"We're replacing an old PHP website," writes Roggo. "To examine the existing functionality and test the install, we were given access to the live site. Out of curiosity, I had a look at the code that we are soon to replace. The first file I opened was called mug_password_forgotten.php; I was greeted by line 8:"

$sql = "select muguser_id, muguser_directory " . 
       "from mugusers " . 
       "where muguser_active = 1 " . 
       " and muguser_email = '" . $_POST["email"] . "' ";

mug.php. This file revealed that the developers of MUG had been aware of the dangers of SQL injection attacks, and that they'd put safeguards in place."

$link = "index.php";

$u = $_POST["username"];
$p = $_POST["password"];

//prevent sql injection
if(strpos($u, " ") > 0 or strpos($p, " ") > 0) {
	header("location:$link");
	exit;
}
elseif(strpos($u, "'") > 0 or strpos($p, "'") > 0) {
	header("location:$link");
	exit;
}
elseif(strpos($u, "\"") > 0 or strpos($p, "\"") > 0) {
	header("location:$link");
	exit;
}
elseif(strpos($u, "or ") > 0 or strpos($p, "or ") > 0) {
	header("location:$link");
	exit;
}
elseif(strpos($u, " or") > 0 or strpos($p, " or") > 0) {
	header("location:$link");
	exit;
}
elseif(strpos($u, " or ") > 0 or strpos($p, " or ") > 0) {
	header("location:$link");
	exit;
}
elseif(strpos($u, "OR ") > 0 or strpos($p, "OR ") > 0) {
	header("location:$link");
	exit;
}
elseif(strpos($u, " OR") > 0 or strpos($p, " OR") > 0) {
	header("location:$link");
	exit;
}
elseif(strpos($u, " OR ") > 0 or strpos($p, " OR ") > 0) {
	header("location:$link");
	exit;
}

Roggo continues, "Why this industrious solution was not copied over to mug_password_forgotten.php, I can only speculate. The Real WTF, however, is that they are using string comparisons to secure the site against SQL injection attacks. Every child knows this is insecure and that Best Practice would be to harness the power of regular expressions. I'd use the expression /(OR)?[' "](OR)?/i due to its pleasing symmetry and its faithful reproduction of the original idea."
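Neither a denylist of characters nor a regex is the right layer for this: the fix is to keep user input out of the SQL text altogether. As an added illustration, not part of Roggo's submission or the MUG code, here are both queries written with PDO prepared statements; the $pdo connection details, the muguser_username and muguser_password_hash columns, and the use of password_verify() are assumptions.

```php
<?php
// Added example (not code from the MUG site): the same two lookups written
// with PDO prepared statements, so user input can never alter the SQL text.
// The connection, the column names muguser_username / muguser_password_hash
// and the hashing scheme are assumptions made for this example.

function findUserByEmail(PDO $pdo, string $email): ?array
{
    // The placeholder is bound after the statement is parsed, so quotes,
    // spaces or the word OR inside $email are data, never SQL.
    $stmt = $pdo->prepare(
        'SELECT muguser_id, muguser_directory
           FROM mugusers
          WHERE muguser_active = 1 AND muguser_email = :email'
    );
    $stmt->execute([':email' => $email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

function authenticate(PDO $pdo, string $username, string $password): ?int
{
    // No strpos() denylist: the username is a bound parameter, and the
    // password is checked against a stored hash (assumed column) in PHP,
    // not compared inside the SQL statement.
    $stmt = $pdo->prepare(
        'SELECT muguser_id, muguser_password_hash
           FROM mugusers
          WHERE muguser_active = 1 AND muguser_username = :username'
    );
    $stmt->execute([':username' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['muguser_password_hash'])) {
        return null;
    }
    return (int) $row['muguser_id'];
}

// Constructed usage standing in for the original mug.php checks.
$pdo = new PDO('mysql:host=localhost;dbname=mug', 'mug', 'secret', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares
]);
$userId = authenticate($pdo, $_POST['username'] ?? '', $_POST['password'] ?? '');
if ($userId === null) {
    header('Location: index.php');
    exit;
}
```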