why are you adding slashes to the password before converting it into md5? even if they have ' in the password the md5 would get rid of it when you use it in the query.
$uid=$_COOKIE['uid'];
$uname=$_COOKIE['uname'];
$sql="SELECT * FROM users WHERE username='$uname'";
The $uname is set from the value of 'uname' in the $_COOKIE array, but I see no input validation here.
If I were an evil attacker, I could send arbitrary cookie data to the server, it would end up in the $_COOKIE superglobal. If I include some SQL code, ... All input is evil!
Later, in the welcome.php the $_COOKIE['uname'] is echoed without any escapes.
No, that's not a problem. It's a disaster. Whoever wrote that should be shot. If you're going to stick things from a cookie into your database, at least have enough brains to use a prepared statement.
Use mysql_real_escape_string() instead of addslashes(). And the cookie contents can't be trusted. The usual way to do this is with a server-side session, but if a cookie is used the user id and name have to be protected; MD5 can be used to do that, too.
6 comments
[ 3.3 ms ] story [ 14.4 ms ] threadIf I were an evil attacker, I could send arbitrary cookie data to the server, it would end up in the $_COOKIE superglobal. If I include some SQL code, ... All input is evil!
Later, in the welcome.php the $_COOKIE['uname'] is echoed without any escapes.
No, that's not a problem. It's a disaster. Whoever wrote that should be shot. If you're going to stick things from a cookie into your database, at least have enough brains to use a prepared statement.