Is this one vulnerable?


mahenda

// link to the product (the product_id comes straight from the database row)
<a href="<?php echo 'product.php?product_id=' . $row['product_id']; ?>" style="text-decoration:none;">

// on the product page, the URL looks like this
localhost/maembe/product.php?product_id=2

What will happen when an attacker sees this id, and how do I change it?

13 minutes ago, gw1500se said:

Exactly what are you trying to protect? The answer depends on what 'product.php' does with 'product_id'.

When the user clicks the link with the product picture, it opens a new page called product.php with the product's full details from the database.

On the product page the query takes its input from the GET method:

$product_details = "SELECT * FROM product WHERE product_id=".$_GET['product_id'];

4 minutes ago, gw1500se said:

Are you using prepared statements? If so it is not a problem unless you don't want unauthorized users to see product details. In that case you would need to authenticate each user.

Every user can see it, even if he/she is not logged in.

56 minutes ago, gw1500se said:

Yep

Not if $product_details is still as posted earlier, i.e.

1 hour ago, mahenda said:

$product_details = "SELECT * FROM product WHERE product_id=".$_GET['product_id'];

You need

$product_details = "SELECT * FROM product WHERE product_id = ?";
$prepare = $connect->prepare($product_details);
$prepare->execute( [ $_GET['product_id'] ] );

5 minutes ago, gw1500se said:

I didn't think there was a difference between the 2

The principle behind prepared statements is the separation of user-provided data from the query SQL code. This is accomplished by putting placeholders in the query and then binding parameters to those placeholders when executing.

Not even close. This code...

$product_details = "SELECT * FROM product WHERE product_id=".$_GET['product_id'];
$prepare = $connect->prepare($product_details);
$prepare->execute();

...would embed any SQL injection code contained in the GET into the query, which would then be executed (just as an unprepared query would).

In the correct version the injection code would only be treated as data and not part of the SQL code.

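To make the difference concrete, here is a complete product.php written the way the replies above recommend. It is an added example, not code from anyone in this thread; it assumes a PDO connection in $connect, a table `product` with a `product_id` column and a `product_title` column, and placeholder database credentials.

```php
<?php
// Added example: a product.php that keeps the ?product_id=2 URL from the
// thread but never concatenates $_GET into the SQL text.
declare(strict_types=1);

function connectPdo(): PDO
{
    // Host, database, user and password are placeholders for this example.
    return new PDO(
        'mysql:host=localhost;dbname=maembe;charset=utf8mb4',
        'dbuser',
        'dbpass',
        [
            PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_EMULATE_PREPARES   => false, // real server-side prepares
            PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
        ]
    );
}

function fetchProduct(PDO $connect, string $rawId): ?array
{
    // Validate the shape first: a product id must be a positive integer.
    // Letters, quotes or anything else are rejected before the database
    // is involved at all, so bad input never even reaches the query.
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;
    }

    // The SQL text is fixed; the value travels separately as a bound parameter.
    $stmt = $connect->prepare('SELECT * FROM product WHERE product_id = ?');
    $stmt->execute([$id]);
    $row = $stmt->fetch();

    return $row === false ? null : $row;
}

$connect = connectPdo();
$product = fetchProduct($connect, $_GET['product_id'] ?? '');

if ($product === null) {
    // Same response for "bad id" and "no such row": reveal nothing extra.
    http_response_code(404);
    exit('Product not found');
}

// Escape on output too; column name product_title is assumed for this example.
echo '<h1>' . htmlspecialchars($product['product_title'], ENT_QUOTES, 'UTF-8') . '</h1>';
```

With this in place the id in the URL can be changed freely by any visitor, which the thread says is intended, but the only thing a visitor can influence is which row is looked up, not what SQL runs.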
On 9/6/2019 at 5:44 PM, Barand said:

Not if $product_details is still as posted earlier IE

You need


$product_details = "SELECT * FROM product WHERE product_id = ?";
$prepare = $connect->prepare($product_details);
$prepare->execute( [ $_GET['product_id'] ] );

 

Thank you so much, but why no bindParam()?

11 minutes ago, Barand said:

Because I preferred to pass the parameters in an array when executing instead.

Let me come back to this again.

I saw something like

localhost/maembe/product.php?product_id/2

or this

localhost/maembe/product.php?product/hot-coffee-found-here

when I click on the home link,

but I have no idea how to do that. My own is

localhost/maembe/product.php?product_title = hot-coffee-found-here

I don't want that '=' sign. If I use preg_replace(), will that be correct, or is there another way?

55 minutes ago, Barand said:

Because I preferred to pass the parameters in an array when executing instead.

Binding is useful when you want to process records in a loop. Bind the variables first then, in the loop, update the values and execute, e.g.

$data = [
    [1, 'Curly'],
    [2, 'Larry'],
    [3, 'Mo'],
];

$stmt = $db->prepare("INSERT INTO testuser (id, username) VALUES (:id, :user)");
// Bind once to the variables; each execute() reads their current values.
$stmt->bindParam(':id', $id, PDO::PARAM_INT);
$stmt->bindParam(':user', $username, PDO::PARAM_STR);

foreach ($data as $user) {
    list($id, $username) = $user;
    $stmt->execute();
}

EDIT:

But, with PDO, there is the alternative that I used before, e.g.

$data = [
    [1, 'Curly'],
    [2, 'Larry'],
    [3, 'Mo'],
];

$stmt = $db->prepare("INSERT INTO testuser (id, username) VALUES (?, ?)");

foreach ($data as $user) {
    // Each row is passed as the parameter array for this execution.
    $stmt->execute($user);
}

where the values are passed as an array when executing.

Edited by Barand