I have a doubt that my code (soon to be a website) is weak or easy to hack.
I have read about SQL injection and other security issues, and I came to know that the URL should not be something like "index.php?catid=id"; it must be hidden, redirected or routed.
This is what I am trying to avoid; however, I have tried session_start(); but ended up in a mess.
I might be wrong as well; there might be no danger at all when sending the user from one page to another using an anchor ("click here").
Kindly check the code below.
header.php

<div class="header">
    <div class="logo">
        <a href="index.php"><img src="images/logo.jpg" alt="logo" /></a>
    </div><!--logo ends-->
    <div class="navigation">
    <?php
    // $conn is the mysqli connection created in dbconnect.php, which has to be included before this point
    $cat_sql = "SELECT * FROM category";
    $cat_query = $conn->query($cat_sql);
    while ($cat_results = $cat_query->fetch_array()) {
        // link to the category page; the numeric ID is visible in the query string
        $category_page = "category.php?categoryID=" . $cat_results['categoryID'];
        //session_start();
        //echo session_id();
        // category name is echoed as-is, without HTML escaping
        echo "<a href='$category_page'>" . $cat_results['name'] . " </a>";
    }
    CloseCon($conn);
    ?>
    <a href="admin.php">Admin</a>
    </div><!--navigation ends-->
</div><!-- Header ends here-->
dbconnect.php

<?php
$servername = "localhost";
$username = "root";
$password = "123456789";
$database = "accessories";

// open the MySQLi connection used by header.php and the other pages
$conn = new mysqli($servername, $username, $password, $database);
if ($conn->connect_error) {
    die("Connection failed: " . $conn->connect_error);
}
echo "Connected successfully";

function CloseCon($conn)
{
    $conn->close();
}
I'd worry less about IDs being public (that's really not uncommon... it's the norm), and more about how you're querying. Are you making use of MySQLi's support for parameterized queries? They are, single-handedly, the best way to secure your website against SQL Injection vulnerabilities. Anywhere you accept user input, and ship it in a query, ensure it's parameterized.
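To make the answer's point concrete, here is an added example (not code from the question or the answer) of a hypothetical category.php, the page that header.php links to. It reads categoryID from the query string, validates it as an integer, and looks it up with a MySQLi prepared statement; the unsafe string-concatenation form is left in a comment for contrast. It assumes dbconnect.php defines $conn and CloseCon() as in the question, that the table is named category with columns categoryID and name, and that the mysqlnd driver is available for get_result().

```php
<?php
// Added example, not part of the original question or answer.
// Hypothetical category.php: the target of the links built in header.php.
// Assumes dbconnect.php provides $conn (mysqli) and CloseCon(), as in the question.
require 'dbconnect.php';

// The pattern the answer warns against: user input spliced straight into SQL text.
// Here the query string value decides what the SQL means. Kept only for contrast.
// $sql = "SELECT * FROM category WHERE categoryID = " . $_GET['categoryID'];

// 1. Validate the input's type before it goes anywhere near the database.
//    filter_input() returns null when the parameter is absent and false when it
//    is not a positive integer; both are rejected.
$categoryID = filter_input(
    INPUT_GET,
    'categoryID',
    FILTER_VALIDATE_INT,
    ['options' => ['min_range' => 1]]
);
if ($categoryID === null || $categoryID === false) {
    http_response_code(400);
    exit('Invalid category');
}

// 2. Prepared statement: the SQL text is fixed at prepare() time and the value is
//    bound separately, so the driver never parses the input as part of the query.
$stmt = $conn->prepare("SELECT categoryID, name FROM category WHERE categoryID = ?");
if ($stmt === false) {
    http_response_code(500);
    exit('Query preparation failed');
}
$stmt->bind_param('i', $categoryID);   // 'i' binds the value as an integer
$stmt->execute();
$result = $stmt->get_result();         // requires mysqlnd (assumption)
$row = $result->fetch_assoc();
$stmt->close();

if ($row === null) {
    http_response_code(404);
    exit('Category not found');
}

// 3. Escape on output as well: a parameterized query stops SQL injection, but a
//    category name containing markup would still be rendered into the page.
echo '<h1>' . htmlspecialchars($row['name'], ENT_QUOTES, 'UTF-8') . '</h1>';

CloseCon($conn);
```

The same shape applies to every page that reads a value from $_GET, $_POST or a cookie: validate the type, bind it with bind_param() rather than concatenating it, and escape it with htmlspecialchars() when echoing it back. Exposing the numeric ID in the URL is fine once the query that consumes it is parameterized.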