A typical PHP script ( product.php ) looks like this:
<?php session_start(); $user_id = $_SESSION['user_id']; // Comes from login, not from URL $stmt = $pdo->prepare("SELECT * FROM orders WHERE user_id = :user_id"); $stmt->execute(['user_id' => $user_id]); $orders = $stmt->fetchAll(); ?> php id 1 shopping
<?php $id = $_GET['id']; // Gets "1" from the URL $query = "SELECT * FROM products WHERE id = $id"; $result = mysqli_query($connection, $query); $product = mysqli_fetch_assoc($result); ?> <h1><?php echo $product['name']; ?></h1> <p>Price: $<?php echo $product['price']; ?></p> This code works perfectly on a developer's local machine. However, when deployed to the live web, becomes a nightmare for three specific reasons. The 3 Catastrophic Risks of Using "?id=1" 1. SQL Injection (The #1 Killer) Because the code above directly injects the $_GET['id'] into the SQL query, a hacker does not have to send ?id=1 . They can send: A typical PHP script ( product
Imagine the URL: account.php?id=1 (Viewing user #1’s orders) account.php?id=2 (Viewing user #2’s orders) SQL Injection (The #1 Killer) Because the code
If you absolutely must pass an ID (e.g., for a shared shopping cart), use a random or hashed value, not an integer. Step 3: Replace Numeric IDs with UUIDs or Hashed Slugs To stop competitors from scraping your catalog and to obscure record counts, stop using id=1 . Instead, use one of these methods: