6 comments

[ 3.3 ms ] story [ 14.4 ms ] thread
why are you adding slashes to the password before converting it into md5? even if they have ' in the password the md5 would get rid of it when you use it in the query.
In the verifier.php I see a problem here:

    $uid=$_COOKIE['uid'];
    $uname=$_COOKIE['uname'];
    $sql="SELECT * FROM users WHERE username='$uname'";

The $uname is set from the value of 'uname' in the $_COOKIE array, but I see no input validation here.

If I were an evil attacker, I could send arbitrary cookie data to the server, it would end up in the $_COOKIE superglobal. If I include some SQL code, ... All input is evil!

Later, in the welcome.php the $_COOKIE['uname'] is echoed without any escapes.

> I see a problem here:

No, that's not a problem. It's a disaster. Whoever wrote that should be shot. If you're going to stick things from a cookie into your database, at least have enough brains to use a prepared statement.

Use mysql_real_escape_string() instead of addslashes(). And the cookie contents can't be trusted. The usual way to do this is with a server-side session, but if a cookie is used the user id and name have to be protected; MD5 can be used to do that, too.