I'm working with a website which currently stores product ID lists in a string within the URL.
Looks like this: localhost/product-list?compare=7011,7012,7013
This list gets split up using explode() and count()ed to show the amount of products on the page.
Should I be worried about people inserting their own values in the URL? Is there any risk of code injection using explode() and count()?
Well, it really depends upon how they are being used inside your code. For example, if you are querying these IDs in your database, it should be fine if you are using parameterized queries to achieve this. However, in order to make sure that weird inputs don't roam around in your code, you could validate using a simple preg_match for digits (IDs) and commas.
<?php
// The list as it arrives; hard-coded here, in the real page it comes from $_GET['compare'].
$compare = isset($_GET['compare']) ? (string) $_GET['compare'] : '7011,7012,7013';
// Anchored so the whole string must be digits separated by single commas (no leading or
// trailing comma, no empty element, no nested quantifiers that could backtrack heavily).
var_dump(preg_match('/^\d+(,\d+)*$/', $compare));
Demo: https://3v4l.org/WjeDe
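To show what the answer above looks like end to end (validate, then explode()/count(), then a parameterized IN (...) query), here is an added example that is not part of the original question or answer. It assumes the pdo_sqlite extension is available and uses an in-memory SQLite table with a few constructed rows as the product catalogue; the $maxIds limit and the function names are my own choices. The cap on the number of IDs is the practical caveat the thread does not mention: explode() and count() themselves cannot inject anything, but a request with tens of thousands of commas makes the page fetch and render that many products, so the list length needs a bound as much as its contents need a format check.

```php
<?php
declare(strict_types=1);

// Constructed sample data: an in-memory SQLite table standing in for the product catalogue.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
$ins = $pdo->prepare('INSERT INTO products (id, name) VALUES (?, ?)');
foreach ([[7011, 'Widget A'], [7012, 'Widget B'], [7013, 'Widget C'], [7014, 'Widget D']] as $row) {
    $ins->execute($row);
}

/**
 * Turn the raw ?compare= value into a bounded list of distinct positive integers.
 * Returns null when the input is not a plain comma-separated list of IDs.
 * $maxIds is an assumed limit; pick whatever your compare page can sensibly render.
 */
function parseCompareIds(string $raw, int $maxIds = 10): ?array
{
    // Whole-string anchors, at most 9 digits per ID (fits a 32-bit int), and no nested
    // quantifiers, so a trailing comma or an empty element is rejected rather than dropped.
    if (!preg_match('/^\d{1,9}(,\d{1,9})*$/', $raw)) {
        return null;
    }
    $ids = array_map('intval', explode(',', $raw));
    // Drop zero (no such ID) and duplicates, then reindex so the list binds cleanly.
    $ids = array_values(array_unique(array_filter($ids, fn(int $id) => $id > 0)));
    if (count($ids) === 0 || count($ids) > $maxIds) {
        return null;
    }
    return $ids;
}

/**
 * Fetch the requested products with one placeholder per ID. The IDs are bound as
 * values and never become part of the SQL text, so they cannot alter the query.
 */
function fetchProducts(PDO $pdo, array $ids): array
{
    $placeholders = implode(',', array_fill(0, count($ids), '?'));
    $stmt = $pdo->prepare("SELECT id, name FROM products WHERE id IN ($placeholders)");
    $stmt->execute($ids);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// The unsafe counterpart, kept as a comment only to show what the validation guards against:
// interpolating the raw parameter lets a value such as "7011) OR 1=1 --" rewrite the query.
// $rows = $pdo->query("SELECT id, name FROM products WHERE id IN ($raw)")->fetchAll();

// Constructed inputs covering the normal case and the shapes the validator must refuse.
$samples = [
    '7011,7012,7013',   // the list from the question
    '7011,7011,7012',   // duplicates
    '7011,7012,',       // trailing comma
    '7011) OR 1=1 --',  // injection attempt
    '',                 // empty parameter
];
foreach ($samples as $raw) {
    $ids = parseCompareIds($raw);
    if ($ids === null) {
        printf("%-20s rejected\n", var_export($raw, true));
        continue;
    }
    $products = fetchProducts($pdo, $ids);
    printf("%-20s %d product(s): %s\n", var_export($raw, true), count($products),
        implode(', ', array_column($products, 'name')));
}
```

The count shown on the page should come from the rows the query actually returned, not from count() of the exploded string: an ID that passes the format check may simply not exist, and the two numbers drift apart otherwise.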