Added sqlInjection prevention.
The login form parameter username was vulnerable.
SQLMap output:
---------------------
POST parameter 'myusername' is vulnerable.
sqlmap identified the following injection point(s) with a total of 910 HTTP(s) requests:
---
Parameter: myusername (POST)
Type: boolean-based blind
Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
Payload: myusername=uoev' RLIKE (SELECT (CASE WHEN (6566=6566) THEN 0x756f6576 ELSE 0x28 END)) AND 'cyMw'='cyMw&mypassword=&Submit=TzWk
---------------------

Added a prepared statement to prevent SQL injection.
itmox committed Jan 10, 2016
1 parent c3b62db commit 0083ec6
Showing 1 changed file with 7 additions and 1 deletion.
8 changes: 7 additions & 1 deletion login/scripts/class.loginscript.php
Expand Up @@ -28,6 +28,8 @@ public function emailPull($id) {

//Queries database
$estmt = $edb->conn->query("SELECT email, username FROM $tbl_name WHERE id = '$id'");
//http://www.w3schools.com/php/php_mysql_prepared_statements.asp


$eresult = $estmt->fetch(PDO::FETCH_ASSOC);

Expand All @@ -52,7 +54,11 @@ public function checkLogin($tbl_name, $myusername, $mypassword) {
$err = "Error: " . $e->getMessage();
}

$stmt = $stmt = $db->conn->query("SELECT * FROM $tbl_name WHERE username='$myusername'");
$stmt = $stmt = $db->conn->prepare("SELECT * FROM $tbl_name WHERE username= :myusername");
$stmt->bindParm(':myusername', $myusrname);
$myusrname = $myusername;
stmt->execute();


// Gets query result
$result = $stmt->fetch(PDO::FETCH_ASSOC);
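Review bot: The new checkLogin code does not run as written: `bindParm` is not a PDOStatement method (the API is `bindParam`/`bindValue`) and `stmt->execute();` is missing the `$`, which is a parse error, so the login path fails before any query is issued. Binding `$myusrname` by reference and assigning it afterwards only works by accident of bindParam's late evaluation; the four lines are simpler and correct as `$stmt = $db->conn->prepare("SELECT * FROM $tbl_name WHERE username = :myusername");` / `$stmt->bindValue(':myusername', $myusername);` / `$stmt->execute();`, and `prepare()` returning `false` should be checked since the surrounding code already catches PDO errors. Note that `$tbl_name` is still interpolated into the SQL string (table names cannot be bound parameters), so it must come from a fixed allowlist rather than request input, and the first hunk leaves `emailPull`'s `WHERE id = '$id'` query unparameterized — it only adds a comment, so the same fix is still needed there. Both checkLogin and emailPull continue outside the hunks.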