I used Praneeth Madush's Advanced-PHP-Login-System script in my projects. This script is based on a user class. This class contains four functions. These functions don't seem to use MySQL prepared statements. This script appears to be a security risk. For example, this is the insert function:
    public function insert($data){
        if(!empty($data) && is_array($data)){
            $columns = '';
            $values = '';
            $i = 0;
            if(!array_key_exists('created',$data)){
                $data['created'] = date("Y-m-d H:i:s");
            }
            if(!array_key_exists('modified',$data)){
                $data['modified'] = date("Y-m-d H:i:s");
            }
            foreach($data as $key=>$val){
                $pre = ($i > 0)?', ':'';
                $columns .= $pre.$key;
                $values .= $pre."'".$val."'";
                $i++;
            }
            $query = "INSERT INTO ".$this->userTbl." (".$columns.") VALUES (".$values.")";
            $insert = $this->db->query($query);
            return $insert?$this->db->insert_id:false;
        }else{
            return false;
        }
    }
My question: is this script secure? What are the bugs in this script? Is it resistant to SQL injection attacks?
Yes, it is vulnerable to SQL injection if the user can input anything in $data and it isn't modified. Example:
    // I guess 2 values:
    $val['column1'] = "x',select password from mysql.user where user='root');--";
    $val['column2'] = 'doesntmatter';
    // then, after the foreach loop has wrapped each value in quotes:
    $values = "'x',select password from mysql.user where user='root');--', 'doesntmatter'";
    // then your query will be:
    $query = "INSERT INTO usertable (column1, column2) VALUES ('x',select password from mysql.user where user='root');--', 'doesntmatter')";
Here I just replaced the column2 value with the user password of your database, and I would have that nicely printed on my user account on your site. But that's just one thing; if anything can be input, everything can come out.
For bugs, just run the thing and we might help you with errors.
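
A prepared-statement counterpart to the insert() function in the question, as an added example that is not part of the original posts or of the Advanced-PHP-Login-System code. The table name `users`, the column allow-list and the function names `buildInsert` and `insertUser` are assumptions made for illustration.

```php
<?php
// Added example: hardened counterpart of insert(). ALLOWED_COLUMNS and the
// table name `users` are assumptions, not taken from the original script.
const ALLOWED_COLUMNS = ['first_name', 'last_name', 'email', 'created', 'modified'];

/**
 * Build a parameterized INSERT. Values never enter the SQL text; keys are
 * accepted only if they appear in the allow-list, because identifiers
 * (column names) cannot be bound as parameters.
 */
function buildInsert(string $table, array $data, array $allowed): array
{
    if ($data === []) {
        throw new InvalidArgumentException('No data to insert');
    }
    $now = date('Y-m-d H:i:s');
    $data += ['created' => $now, 'modified' => $now]; // add only if missing

    foreach (array_keys($data) as $column) {
        if (!in_array($column, $allowed, true)) {
            throw new InvalidArgumentException("Unexpected column: $column");
        }
    }
    $columns = '`' . implode('`, `', array_keys($data)) . '`';
    $marks   = implode(', ', array_fill(0, count($data), '?'));
    return ["INSERT INTO `$table` ($columns) VALUES ($marks)", array_values($data)];
}

/** Execute the statement with mysqli; returns the new id or false. */
function insertUser(mysqli $db, array $data)
{
    [$sql, $params] = buildInsert('users', $data, ALLOWED_COLUMNS);
    $stmt = $db->prepare($sql);
    if ($stmt === false) {
        return false;
    }
    // Every value is bound as a string parameter, so quotes in it are data.
    $stmt->bind_param(str_repeat('s', count($params)), ...$params);
    return $stmt->execute() ? $db->insert_id : false;
}

// Constructed input modelled on the answer's payload: it stays a bound value.
[$sql, $params] = buildInsert('users', [
    'first_name' => "x',select password from mysql.user where user='root');--",
    'email'      => 'doesntmatter',
], ALLOWED_COLUMNS);
echo $sql, PHP_EOL; // the SQL text contains placeholders only
print_r($params);   // the payload appears here, as a parameter
```

The allow-list matters as much as the placeholders: the original function also concatenates the array keys into the query, so keys taken from request data would remain injectable even with bound values.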