SiteLock SQL injection & XSS scan failed

0 投票
最新提问 用户: (140 分)

Hi I purchasing SiteLock and their said my site SQL injection & XSS scan failed

SQLInjection: URL: Description:Injection point: GET; Injection parameter: id; Injection type: numeric

XSS scan: URL: Description:id

I do not know how to collect it, could some one can help me out?

below is my php function pull out data from database.

function get_products_in_cat_page(){

$query = query(" SELECT * FROM products WHERE product_category_id = " . escape_string($_GET['id']) . "  ");

if(mysqli_num_rows($query) == 0) {

set_message("Will update soon the new products");

} else {

while($row = fetch_array($query)) {

$product_image = display_image($row['product_s_image1']);
$product_image2 = display_image($row['product_s_image2']);
if ($row['product_quantity'] < 1) {
    $outofstock = "<div class='sale-flash out-of-stock'>Out of Stock</div>";
} else {
    $outofstock = "";

$product = <<<DELIMETER

<div class="product clearfix" style="padding:8px;">
    <div class="product-image">
        <a href="product.php?id={$row['product_id']}"><img src="images/{$product_image}" alt="{$row['product_title']}" class="selected"></a>
        <a href="product.php?id={$row['product_id']}"><img src="images/{$product_image2}" alt="{$row['product_title']}"></a>
        <div class="product-overlay">
            <a href="include/ajax/quick_view.php?id={$row['product_id']}" class="add-to-cart" data-lightbox="ajax"><i class="icon-shopping-cart"></i><span>Quick View</span></a>
            <a href="product.php?id={$row['product_id']}" class="item-view"><i class="icon-zoom-in2"></i><span> More info.</span></a>
    <div class="product-desc center">
        <a href="product.php?id={$row['product_id']}">
        <div class="product-title"><h3 style="font-size:15px;">{$row['product_title']}</h3></div>
        <div class="product-price">&#36;{$row['product_price']}</div>
        <div class="product-rating">



echo $product;



登录 或者 注册 后回答这个问题。

欢迎来到 Security Q&A ,有什么不懂的可以尽管在这里提问,你将会收到社区其他成员的回答。