Fix SQL injection in login using prepared statements

passman-dev/php/passman/login.php

@@ -26,16 +26,21 @@ if ($_SERVER["REQUEST_METHOD"] === "POST") {
 		// }
 		require_once __DIR__ . "/config.php";
 
-		// xxx' OR 1=1; -- '
+		// Use a prepared statement to prevent SQL injection.
-		$sql_query = "SELECT * FROM login_users WHERE username='{$username}' AND password='{$password}';";
+		$stmt = $conn->prepare("SELECT id FROM login_users WHERE username = ? AND password = ?");
-		//echo $sql_query;
 
-		// Check if the credentials are valid
+		if ($stmt === false) {
-		$result = $conn->query($sql_query);
+			// Fail closed (do not leak details in production).
+			die("Prepare failed.");
+		}
+
+		$stmt->bind_param("ss", $username, $password);
+		$stmt->execute();
+		$stmt->store_result();   // Needed to use $stmt->num_rows
 		unset($_POST['username']);
 		unset($_POST['password']);
 
-		if (!empty($result) && $result->num_rows >= 1) {
+		if ($stmt->num_rows >= 1) {
 			// Regenerate session ID to prevent session fixation!
 			//session_regenerate_id(true);
 
@@ -48,8 +53,8 @@ if ($_SERVER["REQUEST_METHOD"] === "POST") {
 			//	$_SESSION['user_id'] = $row['id'];
 			//}
 
-			// Free result set
+			// Close
-			$result -> free_result();
+			$stmt->close();
 			$conn -> close();
 
 			// Redirect to a dashboard page
@@ -58,7 +63,7 @@ if ($_SERVER["REQUEST_METHOD"] === "POST") {
 		} else {
 			$login_message = "Invalid username or password";
 		}
-
+		$stmt->close();
 		$conn -> close();
 	}
 }