
Fix really simple injection that enabled one to login. Oops.

aquatix committed Apr 1, 2014
1 parent b970319 commit 348c185f40fac8988ffd5b9b20fc1106766bbe68
Showing with 9 additions and 4 deletions.
  1. +5 −0 modules/blog_methods.php
  2. +4 −4 root.php
@@ -37,6 +37,11 @@
*/
function login( $skel, $user, $pass )
{
/* Lets first escape this to prevent injection
* @TODO: use mysqli or PDO prepared statements instead */
$user = mysql_real_escape_string($user);
$pass = mysql_real_escape_string($pass);
/* verify user/pass combo with db */
$query = 'SELECT smplog_user.pass, smplog_user.id FROM smplog_user WHERE smplog_user.username="' . $user . '";';
$result = mysql_query( $query, $skel['dbLink'] );
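Review bot: The added `mysql_real_escape_string($user)` call omits the link identifier, so escaping follows whichever connection was opened last rather than `$skel['dbLink']`, which the query two lines below uses; pass it explicitly with `$user = mysql_real_escape_string($user, $skel['dbLink']);`. Escaping `$pass` also rewrites the password before whatever comparison follows, and the visible query never interpolates `$pass`, so a password containing a quote or backslash would presumably stop matching. The rest of login() is outside the hunk, so confirm how `$pass` is used before keeping that line. The @TODO names the durable fix: a prepared statement with the username bound as a parameter removes the dependence on escaping and on the connection character set.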
@@ -26,8 +26,8 @@
/* Enable error reporting */
//error_reporting( E_ERROR | E_WARNING | E_PARSE | E_NOTICE );
$skel['lastmodified'] = '2013-03-31';
$skel['page_version'] = '0.8.01';
$skel['lastmodified'] = '2014-04-01';
$skel['page_version'] = '0.8.02';
$skel['dateofcreation'] = '2003-12-22';
$section_name = 'root';
@@ -515,9 +515,9 @@
//$page_body .= "Pass<br/><input type=\"password\" name=\"pass\" size=\"16\" maxlength=\"16\" /><br/>\n";
//$page_body .= "<br/>\n";
$page_body .= "<h3>User</h3>\n";
$page_body .= "<p><input type=\"text\" name=\"user\" size=\"16\" maxlength=\"16\" /></p>\n";
$page_body .= "<p><input type=\"text\" name=\"user\" size=\"16\" /></p>\n";
$page_body .= "<h3>Pass</h3>\n";
$page_body .= "<p><input type=\"password\" name=\"pass\" size=\"16\" maxlength=\"16\" /><p>\n";
$page_body .= "<p><input type=\"password\" name=\"pass\" size=\"16\" /><p>\n";
$page_body .= "<input name=\"loginbtn\" value=\"Login\" type=\"submit\" />\n";
$page_body .= "</form>\n";
$page_body .= "</div>\n";
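Review bot: The new password field line still ends with `<p>` instead of `</p>`, leaving the paragraph unclosed; it should read `$page_body .= "<p><input type=\"password\" name=\"pass\" size=\"16\" /></p>\n";`. Dropping `maxlength` has no security cost, since it was only a browser-side hint. Nothing visible here bounds the length of `user` or `pass` on the server, though, so a length check in the login handler would be worth adding. The form's opening tag and the rest of this block are outside the hunk.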
