Before diving into exploits, let’s look at a typical HTTP request:
POST /add-cart.php HTTP/1.1
Host: example.com
Content-Type: application/x-www-form-urlencoded
Cookie: PHPSESSID=abc123

product_id=456&num=3&option=size_l
Or, via GET method (less secure, but common):
/add-cart.php?product=456&num=3
The num parameter (often named qty, quantity, or count) tells the backend how many units of a product to place into the session array. For example (the second form packs the product ID and the quantity into one value):
add-cart.php?num=5
add-cart.php?num=PROD123:2
By sending a single request with an absurdly high num value, or by sending thousands of sequential requests via a simple script, an attacker can flood the cart session.
Implement hard limits server-side.
Prevents session fixation when adding items to cart.
Since you are modifying state (the cart), every request must include a unique token.
// In the form that calls add-cart.php: mint a fresh token and embed it as a hidden field
$_SESSION['csrf_token'] = bin2hex(random_bytes(32));
echo '<input type="hidden" name="csrf_token" value="' . htmlspecialchars($_SESSION['csrf_token']) . '">';

// In add-cart.php: a missing token is treated like a wrong one, and the comparison is
// constant-time so the token cannot be guessed byte by byte
$submitted = (string)($_POST['csrf_token'] ?? '');
if (empty($_SESSION['csrf_token']) || !hash_equals($_SESSION['csrf_token'], $submitted)) {
    http_response_code(403);
    die('CSRF attack detected');
}
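The following is an added example of a hardened add-cart.php that combines the server-side hard limits and the CSRF check discussed above. It is not code from the original article; the three limit constants, the cart layout in the session (product ID mapped to quantity) and the cart_fail() helper are assumptions made for the example.

```php
<?php
// Added example, not the article's code. Limit values below are assumptions.
declare(strict_types=1);

const MAX_QTY_PER_LINE   = 20;   // assumed: max units of one product per cart line
const MAX_DISTINCT_LINES = 50;   // assumed: max distinct products in one cart
const MAX_TOTAL_UNITS    = 200;  // assumed: max sum of all quantities in the cart

session_start();

// Stop the request with an HTTP status and a short message (assumed helper).
function cart_fail(int $status, string $msg): void
{
    http_response_code($status);
    exit($msg);
}

// 1. State changes only over POST, and only with a valid CSRF token.
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    cart_fail(405, 'Use POST');
}
$token = (string)($_POST['csrf_token'] ?? '');
if (empty($_SESSION['csrf_token']) || !hash_equals($_SESSION['csrf_token'], $token)) {
    cart_fail(403, 'CSRF attack detected');
}

// 2. product_id and num must be bounded integers. FILTER_VALIDATE_INT rejects "",
//    "-1", "1e9", "3abc", composite values like "PROD123:2" and array inputs (num[]=1).
$productId = filter_var(
    $_POST['product_id'] ?? '',
    FILTER_VALIDATE_INT,
    ['options' => ['min_range' => 1]]
);
$num = filter_var(
    $_POST['num'] ?? '',
    FILTER_VALIDATE_INT,
    ['options' => ['min_range' => 1, 'max_range' => MAX_QTY_PER_LINE]]
);
if ($productId === false || $num === false) {
    cart_fail(400, 'Invalid product or quantity');
}

// 3. Cart-wide limits, so thousands of small requests cannot grow the session without bound.
$cart       = $_SESSION['cart'] ?? [];        // assumed layout: [productId => quantity]
$currentQty = $cart[$productId] ?? 0;
$newLineQty = $currentQty + $num;

if ($newLineQty > MAX_QTY_PER_LINE) {
    cart_fail(400, 'Quantity limit for this product reached');
}
if ($currentQty === 0 && count($cart) >= MAX_DISTINCT_LINES) {
    cart_fail(400, 'Too many distinct products in cart');
}
if (array_sum($cart) - $currentQty + $newLineQty > MAX_TOTAL_UNITS) {
    cart_fail(400, 'Cart unit limit reached');
}

// 4. Only after every check passes is the session mutated.
$cart[$productId]  = $newLineQty;
$_SESSION['cart']  = $cart;

header('Content-Type: application/json');
echo json_encode(['ok' => true, 'lines' => count($cart), 'units' => array_sum($cart)]);
```

Every limit is enforced before the session is written, so a request that fails any check leaves the cart exactly as it was; the per-line, per-cart and total-unit caps together bound the session size no matter how many requests are sent.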