Use Prepared Statements.
mahenda 0 Posted September 6
1 minute ago, chhorn said:
Nothing will happen as you do not use any variable - except for $row what will raise an undefined variable/undefined index error.

I shortened the code; assume all variables are available.
gw1500se 18 Posted September 6 (edited)
Are you using prepared statements? If so, it is not a problem unless you don't want unauthorized users to see product details. In that case you would need to authenticate each user.
Edited September 6 by gw1500se
mahenda 0 Posted September 6
1 minute ago, chhorn said:
Oh yeah, your database will be deleted then. Hint: Use Prepared Statements.

$prepare = $connect->prepare($product_details);
$prepare->execute();
$row = $prepare->fetch();
mahenda 0 Posted September 6
4 minutes ago, gw1500se said:
Are you using prepared statements? If so it is not a problem unless you don't want unauthorized users to see product details. In that case you would need to authenticate each user.

Every user can see it, even if he/she is not logged in.
mahenda 0 Posted September 6
3 minutes ago, mahenda said:
$prepare = $connect->prepare($product_details);
$prepare->execute();
$row = $prepare->fetch();

Is this correct?
ginerjm 233 Posted September 6
Spelling error here.... style="text-decortion:none;"
Barand 1,392 Posted September 6
56 minutes ago, gw1500se said:
Yep

Not if $product_details is still as posted earlier, i.e.

1 hour ago, mahenda said:
$product_details = "SELECT * FROM product WHERE product_id=".$_GET['product_id'];

You need
$product_details = "SELECT * FROM product WHERE product_id = ?";
$prepare = $connect->prepare($product_details);
$prepare->execute( [ $_GET['product_id'] ] );
gw1500se 18 Posted September 6
I didn't think there was a difference between the 2. In any case one should always validate the data before using it.
Barand 1,392 Posted September 6
5 minutes ago, gw1500se said:
I didn't think there was a difference between the 2

The principle behind prepared statements is the separation of user-provided data from the query SQL code. This is accomplished by putting placeholders in the query and then binding parameters to those placeholders when executing.
gw1500se 18 Posted September 6
Not to hijack this thread, but isn't the preparation process the same in either case?
Barand 1,392 Posted September 6
Not even close. This code...
$product_details = "SELECT * FROM product WHERE product_id=".$_GET['product_id'];
$prepare = $connect->prepare($product_details);
$prepare->execute();
...would embed any SQL injection code contained in the GET into the query, which would then be executed (just as an unprepared query would). In the correct version the injection code would only be treated as data and not part of the SQL code.
gw1500se 18 Posted September 6
Thanks. Learned something new. So in my case the prepare is really useless.
mahenda 0 Posted September 27
On 9/6/2019 at 5:15 PM, ginerjm said:
Spelling error here.... style="text-decortion:none;"

style="text-decoration:none;"
mahenda 0 Posted September 27
On 9/6/2019 at 5:44 PM, Barand said:
Not if $product_details is still as posted earlier IE
You need
$product_details = "SELECT * FROM product WHERE product_id = ?";
$prepare = $connect->prepare($product_details);
$prepare->execute( [ $_GET['product_id'] ] );

Thank you so much, but why no bindParam()?
Barand 1,392 Posted September 27
1 minute ago, mahenda said:
but why no bindParam()

Because I preferred to pass the parameters in an array when executing instead.
mahenda 0 Posted September 27
8 minutes ago, Barand said:
Because I preferred to pass the parameters in an array when executing instead.

Okay, thanks.
mahenda 0 Posted September 27
11 minutes ago, Barand said:
Because I preferred to pass the parameters in an array when executing instead.

Let me come back again. I saw something like localhost/maembe/product.php?product_id/2 or this localhost/maembe/product.php?product/hot-coffee-found-here when I click on the home link, but I have no idea how to do that. My own is localhost/maembe/product.php?product_title = hot-coffee-found-here and I don't want that '=' sign. If I use preg_replace(), will it be correct, or is there another way?
Barand 1,392 Posted September 27 (edited)
55 minutes ago, Barand said:
Because I preferred to pass the parameters in an array when executing instead.

Binding is useful when you want to process records in a loop. Bind the variables first then, in the loop, update the values and execute. EG
$data = [ [ 1, 'Curly'], [ 2, 'Larry'], [ 3, 'Mo'] ];
$stmt = $db->prepare("INSERT INTO testuser (id, username) VALUES (:id, :user)");
$stmt->bindParam(':id', $id, PDO::PARAM_INT);
$stmt->bindParam(':user', $username, PDO::PARAM_STR);
foreach ($data as $user) {
    list($id, $username) = $user;
    $stmt->execute();
}

EDIT: But, with PDO, there is the alternative that I used before EG
$data = [ [ 1, 'Curly'], [ 2, 'Larry'], [ 3, 'Mo'] ];
$stmt = $db->prepare("INSERT INTO testuser (id, username) VALUES (?, ?)");
foreach ($data as $user) {
    $stmt->execute($user);
}
where the values are passed as an array when executing.
Edited September 27 by Barand
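Putting the thread's advice together in one runnable script (an added example, not code from any of the posters): Barand's placeholder query and bindParam loop, plus gw1500se's "validate the data before using it". The table, rows and the makeDb/parseProductId/fetchProduct names are constructed here; it uses an in-memory SQLite database so it runs offline.

```php
<?php
// Added example (not from the thread): safe product lookup for product.php.
// Assumes PHP 7.1+ with the pdo_sqlite driver; table and rows are constructed.
declare(strict_types=1);

function makeDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec("CREATE TABLE product (product_id INTEGER PRIMARY KEY, title TEXT)");
    // Sample rows inserted with bindParam in a loop, as in Barand's post:
    // bind the variables once, then update them and execute on each iteration.
    $stmt = $db->prepare("INSERT INTO product (product_id, title) VALUES (:id, :title)");
    $stmt->bindParam(':id', $id, PDO::PARAM_INT);
    $stmt->bindParam(':title', $title, PDO::PARAM_STR);
    foreach ([[1, 'Hot coffee'], [2, 'Iced tea'], [3, 'Cold brew']] as [$id, $title]) {
        $stmt->execute();
    }
    return $db;
}

// Step 1 (validation): product_id must be a positive integer; anything else
// is treated as "not found" and never reaches the database at all.
function parseProductId(string $raw): ?int {
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Step 2 (placeholder query): the value is handed to execute() as data and is
// never spliced into the SQL text, so it cannot change the query's structure.
function fetchProduct(PDO $db, string $raw): ?array {
    $id = parseProductId($raw);
    if ($id === null) {
        return null;
    }
    $stmt = $db->prepare("SELECT * FROM product WHERE product_id = ?");
    $stmt->execute([$id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// In product.php the first argument would be $_GET['product_id'] ?? '';
// the values below are constructed for the demonstration.
$db = makeDb();
var_dump(fetchProduct($db, '2'));          // a normal lookup of product 2
var_dump(fetchProduct($db, '2 OR 1=1'));   // not an integer: rejected before any SQL runs
var_dump(fetchProduct($db, '99'));         // well-formed but absent: no row, so null
```

If validation were skipped, the placeholder alone would still keep '2 OR 1=1' as a single bound value rather than SQL, which is the difference Barand describes between the concatenated and the prepared versions.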