Posted by Bill Karwin on 08/22/06 15:50

Ignoramus20689 wrote:
> I am not a PHP expert (I do mod_perl), but it would seem that this
> code is likely to be a good candidate for SQL injection attack.

Possibly, unless $username and $password have been filtered already
using mysql_real_escape_string
(http://www.php.net/manual/en/function.mysql-real-escape-string.php) or
something like it. We don't see the code (presumably in include.php3)
that gets these values.

I'd also be worried because it looks like they are storing passwords in
clear text. They should store a hash of the password and compare the
hash of what the user enters to what's stored in the database.

Also, are they forcing this page to connect via HTTPS? Otherwise,
passwords are being sent over the net in clear text.

To say nothing of the fact that they have allowed PHP code to be
returned to the browser.

Regards,
Bill K.
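
The two fixes recommended in the reply above (keeping user input out of the SQL text, and storing and comparing a password hash), shown as an added example that is not part of the post or of the code under discussion. Assumptions: the `users` table and its column names, the `register`/`login` helpers, an in-memory SQLite database through PDO standing in for MySQL, bound parameters in place of escaping, and PHP's `password_hash`/`password_verify` as the hashing scheme.

```php
<?php
// Added example. Table, columns and function names are assumptions.
// SQLite in memory stands in for MySQL so the script runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)');

// Hash checked for unknown users so both paths do the same amount of work.
define('DUMMY_HASH', password_hash('placeholder', PASSWORD_DEFAULT));

// Registration: store only a salted hash, never the clear-text password.
function register(PDO $db, string $username, string $password): void
{
    $stmt = $db->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)');
    $stmt->execute([$username, password_hash($password, PASSWORD_DEFAULT)]);
}

// Login: $username is a bound parameter, so quotes in it are data, not SQL.
// The password never reaches the query; it is only checked against the hash.
function login(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $hash = $stmt->fetchColumn();
    if ($hash === false) {
        password_verify($password, DUMMY_HASH); // unknown user
        return false;
    }
    return password_verify($password, $hash);
}

// Constructed sample data.
register($db, 'alice', 'correct horse battery');

// The stored value is a hash, not the password itself.
$stored = $db->query("SELECT password_hash FROM users WHERE username = 'alice'")->fetchColumn();
var_dump($stored !== 'correct horse battery');

var_dump(login($db, 'alice', 'correct horse battery')); // right password
var_dump(login($db, 'alice', 'wrong password'));        // wrong password
// Input containing quotes is treated as a literal username and matches no row.
var_dump(login($db, "alice' OR '1'='1", 'anything'));
```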