```php
// Bind parameters (prevents SQL injection): the values are sent to the driver
// separately from the SQL text, so they can never be parsed as SQL.
// PDO::PARAM_INT is a type hint for the driver, not input validation; check that
// $user_id and $product_id really are integers before they get this far.
$stmt->bindParam(':user_id', $user_id, PDO::PARAM_INT);
$stmt->bindParam(':product_id', $product_id, PDO::PARAM_INT);
```
A safer request keeps the state-changing action out of the query string: `POST /add-to-cart` (not GET) with the body `product_id=123&quantity=1`. POST keeps the parameters out of URLs, proxy logs and browser history, but it does not by itself stop injection; the values in the body still have to be validated and bound as parameters.

The endpoint under test, by contrast, takes everything in a GET query string:

```
# Add 3 items of product ID 5
add-cart.php?id=5&num=3
```

The attacker uses Burp Suite to fuzz the `num` parameter with a payload list: `1`, `1.1`, `-1`, `999999`, `1 UNION SELECT 1`, `1%00`. Each value probes a different failure: the non-integer and negative quantities test type checking and business logic, the oversized quantity tests bounds checking, the UNION payload tests for SQL injection, and the URL-encoded NUL byte tests string handling. Any difference in the response (an error page, a changed cart total, a longer delay) tells the fuzzer which payloads the handler did not anticipate.

| Endpoint | Parameter | Payload |
|---|---|---|
| add-cart.php | num | 1 UNION SELECT 1 |
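The following is an added example, not code from the original page: it replays the Burp payload list above against two versions of the add-to-cart handler, one that splices `num` into the SQL text the way `add-cart.php?id=5&num=3` invites, and one that validates `num` and binds every value as a parameter (the same idea as the `bindParam` snippet above). It uses an in-memory SQLite database rather than PHP and PDO, and the schema, the sample product (id 5, stock 10), the `MAX_QUANTITY` limit and the URL shape are all assumptions made for the example.

```python
"""Replay of the num-parameter fuzz list against a string-built query and a
parameterized one. Constructed example: in-memory SQLite, invented schema."""
import re
import sqlite3
from urllib.parse import parse_qs, urlsplit

# The Burp payload list from the text. "1%00" is URL-encoded and decodes to "1\x00".
FUZZ_PAYLOADS = ["1", "1.1", "-1", "999999", "1 UNION SELECT 1", "1%00"]
MAX_QUANTITY = 99  # assumed business limit; not stated on the page


def make_db():
    """Constructed schema: one product (id 5, stock 10) and an empty cart."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, stock INTEGER);
        CREATE TABLE cart (user_id INTEGER, product_id INTEGER, quantity INTEGER);
        INSERT INTO products VALUES (5, 'widget', 10);
        """
    )
    return conn


def query_params(url):
    """Decode ?id=..&num=.. the way a GET handler sees it (percent-decoding included)."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return qs.get("id", [""])[0], qs.get("num", [""])[0]


def add_to_cart_vulnerable(conn, user_id, url):
    """Splices the raw num value into the SQL text: the add-cart.php?id=5&num=3 pattern."""
    product_id, num = query_params(url)
    sql = (
        "INSERT INTO cart (user_id, product_id, quantity) "
        f"VALUES ({user_id}, {product_id}, {num})"
    )
    conn.execute(sql)  # a SQL error here surfaces as a server error: the fuzzer's signal
    row = conn.execute(
        "SELECT quantity FROM cart WHERE user_id = ? ORDER BY rowid DESC LIMIT 1",
        (user_id,),
    ).fetchone()
    return ("stored", row[0])


def parse_quantity(raw):
    """Allow-list: ASCII digits only, then 1..MAX_QUANTITY. Returns None on anything else."""
    if not re.fullmatch(r"[0-9]{1,6}", raw):  # rejects 1.1, -1, SQL text and the NUL byte
        return None
    qty = int(raw)
    if not 1 <= qty <= MAX_QUANTITY:  # rejects 0 and 999999
        return None
    return qty


def add_to_cart_hardened(conn, user_id, url):
    """Validates num, then binds every value as a parameter (the PDO bindParam idea)."""
    product_id, num = query_params(url)
    if not re.fullmatch(r"[0-9]{1,9}", product_id):
        return ("rejected", "bad product id")
    qty = parse_quantity(num)
    if qty is None:
        return ("rejected", "bad quantity")
    # Stock check and insert use placeholders; values never touch the SQL text.
    row = conn.execute(
        "SELECT stock FROM products WHERE id = ?", (int(product_id),)
    ).fetchone()
    if row is None or row[0] < qty:
        return ("rejected", "unavailable")
    conn.execute(
        "INSERT INTO cart (user_id, product_id, quantity) VALUES (?, ?, ?)",
        (user_id, int(product_id), qty),
    )
    return ("stored", qty)


def run_fuzz(handler):
    """Sends each payload to a fresh database and records the observable outcome."""
    results = {}
    for payload in FUZZ_PAYLOADS:
        conn = make_db()
        try:
            results[payload] = handler(conn, 1, f"/add-cart.php?id=5&num={payload}")
        except Exception as exc:  # what the attacker sees as a 500 error
            results[payload] = ("error", type(exc).__name__)
        finally:
            conn.close()
    return results


if __name__ == "__main__":
    handlers = (("vulnerable", add_to_cart_vulnerable), ("hardened", add_to_cart_hardened))
    for name, handler in handlers:
        print(name)
        for payload, outcome in run_fuzz(handler).items():
            print(f"  num={payload!r:22} -> {outcome}")
```

Running it shows why the list is ordered the way it is: the string-built handler happily stores a quantity of `-1`, `999999` or `1.1`, raises a database error on `1 UNION SELECT 1`, and fails in a different way on the NUL byte, so every payload produces a distinguishable response. The hardened handler answers everything except `1` with the same "bad quantity" rejection, which is the behaviour a fuzzer should see: one uniform refusal, no error messages and no type coercion to probe.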