Security: No authentication, SQL injection, XSS, and CSRF vulnerabilities #9

@lighthousekeeper1212

Description

Summary

The application has no authentication layer — all inventory data is accessible to anyone. This is combined with SQL injection via phpGrid and reflected XSS.

Key Findings (8 total, 5 CRITICAL + 3 HIGH)

  1. No authentication — no session validation on any page (products, purchases, orders, reports, barcodes)
  2. Reflected XSS — unescaped $_GET['currentPage'] in inc/menu.php
  3. SQL injection — unparameterized queries via phpGrid C_DataGrid edit/filter handlers
  4. IDOR — no ownership verification on any resource modification
  5. No CSRF protection — all forms lack token validation
  6. Hardcoded database credentials, debug error display, unvalidated barcode input

Fix

  1. Add session-based authentication to all pages
  2. Use htmlspecialchars() on all user input in HTML output
  3. Use parameterized queries / prepared statements
  4. Add CSRF token generation and validation
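The four fixes above, sketched as PHP helpers. This is an added example, not code from the issue or the project; the `products` table, its columns, the barcode format and the `/login.php` path are assumptions.

```php
<?php
// Added example (not from the issue or the project); table/column names are assumed.
session_start();

// 1. Session-based authentication: require a logged-in user on every page.
function requireLogin(): void {
    if (empty($_SESSION['user_id'])) {
        header('Location: /login.php'); // assumed login page
        exit;
    }
}

// 2. Output escaping: never echo request data raw into HTML.
function e(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// 4. CSRF token: one random token per session, compared in constant time.
function csrfToken(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

function requireValidCsrf(): void {
    $sent = $_POST['csrf_token'] ?? '';
    if (!is_string($sent) || !hash_equals(csrfToken(), $sent)) {
        http_response_code(403);
        exit('Invalid CSRF token');
    }
}

// 3. Parameterized query via PDO (assumed schema: products(id, name, qty, barcode)).
function findProductByBarcode(PDO $db, string $barcode): ?array {
    // Validate the barcode format before it reaches the query or the label renderer.
    if (!preg_match('/^[0-9]{8,14}$/', $barcode)) {
        return null;
    }
    $stmt = $db->prepare('SELECT id, name, qty FROM products WHERE barcode = :barcode');
    $stmt->execute([':barcode' => $barcode]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Usage for the inc/menu.php case: the reflected value is escaped before output.
requireLogin();
$currentPage = e((string)($_GET['currentPage'] ?? 'products'));
echo '<input type="hidden" name="csrf_token" value="' . e(csrfToken()) . '">';
echo '<span class="active">' . $currentPage . '</span>';
```

Call `requireValidCsrf()` at the top of every POST handler before touching the database, and pass user-supplied filter values from the grid handlers through bound parameters the same way.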
