I am having a doubt that my code "soon to be a website" is weak or easy to hack.

I have read about SQL injection and other security issues, and I came to know that the URL should not be something like "index.php?catid=id"; it must be hidden, redirected, or routed.

And this is what I am trying to avoid. However, I have tried `session_start();` but ended up in a mess.

I might be wrong as well, there might be no danger at all when sending the user from a page to another using anchor click here

Kindly check the code below.

header.php

```php
<div class="header">
<div class="logo">
    <a href="index.php"><img src="images/logo.jpg" alt="logo" /></a>
</div><!--logo ends-->
<div class="navigation">
    <?php
        // Build one navigation link per row of the category table.
        $cat_sql = "SELECT * FROM category";
        $cat_query = $conn->query($cat_sql);
        while ($cat_results = $cat_query->fetch_array()) {
            $category_page = "category.php?categoryID=" . $cat_results['categoryID'];
            //session_start();
            //echo session_id();
            echo "<a href='$category_page'>" . $cat_results['name'] . " </a>";
        }
        CloseCon($conn);
    ?>
    <a href="admin.php">Admin</a>
</div><!--navigation ends-->
</div><!-- Header ends here-->
```

dbconnect.php

```php
<?php
$servername = "localhost";
$username = "root";
$password = "123456789";
$database = "accessories";

$conn = new mysqli($servername, $username, $password, $database);

if ($conn->connect_error) {
    die("Connection failed: " . $conn->connect_error);
}
echo "Connected successfully";

// Helper used by the pages to close the shared connection.
function CloseCon($conn)
{
    $conn->close();
}
```
NonCreature0714
Moosa
  • wait... why exactly is a `session_start()` and `session_id()` inside of a `while` ?? – Abela Feb 17 '19 at 02:10
  • testing purposes only, just commented them out.. – Moosa Feb 17 '19 at 02:13
  • Are you worried that someone might simply 'know' that a category with ID x has a name of y? What exactly happens when you go to the category.php page? – RGriffiths Feb 17 '19 at 02:24
  • no I am not worried, what I am worried about is **if** an ID is shown in the URL it might open a security hole in the website? the category page will display such items, prices, pictures, etc.. nothing really important.. – Moosa Feb 17 '19 at 02:26
  • Since you're concerned about id exposure, you should look into [CSRF](https://stackoverflow.com/q/6287903/1144627), which can be used to validate requests from forms and query strings. And using [prepared statements](https://secure.php.net/manual/en/mysqli.quickstart.prepared-statements.php) for database queries as well. However as it stands, the code in your question is not vulnerable as you are not processing `$_GET, $_POST, $_FILE, $_COOKIE, or $_SESSION`, so your question is overall just too broad to provide an appropriate answer for. – Will B. Feb 17 '19 at 02:27
  • If nothing much happens other than displaying info then you are pretty safe. But if you were manipulating data/files etc on the basis of what was being sent you would be opening yourself up. – RGriffiths Feb 17 '19 at 02:40

1 Answer

I'd worry less about IDs being public (that's really not uncommon... it's the norm), and more about how you're querying. Are you making use of MySQLi's support for parameterized queries? They are, single-handedly, the best way to secure your website against SQL Injection vulnerabilities. Anywhere you accept user input, and ship it in a query, ensure it's parameterized.

Bob Hensley
  • so I am all safe when sending the user from a page to another, yeah? – Moosa Feb 17 '19 at 02:16
  • Again, I'd encourage you to make use of parameterized queries any time user input is required in a query. That includes using an ID set via $_GET. Never trust user input. – Bob Hensley Feb 17 '19 at 02:17
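
The parameterized query the answer recommends, applied to the `categoryID` link from the question. This is an added example, not code from the original post or its answer. It assumes PHP 7.4+ with the mysqlnd driver, a hypothetical `items` table with `name` and `price` columns, and hypothetical `DB_USER` / `DB_PASS` environment variables in place of the hard-coded credentials.

```php
<?php
// category.php - added example. The `items` table, its `name`/`price` columns
// and the DB_USER / DB_PASS environment variables are assumptions.
declare(strict_types=1);

// Make mysqli throw exceptions so a failed query cannot pass silently.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$conn = new mysqli('localhost', (string) getenv('DB_USER'), (string) getenv('DB_PASS'), 'accessories');
$conn->set_charset('utf8mb4');

// 1. Validate: categoryID must be a positive integer; anything else is rejected.
$categoryId = filter_input(INPUT_GET, 'categoryID', FILTER_VALIDATE_INT,
    ['options' => ['min_range' => 1]]);
if ($categoryId === null || $categoryId === false) {
    http_response_code(400);
    exit('Invalid category.');
}

// 2. Parameterize: the ID is bound as an integer, never concatenated into SQL.
$stmt = $conn->prepare('SELECT name FROM category WHERE categoryID = ?');
$stmt->bind_param('i', $categoryId);
$stmt->execute();
$category = $stmt->get_result()->fetch_assoc(); // get_result() needs the mysqlnd driver
$stmt->close();
if (!$category) {
    http_response_code(404);
    exit('Category not found.');
}

// 3. Escape on output: database values are still untrusted when written into HTML.
$e = static fn ($v): string => htmlspecialchars((string) $v, ENT_QUOTES, 'UTF-8');
echo '<h1>' . $e($category['name']) . '</h1>';

$stmt = $conn->prepare('SELECT name, price FROM items WHERE categoryID = ? ORDER BY name');
$stmt->bind_param('i', $categoryId);
$stmt->execute();
$items = $stmt->get_result();
echo '<ul>';
while ($row = $items->fetch_assoc()) {
    echo '<li>' . $e($row['name']) . ' - ' . $e($row['price']) . '</li>';
}
echo '</ul>';
$stmt->close();
$conn->close();
```

With this in place the ID can stay visible in the URL: a request such as `category.php?categoryID=1 OR 1=1` fails validation and returns 400 before any query runs.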