authormarcinzelent <zelent.marcin@gmail.com>2018-06-16 22:50:18 +0200
committermarcinzelent <zelent.marcin@gmail.com>2018-06-16 22:50:18 +0200
commitb0cf064f819357feedc77d6d5eb0de49e122554a (patch)
tree2ba0defb81576326dbc25736174100bfd43f677c /examples-secure/sql-injection/login.php
parent7d93b9b60f0923b0f895d63b2d456b279a6ab774 (diff)
Added command injection example and secured examples
Diffstat (limited to 'examples-secure/sql-injection/login.php')
-rw-r--r--examples-secure/sql-injection/login.php25
1 files changed, 25 insertions, 0 deletions
diff --git a/examples-secure/sql-injection/login.php b/examples-secure/sql-injection/login.php
new file mode 100644
index 0000000..f0340e3
--- /dev/null
+++ b/examples-secure/sql-injection/login.php
@@ -0,0 +1,25 @@
+<?php
+ class MyDB extends SQLite3 {
+ function __construct() {
+ $this->open('users.db');
+ }
+ }
+
+ if(isset($_POST['email'], $_POST['pass']))
+ {
+ $email = $_POST['email'];
+ $pass = $_POST['pass'];
+
+ $db = new MyDB();
+
+ $sql = $db->prepare('SELECT * FROM Users WHERE email=:email AND password=:pass');
+ $sql->bindValue(':email', $email, SQLITE3_TEXT);
+ $sql->bindValue(':pass', $pass, SQLITE3_TEXT);
+
+ $ret = $sql->execute();
+ while($row = $ret->fetchArray(SQLITE3_ASSOC)) {
+ echo 'Logged in as '.$row['email'].'<br>';
+ }
+ $db->close();
+ }
+?>
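Review bot: The matched address is echoed unescaped into the page on `echo 'Logged in as '.$row['email'].'<br>';`, so any stored email containing markup is rendered as HTML; the parameterised query closes the SQL injection but not this output-side hole, and `htmlspecialchars($row['email'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')` is the one-call fix. Separately, `WHERE email=:email AND password=:pass` compares the submitted password directly with the stored column, which can only succeed if the database keeps passwords in the clear — for a file under examples-secure it would be better to select by email alone and verify with `password_verify()` against a `password_hash()` value, as sketched below. Minor: `$db->close()` is skipped if `execute()` fails, though that is acceptable for a teaching snippet.
```php
$sql = $db->prepare('SELECT * FROM Users WHERE email=:email');
$sql->bindValue(':email', $email, SQLITE3_TEXT);

$ret = $sql->execute();
while ($row = $ret->fetchArray(SQLITE3_ASSOC)) {
    // Assumes the password column now stores a password_hash() result — confirm against users.db.
    if (password_verify($pass, $row['password'])) {
        echo 'Logged in as '.htmlspecialchars($row['email'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8').'<br>';
    }
}
// … unchanged: $db->close(); …
```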