Add-cart.php - Num

The server logs didn't blink. They never did. But for Leo, the silent, green-on-black text of /var/log/nginx/access.log might as well have been a screaming headline.

Three requests. Same session ID. Same product SKU: DRN-7X .

– 11:34:02.447 POST /add-cart.php HTTP/1.1 – 11:34:02.451 POST /add-cart.php HTTP/1.1 – 11:34:02.453

<?php // Legacy code. No locking. No transactions. $product_id = $_POST['product_id']; $user_id = $_SESSION['user_id']; $quantity = 1; // default // Check if item exists in cart $result = $db->query("SELECT * FROM cart WHERE user_id=$user_id AND product_id=$product_id"); if($result->num_rows == 0) { $db->query("INSERT INTO cart (user_id, product_id, quantity) VALUES ($user_id, $product_id, $quantity)"); } else { $db->query("UPDATE cart SET quantity = quantity + $quantity WHERE user_id=$user_id AND product_id=$product_id"); } ?> add-cart.php num

He closed the file. He'd fix add-cart.php tomorrow.

Three separate line items for the same boot. Quantity: 1. Three times.

Leo smiled. He opened a new terminal and manually reduced the three rows to one. Then he added a note to the user's account: "Loyal customer. Approved for second pair on next restock. Also, nice race condition." The server logs didn't blink

Tonight, he'd let the ghost walker win. The next morning, a new commit appeared on the main branch: fix: add unique constraint and row-level locking to add-cart.php (thanks gh0st_walk3r for the pentest)

Leo swore under his breath. No BEGIN TRANSACTION . No FOR UPDATE . Just two naïve queries and a prayer. The three simultaneous POSTs had each run the SELECT , seen an empty cart, and each fired an INSERT . Three rows. Same product.

But for the last three nights, someone had been bending the rules. Three requests

He opened the source file: add-cart.php .

Leo leaned back in his creaking office chair, the glow of three monitors painting his tired face in pale blue light. He was the senior backend engineer for Velvet & Sole , a boutique online shoe retailer that had, against all odds, become a cult hit. Their signature "Dragonhide 7X" boot sold out in eleven minutes every restock.

He checked gh0st_walker 's IP address. Traced it back to a residential block in Akron, Ohio. Not a botnet. Not a competitor. Someone sitting in a basement, probably using a simple bash script:

for i in {1..3}; do curl -X POST https://velvetandsole.com/add-cart.php \ -d "product_id=DRN-7X&user_id=4421" & done Leo's fingers hovered over the keyboard. He could patch it. Add a unique key on (user_id, product_id) . Wrap the whole thing in a database transaction with SELECT ... FOR UPDATE . Deploy a rate limiter. He'd have it fixed by morning coffee.

But he didn't type a single line.