<?php
session_start();
require('actions/database.php');

if (isset($_POST['validate'])) {
    // check that every form field has been filled in
    if (!empty($_POST['pseudo']) AND !empty($_POST['password'])) {
        // the user's submitted data
        // (htmlspecialchars() is an HTML output encoder; applied to input here it does
        //  nothing against SQL injection and rewrites any &, <, > or quote character
        //  in the values before they are used)
        $user_pseudo = htmlspecialchars($_POST['pseudo']);
        $user_password = htmlspecialchars($_POST['password']);
        // check via the pseudo whether the user exists
        // (prepared statement: the value is bound as a parameter, not spliced into the SQL)
        $CheckIfUserExists = $bdd->prepare('SELECT * FROM `users` WHERE pseudo=?');
        $CheckIfUserExists->execute(array($user_pseudo));
        if ($CheckIfUserExists->rowCount() > 0) {
            $user_infos = $CheckIfUserExists->fetch();
            // check the password against the stored hash
            if (password_verify($user_password, $user_infos['mdp'])) {
                // password correct: authenticate the user
                session_regenerate_id(true); // new session id on login, against session fixation
                $_SESSION['auth'] = true;
                $_SESSION['id'] = $user_infos['id'];
                $_SESSION['lastname'] = $user_infos['nom'];
                $_SESSION['firstname'] = $user_infos['prenom'];
                $_SESSION['pseudo'] = $user_infos['pseudo'];
                // redirect the user to the home page
                header("Location: index.php");
                exit; // stop here so nothing after the redirect header is executed
            } else {
                $errormsg = "Your password is incorrect";
            }
        } else {
            // debugging message: echoes the submitted pseudo and password back to the page
            $errormsg = "Your pseudo is incorrect/ $user_pseudo, $user_password";
        }
    } else {
        $errormsg = "Please fill in all the fields";
    }
}

I'm trying a SQLi to bypass the login or extract data. I think the query I inject is not recognised, maybe because of the htmlspecialchars. If there's a way to do any SQL injection here, how can I prevent it?

help

Augustin
  • Using a prepared statement with parameters prevents SQL injection. – Barmar Oct 06 '22 at 17:11
  • htmlspecialchars has absolutely nothing to do with SQL injection; I don't know where you got that idea from. It can help with preventing XSS attacks, which is a totally separate issue. Its use in this code, however, is completely inappropriate in the place it's being used: it's an output encoder, not an input filter. Used as it is here, it could even corrupt the data before it's stored in the database. – ADyson Oct 06 '22 at 17:13
  • Meanwhile, this code should not be vulnerable to any SQL injection because of the correct usage of prepared statements and parameters when writing the query. – ADyson Oct 06 '22 at 17:13
  • Reference: [How can I prevent SQL injection in PHP?](https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) – ADyson Oct 06 '22 at 17:14

1 Answer


If you want to allow SQL injection, you have to substitute the parameter directly into the query, instead of using a prepared statement with parameters.

// the value is spliced into the SQL text (concatenated here: a single-quoted PHP literal would not interpolate $user_pseudo)
$CheckIfUserExists = $bdd->query('SELECT * FROM `users` WHERE pseudo= "' . $user_pseudo . '"');
Barmar
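As an added example, not code from the question or from the answer, here is the same user lookup written both ways (spliced into the SQL text as in the answer, and as the question's prepared statement) and run against an in-memory SQLite database through PDO, so it can be executed offline with the `php` CLI. It also shows ADyson's point that htmlspecialchars() on the password corrupts the data rather than protecting it. The table and column names (users, pseudo, mdp) follow the question; the sample users, the payload and the function names lookupInterpolated/lookupPrepared are constructed for this demo. The interpolated query puts single quotes around the value because SQLite reads "..." as an identifier first; on MySQL the answer's double-quoted form behaves the same way.

```php
<?php
// Added example, not code from the question or the answer: the same user
// lookup written both ways, run against an in-memory SQLite database through
// PDO so it executes offline. Table/column names (users, pseudo, mdp) follow
// the question; the sample users, the payload and the function names are
// constructed for this demo.

$bdd = new PDO('sqlite::memory:');
$bdd->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$bdd->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, pseudo TEXT, mdp TEXT)');
$insert = $bdd->prepare('INSERT INTO users (pseudo, mdp) VALUES (?, ?)');
$insert->execute(['augustin', password_hash('correct horse', PASSWORD_DEFAULT)]);
$insert->execute(['admin', password_hash('another secret', PASSWORD_DEFAULT)]);

// The answer's variant: the value is spliced into the SQL text, so a quote
// character in it ends the string literal and the rest is parsed as SQL.
// (Single quotes around the value because SQLite reads "..." as an identifier
// first; on MySQL the answer's double-quoted form behaves the same.)
function lookupInterpolated(PDO $bdd, string $pseudo): array
{
    $sql = "SELECT * FROM `users` WHERE pseudo = '$pseudo'";
    return $bdd->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// The question's variant: the value is bound as a parameter after the SQL
// has been parsed, so it can only ever be compared as data.
function lookupPrepared(PDO $bdd, string $pseudo): array
{
    $stmt = $bdd->prepare('SELECT * FROM `users` WHERE pseudo = ?');
    $stmt->execute([$pseudo]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed payload: closes the quoted literal and appends a tautology, so
// in the interpolated variant the WHERE clause becomes  pseudo = '' OR '1'='1'
$payload = "' OR '1'='1";

foreach (['interpolated' => 'lookupInterpolated', 'prepared' => 'lookupPrepared'] as $label => $fn) {
    $rows = $fn($bdd, $payload);
    printf("%-13s %d row(s) matched; pseudos: %s\n",
        $label, count($rows), implode(', ', array_column($rows, 'pseudo')));
}

// Why htmlspecialchars() on the password is a bug rather than a protection:
// when the hash was computed over the raw password (as at registration), a
// password containing an HTML-special character is rewritten before
// password_verify() sees it and no longer matches the stored hash.
$hash = password_hash('p&ss<word>', PASSWORD_DEFAULT);
printf("raw password verifies:     %s\n", password_verify('p&ss<word>', $hash) ? 'yes' : 'no');
printf("encoded password verifies: %s\n", password_verify(htmlspecialchars('p&ss<word>'), $hash) ? 'yes' : 'no');
```

Run with `php demo.php`: the interpolated lookup matches every user because the tautology makes the WHERE clause true for each row, while the prepared lookup matches none because no user is literally named `' OR '1'='1`. The last two lines show the raw password verifying and the htmlspecialchars()-encoded one failing, which is the data corruption the comments describe.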