The bug is in user/login.php
$quer= odbc_exec($con, "SELECT name, pass FROM $users where (name LIKE '$name' and pass LIKE '$cryptpass')"); // DIDN'T SANITIZE THE INPUT!!
if(odbc_fetch_row($quer) != 0) {
The input is not sanitized! An attacker can inject SQL and obtain privileged access. Because the code only checks that the query result is not null, the attacker is able to exploit that vulnerability.
If a user were to use this username and password:
Username: SOME_VALID_USERNAME' OR 1=1) --
Password: anything
I would get access without knowing the password.
I have written a patch. It is attached.
Essentially, add the line $name = mysql_real_escape_string($name);
patched user\login.php
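
An added example (not the attached patch or the project's code): the query from login.php rebuilt with ODBC prepared statements, a different technique from the escaping call above, chosen because the page's query runs through odbc_exec. The function names vulnerable_sql() and find_user(), the 'users' table name and the allowlist are assumptions.

```php
<?php
// Added example. vulnerable_sql(), find_user() and $allowedTables are hypothetical names.

// The page's query, built as a plain string so the effect of the input is visible.
function vulnerable_sql(string $users, string $name, string $cryptpass): string
{
    return "SELECT name, pass FROM $users where (name LIKE '$name' and pass LIKE '$cryptpass')";
}

// With the username from the report, the quote ends the string literal early,
// the rest of the name is parsed as SQL, and "--" comments out the password test.
echo vulnerable_sql('users', "SOME_VALID_USERNAME' OR 1=1) --", 'anything'), "\n";

/**
 * Hardened lookup. $con is an open ODBC connection and $cryptpass is the
 * already-hashed password, as in the original query.
 */
function find_user($con, string $table, string $name, string $cryptpass): bool
{
    // A table name cannot be bound as a parameter, so allowlist it instead.
    $allowedTables = ['users'];           // assumption: the real table name(s)
    if (!in_array($table, $allowedTables, true)) {
        return false;
    }

    // Placeholders keep user input out of the SQL text entirely.
    // "=" replaces LIKE so both values are compared literally.
    $stmt = odbc_prepare($con, "SELECT name FROM $table WHERE name = ? AND pass = ?");
    if ($stmt === false) {
        return false;                     // fail closed on driver errors
    }
    if (!odbc_execute($stmt, [$name, $cryptpass])) {
        return false;
    }

    // odbc_fetch_row() returns true only when a row was actually fetched.
    return odbc_fetch_row($stmt) === true;
}
```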