
Question


Identify at least two different security vulnerabilities in the code. Explain the vulnerabilities you've found and explain how they could be exploited and how you'd fix them.

<?php
// $link is the mysqli connection; it is assumed to be opened before this point (not shown on the page)

// Define variables and initialize with empty values
$username = $password = "";
$username_err = $password_err = "";

// Processing form data when form is submitted
if($_SERVER["REQUEST_METHOD"] == "POST"){

    // Check if username is empty
    if(empty(trim($_POST["username"]))){
        $username_err = 'Please enter username.';
    } else{
        $username = trim($_POST["username"]);
    }

    // Check if password is empty
    if(empty(trim($_POST['password']))){
        $password_err = 'Please enter your password.';
    } else{
        $password = trim($_POST['password']);
    }

    // Validate credentials
    if(empty($username_err) && empty($password_err)){
        // Prepare a select statement
        $sql = "SELECT username, password FROM users WHERE username = ?";

        if($stmt = mysqli_prepare($link, $sql)){
            // Bind variables to the prepared statement as parameters
            mysqli_stmt_bind_param($stmt, "s", $param_username);

            // Set parameters
            $param_username = $username;

            // Attempt to execute the prepared statement
            if(mysqli_stmt_execute($stmt)){
                // Store result
                mysqli_stmt_store_result($stmt);

                // Check if username exists, if yes then verify password
                if(mysqli_stmt_num_rows($stmt) == 1){
                    // Bind result variables
                    mysqli_stmt_bind_result($stmt, $username, $hashed_password);
                    if(mysqli_stmt_fetch($stmt)){
                        if(password_verify($password, $hashed_password)){
                            /* Password is correct, so start a new session and
                               save the username to the session */
                            openlog('Lab4c', LOG_NDELAY, LOG_USER);
                            syslog(LOG_NOTICE, "Valid login");
                            session_start();
                            $_SESSION['username'] = $username;
                            header("location: welcome.php");
                        } else{
                            // Display an error message if password is not valid
                            $password_err = 'The password you entered was not valid.';
                            openlog('Lab4c', LOG_NDELAY, LOG_USER);
                            syslog(LOG_ERR, "Invalid credentials");
                        }
                    }
                } else{
                    // Display an error message if username doesn't exist
                    $username_err = 'No account found with that username.';
                }
            } else{
                echo "Oops! Something went wrong. Please try again later.";
            }
        }

        // Close statement
        mysqli_stmt_close($stmt);
    }

    // Close connection
    mysqli_close($link);
}
?>

Login

Login

Please fill in your credentials to login.

" method="post">

Don't have an account? Sign up now.
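
An added example, not part of the original question or the lab's code: one way to harden the login handler above against weaknesses visible in it (different messages for an unknown user and a wrong password, no new session id after login, a trimmed password, log lines that omit the account). `GENERIC_ERROR`, `check_login`, `handle_login` and the `$find_hash` callable, which stands in for the prepared SELECT, are hypothetical names, and the user store is constructed sample data.

```php
<?php
// Added example, not the lab's code. $find_hash is a hypothetical callable that
// stands in for the prepared SELECT and returns the stored hash or null.
const GENERIC_ERROR = 'Invalid username or password.';

function check_login(string $username, string $password, callable $find_hash): bool
{
    // Hash of a throwaway value, verified when no account matches, so both
    // failure paths run password_verify() and cost about the same.
    static $dummy = null;
    $dummy ??= password_hash('placeholder-value', PASSWORD_DEFAULT);

    $hash = $find_hash($username);
    $matches = password_verify($password, $hash ?? $dummy);
    return $hash !== null && $matches;
}

function handle_login(array $post, callable $find_hash): ?string
{
    $username = trim($post['username'] ?? '');
    $password = $post['password'] ?? '';    // not trimmed: spaces can be part of it
    if ($username === '' || $password === '') {
        return GENERIC_ERROR;
    }
    openlog('Lab4c', LOG_NDELAY, LOG_USER);
    // json_encode() escapes control characters so input cannot forge log lines.
    $who = json_encode($username, JSON_INVALID_UTF8_SUBSTITUTE);
    if (!check_login($username, $password, $find_hash)) {
        // Same message and same log event for unknown user and wrong password.
        syslog(LOG_WARNING, "Failed login for $who");
        return GENERIC_ERROR;
    }
    syslog(LOG_NOTICE, "Valid login for $who");
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    session_regenerate_id(true);            // fresh session id after authentication
    $_SESSION['username'] = $username;
    return null;                            // caller sends the redirect, then exit
}

// Constructed sample store; both requests below must get the same answer.
$users = ['alice' => password_hash('correct horse', PASSWORD_DEFAULT)];
$find = fn(string $u): ?string => $users[$u] ?? null;
$wrong_password = handle_login(['username' => 'alice', 'password' => 'x'], $find);
$unknown_user = handle_login(['username' => 'nobody', 'password' => 'x'], $find);
var_dump($wrong_password === $unknown_user);
```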
