Skip to content

Commit

Permalink
Fixed some bugs and SQL injection.
Browse files Browse the repository at this point in the history
  • Loading branch information
ItsTristan committed Apr 4, 2015
1 parent 45d5889 commit bfba26b
Show file tree
Hide file tree
Showing 3 changed files with 5 additions and 3 deletions.
5 changes: 3 additions & 2 deletions _login.php
Original file line number Diff line number Diff line change
Expand Up @@ -24,11 +24,12 @@ function redirect() {
require ('_database.php');
$user = $_POST['user'];
$pass = $_POST['pass'];
// <-- Bad.

$query = "SELECT user_name, class, person_id FROM users WHERE user_name = '$user' AND password = '$pass'";
$query = "SELECT user_name, class, person_id FROM users WHERE user_name = :username AND password = :password";

$statement = oci_parse($connection, $query);
oci_bind_by_name($statement, ':username', $user);
oci_bind_by_name($statement, ':password', $pass);
$results = oci_execute($statement);

// Did we get a valid result?
Expand Down
1 change: 1 addition & 0 deletions setup.sql
Original file line number Diff line number Diff line change
Expand Up @@ -11,6 +11,7 @@ DROP TABLE users;
DROP TABLE persons;
DROP SEQUENCE record_id_seq;
DROP SEQUENCE image_id_seq;
DROP SEQUENCE person_id_seq;

/*
* To store the personal information
Expand Down
2 changes: 1 addition & 1 deletion users.php
Original file line number Diff line number Diff line change
Expand Up @@ -12,7 +12,7 @@
</p>
<div>
<form id="searchform" required="1" name="search_users" method="get" action="<?php $PHP_SELF ?>" >
<input type="text" name="q" />
<input type="text" name="q" value="<?php echo $_GET['q']; ?>" />
<input type="submit" value="Search" />
</form>
</div>
Expand Down

0 comments on commit bfba26b

Please sign in to comment.