From 75f47a76b06aad8cb4039e3fbeb427658a3c22ee Mon Sep 17 00:00:00 2001
From: Christos Choutouridis
Date: Sat, 10 Jan 2026 22:31:10 +0200
Subject: [PATCH] Fix SQL injection in login using prepared statements
---
 passman-dev/php/passman/login.php | 23 ++++++++++++++---------
 1 file changed, 14 insertions(+), 9 deletions(-)
diff --git a/passman-dev/php/passman/login.php b/passman-dev/php/passman/login.php
index 6552171..5f8aadf 100644
--- a/passman-dev/php/passman/login.php
+++ b/passman-dev/php/passman/login.php
@@ -26,16 +26,21 @@ if ($_SERVER["REQUEST_METHOD"] === "POST") {
 // }
 require_once __DIR__ . "/config.php";
- // xxx' OR 1=1; -- '
- $sql_query = "SELECT * FROM login_users WHERE username='{$username}' AND password='{$password}';";
- //echo $sql_query;
+ // Use a prepared statement to prevent SQL injection.
+ $stmt = $conn->prepare("SELECT id FROM login_users WHERE username = ? AND password = ?");
- // Check if the credentials are valid
- $result = $conn->query($sql_query);
+ if ($stmt === false) {
+ // Fail closed (do not leak details in production).
+ die("Prepare failed.");
+ }
+
+ $stmt->bind_param("ss", $username, $password);
+ $stmt->execute();
+ $stmt->store_result(); // Needed to use $stmt->num_rows
 unset($_POST['username']);
 unset($_POST['password']);
- if (!empty($result) && $result->num_rows >= 1) {
+ if ($stmt->num_rows >= 1) {
 // Regenerate session ID to prevent session fixation!
 //session_regenerate_id(true);
@@ -48,8 +53,8 @@ if ($_SERVER["REQUEST_METHOD"] === "POST") {
 // $_SESSION['user_id'] = $row['id'];
 //}
- // Free result set
- $result -> free_result();
+ // Close
+ $stmt->close();
 $conn -> close();
 // Redirect to a dashboard page
@@ -58,7 +63,7 @@ if ($_SERVER["REQUEST_METHOD"] === "POST") {
 } else {
 $login_message = "Invalid username or password";
 }
-
+ $stmt->close();
 $conn -> close();
 }
 }
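Review bot: The new query on the `$stmt = $conn->prepare("SELECT id FROM login_users WHERE username = ? AND password = ?")` line closes the injection but still authenticates by equality on the `password` column, so — assuming `$password` is the raw value taken from `$_POST` as the `unset($_POST['password'])` line suggests — the table must hold cleartext passwords for a match to succeed. Fetch the stored hash by username instead and check it with `password_verify()`, which requires the column to hold `password_hash()` output; a sketch follows. The `$stmt->execute();` result is also unchecked, so a failed execute is indistinguishable from bad credentials (fail-closed, but worth logging server-side), and on PHP 8.1+ mysqli reports errors as exceptions by default, so the `$stmt === false` branch only runs if `config.php` lowers the report mode. The enclosing `if ($_SERVER["REQUEST_METHOD"] === "POST")` block starts before the hunk.
```php
$stmt = $conn->prepare("SELECT id, password FROM login_users WHERE username = ?");
// … unchanged: prepare failure check …
$stmt->bind_param("s", $username);
$stmt->execute();
$stmt->store_result();
$stmt->bind_result($user_id, $password_hash);
// Verify against a password_hash() digest rather than comparing the stored column in SQL.
$authenticated = $stmt->fetch() && password_verify($password, $password_hash);
// … unchanged: unset of $_POST credentials …
if ($authenticated) {
```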
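Review bot: The added `$stmt->close();` after the `}` that ends the `else` block also runs on the success path, where the statement was already closed by the `$stmt->close();` introduced in the previous hunk; unless the redirect between them is followed by `exit`, which is not visible here, this is a second close, and calling a method on an already-closed mysqli_stmt throws an Error in PHP 8. Either move this close inside the `else` branch or drop the one in the success branch and keep only this shared one. The doubled `$conn -> close();` has the same shape but predates this commit. The enclosing if/else starts before the hunk.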