.gitmodules

@@ -1,3 +0,0 @@
-[submodule "report/AUThReport"]
-	path = report/AUThReport
-	url = ssh://git@git.hoo2.net:222/hoo2/AUThReport.git

passman-dev/php/passman/login.php

@@ -26,22 +26,16 @@ if ($_SERVER["REQUEST_METHOD"] === "POST") {
 		// }
 		require_once __DIR__ . "/config.php";
 
-		// SQL injection mitigation: use a prepared statement with bound parameters.
-		// User input is treated strictly as data, not as part of the SQL syntax.
-		$stmt = $conn->prepare("SELECT id FROM login_users WHERE username = ? AND password = ?");
+		// xxx' OR 1=1; -- '
+		$sql_query = "SELECT * FROM login_users WHERE username='{$username}' AND password='{$password}';";
+		//echo $sql_query;
 
-		if ($stmt === false) {
-			// Fail closed (do not leak details in production).
-			die("Prepare failed.");
-		}
-
-		$stmt->bind_param("ss", $username, $password);
-		$stmt->execute();
-		$stmt->store_result();   // Needed to use $stmt->num_rows
+		// Check if the credentials are valid
+		$result = $conn->query($sql_query);
 		unset($_POST['username']);
 		unset($_POST['password']);
 
-		if ($stmt->num_rows >= 1) {
+		if (!empty($result) && $result->num_rows >= 1) {
 			// Regenerate session ID to prevent session fixation!
 			//session_regenerate_id(true);
 
@@ -54,8 +48,8 @@ if ($_SERVER["REQUEST_METHOD"] === "POST") {
 			//	$_SESSION['user_id'] = $row['id'];
 			//}
 
-			// Close
-			$stmt->close();
+			// Free result set
+			$result -> free_result();
 			$conn -> close();
 
 			// Redirect to a dashboard page
@@ -64,7 +58,7 @@ if ($_SERVER["REQUEST_METHOD"] === "POST") {
 		} else {
 			$login_message = "Invalid username or password";
 		}
-		$stmt->close();
+
 		$conn -> close();
 	}
 }

report/.gitignore

@@ -1,6 +0,0 @@
-# Report related files
-*.aux
-*.out
-*.log
-*.synctex.gz
-_minted-report/*

report/AUThReport

@@ -1 +0,0 @@
-Subproject commit 74ec4b5f6c66382e5f1b6d2e6930897e4ed53ea6