if($_SESSION['user_id'] == 1) { // Grant admin access to delete products, view all orders } This is a critical vulnerability. An attacker who forces their session ID or registers a new account might manipulate the system to become user_id = 1 .
// .htaccess rewrites product.php?slug=blue-cotton-tshirt to /product/blue-cotton-tshirt $slug = $_GET['slug']; $query = "SELECT * FROM products WHERE slug = ?"; Now, id=1 is irrelevant to the outside world. It still exists in the database for joins, but it is never exposed in the HTML or URL. In many standard PHP shopping cart scripts, the first user to register (usually the store owner) gets user_id = 1 . This user has administrative privileges. php id 1 shopping
https://yourstore.com/product.php?id=1
ALTER TABLE products ADD COLUMN uuid CHAR(36) NOT NULL; -- Example UUID: 550e8400-e29b-41d4-a716-446655440000 Your URL becomes: product.php?uuid=550e8400-e29b-41d4-a716-446655440000 if($_SESSION['user_id'] == 1) { // Grant admin access