We have a php page which is the admin section of the website. It is used to perform some update actions on the database. The code looks like follows
session_start();
if (!isset($_SESSION['somevariable']) )
{
header("Location:loginpage.php");
}
$id=$_GET['somevariable];
$sql = "UPDATE sometable SET somecolumn='' where someothercolumn=?";
$stmt = $con->prepare($sql);
$stmt->bind_param('s',$id);
$stmt->execute();
What we have noticed is there has been some vulnerability and this piece of code seems to be running from an unknown source at a periodic interval(5 seconds), which doesnt seem like someone has the password for the admin section and is running the actions manually.
We would like to know can a hacker bypass this login check and execute the rest of the code without having the password? Any insights into the vulnerability in the above piece of code will be helpful. Thanks in advance