THE BUG WAS FOUND IN: login.php
if ($strError == "") {
    $strPassword = md5($strPassword);
    // $strUserName is interpolated straight into the query string
    $strSQL = "SELECT id, securityLevel FROM tblSecurity WHERE userID='$strUserName' AND password='$strPassword'";
    $result = dbquery($strSQL);
    $row = mysql_fetch_row($result);
    if ($row[0] != "")
The SQL input ($strUserName) is not sanitized!
The problem with the code above is that I can supply a SQL injection as the username, and since your code does not check whether the username and password have been tampered with, my injection will work.
If a user were to use this username and password:
Username: SOME_VALID_USERNAME' OR '1'='1 --
Password: anything
They would get access without knowing the password.
I have written a patch. It is attached.
Essentially, add the line: $strUserName = mysql_real_escape_string($strUserName);
Login.php PATCH
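Added example (not the reporter's attached patch): the vulnerable query from login.php next to a prepared-statement version, run against an in-memory SQLite table through PDO so it executes without a MySQL server. The table, the account and the password are constructed for this example; it assumes PHP with pdo_sqlite.

```php
<?php
// Added example, not code from login.php: same table layout, in-memory SQLite via PDO.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE tblSecurity (id INTEGER PRIMARY KEY, userID TEXT, password TEXT, securityLevel INTEGER)");
// Constructed sample account; passwords are stored as md5 only to mirror login.php.
$db->exec("INSERT INTO tblSecurity (userID, password, securityLevel) VALUES ('alice', '" . md5('correct horse') . "', 1)");

// Vulnerable: the username is concatenated into the SQL text, exactly as in login.php,
// so quote characters in it are parsed as SQL syntax.
function vulnerableLogin(PDO $db, string $strUserName, string $strPassword): ?array {
    $strPassword = md5($strPassword);
    $strSQL = "SELECT id, securityLevel FROM tblSecurity WHERE userID='$strUserName' AND password='$strPassword'";
    $row = $db->query($strSQL)->fetch(PDO::FETCH_NUM);
    return $row === false ? null : $row;
}

// Hardened: bound parameters keep the username as data; it can never change the
// query structure, whatever quotes or comment markers it contains.
function safeLogin(PDO $db, string $strUserName, string $strPassword): ?array {
    $stmt = $db->prepare("SELECT id, securityLevel FROM tblSecurity WHERE userID = ? AND password = ?");
    $stmt->execute([$strUserName, md5($strPassword)]);
    $row = $stmt->fetch(PDO::FETCH_NUM);
    return $row === false ? null : $row;
}

// The username/password pair from the report, against both versions.
$injected = "alice' OR '1'='1 --";
var_dump(vulnerableLogin($db, $injected, 'anything'));  // injected text reaches the SQL parser
var_dump(safeLogin($db, $injected, 'anything'));        // same text treated as a literal username
var_dump(safeLogin($db, 'alice', 'correct horse'));     // legitimate login through the hardened path
```

Escaping with mysql_real_escape_string closes the reported hole for this one query, but a bound parameter removes the string-building step altogether and does not depend on the connection's character set.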