From e625776c0bdd72137a396cb97098c5969ddcc303 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Andr=C3=A9=20Jochim?=
Date: Fri, 11 Dec 2020 13:19:36 +0100
Subject: [PATCH 1/2] Fix Vector 1 - Login Page: SQL Injection - admin / ' OR '1' = '1
---
 login.php | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/login.php b/login.php
index 0dce5fc..96eb383 100644
--- a/login.php
+++ b/login.php
@@ -2,8 +2,13 @@
 function login($username, $password) {
 global $db;
- $query = "select `id` from `users` where `username` = '$username' AND `password` = '$password'";
- $result = $db->query($query);
+ $query = "select `id` from `users` where `username` = ? AND `password` = ?";
+
+ $stmt = $db->prepare($query);
+ $stmt->bind_param("ss", $username, $password);
+ $stmt->execute();
+ $result = $stmt->get_result();
+
 if ($result->num_rows > 0 && $row = $result->fetch_assoc()) {
 $_SESSION['logged_in'] = true;
 $_SESSION['userid'] = $row['id'];
From 50218251f052a20f95436938d6f6524d5c7023c6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Andr=C3=A9=20Jochim?=
Date: Fri, 11 Dec 2020 13:20:50 +0100
Subject: [PATCH 2/2] Fix Vector 2 - Guestbook: XSS + SQL Injection
---
 guestbook.php | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/guestbook.php b/guestbook.php
index 5cc2e59..39b24a8 100644
--- a/guestbook.php
+++ b/guestbook.php
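Review bot: The rewritten query on the `+ $query = "select `id` from `users` where `username` = ? AND `password` = ?";` line still compares the submitted password against the stored column verbatim, so the users table has to hold plaintext passwords; the parameter binding closes the injection, but the credential check itself should select the stored hash by username only and verify it in PHP with password_verify() against a password_hash() digest. `$db->prepare()` returns false on failure and the following `bind_param()` call would then fatal, so either check its return value or enable `mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT)` where `$db` is opened; `get_result()` additionally depends on the mysqlnd driver, which the commit does not mention. Since the success branch that writes `$_SESSION['logged_in']` is in view, calling `session_regenerate_id(true)` there before setting the flags would also stop the pre-authentication session id from being carried into the logged-in session. The body of login() continues past the end of the hunk, so the rewrite below only covers the lines shown.
```php
function login($username, $password) {
    global $db;
    // Look the user up by name only; the password is checked in PHP, never inside SQL.
    $stmt = $db->prepare("select `id`, `password` from `users` where `username` = ? LIMIT 1");
    $stmt->bind_param("s", $username);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    // Requires the `password` column to hold password_hash() digests (existing plaintext rows need migrating).
    if ($row && password_verify($password, $row['password'])) {
        session_regenerate_id(true);
        $_SESSION['logged_in'] = true;
        $_SESSION['userid'] = $row['id'];
        // … unchanged: rest of the success branch …
```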
@@ -13,14 +13,19 @@ if(isset($_POST['entry']) && $_POST['entry'] != "") {
 $id = $_SESSION['userid'];
- $entry = $_POST['entry'];
+ $entry = strip_tags($_POST['entry']);
 $query = "select * from `users` where `id` = '$id' LIMIT 1";
 $result = $db->query($query);
 if ($row = $result->fetch_assoc()) {
 $username = $row['username'];
 }
- $query = "INSERT INTO `guestbook` (`username`, `entry`) VALUES ('$username', '$entry');";
- $result = $db->query($query);
+ $query = "INSERT INTO `guestbook` (`username`, `entry`) VALUES (?, ?);";
+
+ $stmt = $db->prepare($query);
+ $stmt->bind_param("ss", $username, $entry);
+ $stmt->execute();
+ $result = $stmt->get_result();
+
 $db->commit();
 print('