Hello guys,
I need your help, and especially I'll appreciate it most from the many experienced users that I see exist over here!
I want to make a simple online shop (eshop) using PHP & MySQL. After a lot of time searching on the web, I finally found this very good tutorial => http://www.thewatchmakerproject.com/...-shopping-cart that makes it real.
But, but.. I read the code and comments and finally used it on my local Apache server and it worked all right..
BUT, when I went up to the browser's toolbar and tried to change this:
http://localhost/cart/cart-demo/cart...ction=add&id=1
to this
http://localhost/cart/cart-demo/cart...tion=add&id=-1
it started to add values, books for instance, even though I am giving a negative number..
The worst?
When I tried to change this:
http://localhost/cart/cart-demo/cart...ction=add&id=1
with this one:
http://localhost/cart/cart-demo/cart.php?action=add&id='1
or with this one:
http://localhost/cart/cart-demo/cart.php?action=add&id='
the whole system of this e-shop script "collapsed".. I mean it started to give me
ERRORS and books were added without me choosing them..
From my medium knowledge on these issues I understand this is
a security issue.. I can't imagine what could happen if I use it on my web site
as it is now..
My question is a request for help, so please help me to:
firstly, understand the problem,
secondly, teach me how to fix it,
so that I can learn the vulnerabilities of this script and finally build up an e-shop with this script that is as secure as possible.
I want to learn!
Please be kind.
I am waiting for your answers with huge interest!
Thanks in advance!
* ..you can download the code from the tutorial web site that provides this script (the .zip file at the end of the page) so that you can test it yourself and see what I mean!
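The symptoms in the post (a negative `id` being accepted, and a lone `'` breaking the script) are what you see when the raw `id` from the query string is dropped straight into a SQL statement. As an added example that is not the tutorial's or the poster's code, the snippet below shows that assumed vulnerable pattern beside a hardened `cart.php` handler that validates `id` as a positive integer and uses a prepared statement; the `books` table, its integer `id` column and the `$_SESSION['cart']` layout (`id => quantity`) are assumptions.

```php
<?php
// Added example, not the tutorial's code. Assumes a table `books` with an
// integer primary key `id`, and a session cart shaped as [book_id => qty].

// --- Assumed vulnerable pattern that explains the reported behaviour:
// the query-string value is interpolated into the SQL text, so id=-1 is
// simply executed, and id=' produces a malformed statement and errors.
function add_to_cart_vulnerable(PDO $db, array $get, array &$cart): void {
    $id  = $get['id'];                                   // unvalidated string
    $sql = "SELECT id FROM books WHERE id = $id";        // string interpolation
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);    // errors on bad input
    if ($row !== false) {
        $cart[$row['id']] = ($cart[$row['id']] ?? 0) + 1;
    }
}

// --- Hardened version: validate first, bind the value as a parameter, and
// only add a book that the database actually returned.
function add_to_cart_safe(PDO $db, array $get, array &$cart): bool {
    // 1. id must be an integer >= 1; "-1", "'1" and "'" are all rejected here.
    $id = filter_var($get['id'] ?? null, FILTER_VALIDATE_INT,
                     ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return false;                                    // do not touch the cart
    }
    // 2. A bound parameter is sent separately from the SQL text, so the
    //    value can never change the structure of the statement.
    $stmt = $db->prepare('SELECT id FROM books WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false;                                    // no such book
    }
    // 3. Key the cart by the id the database returned, not the user's string.
    $key = (int) $row['id'];
    $cart[$key] = ($cart[$key] ?? 0) + 1;
    return true;
}

// Usage sketch for cart.php (assumed connection details):
//   session_start();
//   $_SESSION['cart'] = $_SESSION['cart'] ?? [];
//   $db = new PDO('mysql:host=localhost;dbname=shop', 'user', 'pass',
//                 [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
//   if (($_GET['action'] ?? '') === 'add') {
//       add_to_cart_safe($db, $_GET, $_SESSION['cart']);
//   }
```

The same two rules (reject anything that is not a positive integer, and never build SQL by concatenating request values) apply to every other parameter the script reads from `$_GET` or `$_POST`, such as `action` and any quantity field.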