Num | Add-cart.php

Leo smiled. He opened a new terminal and manually reduced the three rows to one. Then he added a note to the user's account: "Loyal customer. Approved for second pair on next restock. Also, nice race condition."

Instead, he clicked over to the user's profile. gh0st_walker had been a member for four years. Bought three pairs of boots, left glowing reviews each time. Their last order was a size 11—the same size in the ghost cart.

He closed the file. He'd fix add-cart.php tomorrow.

Three separate line items for the same boot. Quantity: 1. Three times.

He checked gh0st_walker's IP address. Traced it back to a residential block in Akron, Ohio. Not a botnet. Not a competitor. Someone sitting in a basement, probably using a simple bash script:

Three requests. Same session ID. Same product SKU: DRN-7X.

But for the last three nights, someone had been bending the rules.

<?php
// Legacy code. No locking. No transactions.
$product_id = $_POST['product_id'];
$user_id = $_SESSION['user_id'];
$quantity = 1; // default

// Check if item exists in cart
$result = $db->query("SELECT * FROM cart WHERE user_id=$user_id AND product_id=$product_id");
if ($result->num_rows == 0) {
    $db->query("INSERT INTO cart (user_id, product_id, quantity) VALUES ($user_id, $product_id, $quantity)");
} else {
    $db->query("UPDATE cart SET quantity = quantity + $quantity WHERE user_id=$user_id AND product_id=$product_id");
}
?>

He opened the source file: add-cart.php.

Leo clicked through to the checkout table. The order hadn't been placed yet. But the cart's total? $1,197.00. The user had effectively bypassed the "max 1 per customer" rule without triggering a single alarm. Not a hack. Not an SQL injection. Just the ugly poetry of concurrency.

The server logs didn't blink. They never did. But for Leo, the silent, green-on-black text of /var/log/nginx/access.log might as well have been a screaming headline.