By providing a username and the password as ' or 1=1;--, you are able to gain access as any user that exists, and from there you can give yourself an account with any privileges you would like.
if($username && $password) {
    $conn = mysql_connect('localhost', 'root', PASS) or die("Whoops"); // Connect to the database, or print an error message if the connection fails.
    $password = md5($password); // Hash the submitted password with MD5 (a hash, not encryption) and store it back in the same variable. If not on a Windows box, I suggest you use crypt().
    $sql = "select * from users where loginname='$username'"; // Query that looks up the submitted username in 'users'. $username is interpolated straight into the SQL string, so whatever the client sends becomes part of the WHERE clause.
    $r = mysql_db_query(DB, $sql); // Execute the query.
    // If no rows come back for that username, redirect.
    if(!mysql_num_rows($r)){
        mysql_close($conn);
        header("Location: index.php"); // Redirect back to the login page.
    }else{
        $passed = @mysql_connect(HOST, USER, PASS); // Any matching row counts as a successful login.
    }
}
mysql_select_db(DB);
if (!$passed || $fail) {
    //echo 'Could not connect: ' . mysql_error();
    echo "<center><font color=\"#FF0000\"><b>Invalid User Name or Password</b></font></center>";
    $_SESSION["logged"] = 0;
    $_SESSION["userid"] = "";
}
// Remainder of the login handler is not included in the report.
suggested solution: modify index.php as follows
if($username && $password) {
    $conn = mysql_connect('localhost', 'root', PASS) or die("Whoops"); // Connect to the database, or print an error message if the connection fails.
    // Reject any password that mysql_real_escape_string() would alter (quotes, backslashes, NUL, newlines).
    // mysql_real_escape_string() needs an open connection, so this check runs after mysql_connect().
    $password2 = mysql_real_escape_string($password, $conn);
    if($password2 != $password)
    {
        $fail = true;
    }
    $password = md5($password); // Hash the submitted password with MD5 (a hash, not encryption) and store it back in the same variable. If not on a Windows box, I suggest you use crypt().
    $sql = "select * from users where loginname='$username'"; // Query that looks up the submitted username in 'users'. $username is interpolated straight into the SQL string.
    $r = mysql_db_query(DB, $sql); // Execute the query.
    // If no rows come back for that username, redirect.
    if(!mysql_num_rows($r)){
        mysql_close($conn);
        header("Location: index.php"); // Redirect back to the login page.
    }else{
        $passed = @mysql_connect(HOST, USER, PASS); // Any matching row counts as a successful login.
    }
}
mysql_select_db(DB);
if (!$passed || $fail) {
    //echo 'Could not connect: ' . mysql_error();
    echo "<center><font color=\"#FF0000\"><b>Invalid User Name or Password</b></font></center>";
    $_SESSION["logged"] = 0;
    $_SESSION["userid"] = "";
}
// Remainder of the login handler is not included in the suggestion.
Thanks billy,
Will be looking into your modification suggestion and implementing the change.
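The query in the posted index.php interpolates $username, so the reporter's payload lands in the username field and turns the WHERE clause into loginname='' or 1=1, which matches every row. The following is an added example, not code from this bug report or from the project: it reproduces that pattern against an in-memory SQLite database and places the fix beside it, a prepared statement with a bound parameter plus password_verify() on a salted hash. The table layout, the account alice, and the function names loginVulnerable and loginSafe are all constructed for the example; it assumes PHP 7+ with the PDO sqlite driver.

```php
<?php
// Added example, not the project's code. Assumes PHP 7+ with PDO and the sqlite driver.
declare(strict_types=1);

// Constructed in-memory database so the script runs offline.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, loginname TEXT UNIQUE, password TEXT)');

// Constructed sample account. password_hash() salts and stretches the password;
// md5() as used in the posted code does neither.
$ins = $pdo->prepare('INSERT INTO users (loginname, password) VALUES (:u, :p)');
$ins->execute([':u' => 'alice', ':p' => password_hash('correct horse', PASSWORD_DEFAULT)]);

// Same shape as the posted index.php: the username is spliced into the SQL text,
// and a returned row is treated as a successful login (the query never checks the password).
function loginVulnerable(PDO $pdo, string $username, string $password): ?string
{
    $sql = "SELECT * FROM users WHERE loginname='$username'";
    $row = $pdo->query($sql)->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null;
    }
    return $row['loginname'];
}

// Hardened version: the bound parameter is passed to the engine as data and is never
// parsed as SQL, the stored hash is actually verified, and the caller only learns
// which account (if any) authenticated.
function loginSafe(PDO $pdo, string $username, string $password): ?string
{
    $stmt = $pdo->prepare('SELECT loginname, password FROM users WHERE loginname = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password'])) {
        return null;
    }
    return $row['loginname'];
}

// The reporter's payload, sent as the username.
$payload = "' or 1=1;--";

printf("vulnerable, injected username: %s\n", loginVulnerable($pdo, $payload, 'anything') ?? 'denied');
printf("safe, injected username:       %s\n", loginSafe($pdo, $payload, 'anything') ?? 'denied');
printf("safe, real credentials:        %s\n", loginSafe($pdo, 'alice', 'correct horse') ?? 'denied');
printf("safe, wrong password:          %s\n", loginSafe($pdo, 'alice', 'wrong') ?? 'denied');
```

Run with php on the command line. With the injected username, loginVulnerable() hands back the first row in the table (alice) because 1=1 matches every row and the trailing ;-- comments out the closing quote; loginSafe() returns null for the same input, since SQLite looks for a user literally named ' or 1=1;--. Escaping or rejecting the password alone, as in the suggested modification above, does not change that outcome, because the injected text never goes through the password path. The same prepared-statement approach applies to MySQL by swapping the DSN; the mysql_* functions used in the posted code have no parameter binding at all, which is the reason to move to PDO or mysqli.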