$product_id = $_GET['id']; $query = "SELECT * FROM products WHERE id = $product_id";
Let's break it down:
Here is what that URL tells a hacker:
Hide the technical details of your URL structure. Instead of index.php?id=1 , use .htaccess (Apache) or Nginx config to display: http://example.com/shop/product/1 This doesn't stop SQL injection alone (security through obscurity is not enough), but it makes the site harder to profile for automated bots and looks more professional.
A hacker changes the URL to: index.php?id=1 UNION SELECT username, password FROM users inurl index php id 1 shop
NAME: Tuesday, November 14th, 1995. PRICE: One Regret. DESCRIPTION: The day you didn't say goodbye. Do you want it back?
Within minutes, Alex extracted admin credentials and user emails. The shop’s database was wide open because the developer trusted user input blindly. $product_id = $_GET['id']; $query = "SELECT * FROM
Historically, these types of URLs were the primary targets for SQL Injection (SQLi) . If a site didn't "sanitize" that input, a hacker could replace