Id 1 Shopping - Php

A product page that builds its SQL query directly from the id parameter (product.php?id=1) is open to SQL injection. An attacker can change the parameter to:

product.php?id=1 UNION SELECT username, password FROM admin_users

If your database allows stacked queries, they could submit:

product.php?id=1; DROP TABLE orders; --

Step 1: Fix SQL Injection with Prepared Statements

Modify the code that reads your products table:

<?php
// Assume $pdo is your database connection (a PDO instance).

// Validate the type first: anything that is not an integer never reaches the query.
$id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT);
if (!$id) {
    die('Invalid product ID');
}

// Prepare the statement with a named placeholder, then bind the value separately.
$stmt = $pdo->prepare("SELECT * FROM products WHERE id = :id");
$stmt->execute(['id' => $id]);
$product = $stmt->fetch();

The prepare() method separates the SQL logic from the data. Even if the user sends 1; DROP TABLE, the database treats it as a literal value bound to :id, not as SQL code.

Step 2: Fix IDOR with Session-Based Authorization

Do not trust the user to tell you which account or order to view. Instead, derive the ID from the session.
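The following is an added example of Step 2, not code from the original page. It assumes the same $pdo connection, a login step that has already stored the authenticated user's id in $_SESSION['user_id'], and an orders table with id, user_id, total and created_at columns (the column names are assumptions). It also shows why a prepared statement alone does not fix IDOR: the query is parameterised in both versions, but only the second one checks ownership.

```php
<?php
// Added example (not from the original page). Assumes: $pdo is a PDO connection,
// $_SESSION['user_id'] is set by an earlier login step, and an `orders` table
// with `id`, `user_id`, `total`, `created_at` columns (names are assumptions).
declare(strict_types=1);

session_start();

// VULNERABLE (IDOR): safe against injection because of the placeholder, but any
// logged-in user can read any order just by changing ?id=... in the URL.
//
//   $stmt = $pdo->prepare('SELECT * FROM orders WHERE id = :id');
//   $stmt->execute(['id' => $_GET['id']]);

// FIXED: the identity comes from the server-side session, and the lookup is
// scoped to that identity.

// 1. Authentication: the caller must be logged in. The user id is taken from
//    the session, never from the request.
if (empty($_SESSION['user_id'])) {
    http_response_code(401);
    exit('Please log in');
}
$userId = (int) $_SESSION['user_id'];

// 2. Input validation: the order id is still user-supplied, so check its type
//    and range before it goes anywhere near the database.
$orderId = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT, [
    'options' => ['min_range' => 1],
]);
if ($orderId === false || $orderId === null) {
    http_response_code(400);
    exit('Invalid order ID');
}

// 3. Authorization: restrict the query to rows owned by the logged-in user.
//    An id that belongs to someone else returns no row, exactly like an id that
//    does not exist, so the response does not reveal which order ids are valid.
$stmt = $pdo->prepare(
    'SELECT id, total, created_at
       FROM orders
      WHERE id = :order_id AND user_id = :user_id'
);
$stmt->execute([
    'order_id' => $orderId,
    'user_id'  => $userId,
]);
$order = $stmt->fetch(PDO::FETCH_ASSOC);

if ($order === false) {
    http_response_code(404);
    exit('Order not found');
}

// The order exists and is owned by the caller; it is now safe to render it.
header('Content-Type: application/json');
echo json_encode($order);
```

The important line is the WHERE clause: the ownership check lives in the query itself, so there is no code path that fetches a row first and "remembers" to check the owner later. Returning 404 for both missing and foreign orders keeps an attacker from enumerating which ids exist.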