ALGhVSFp

· 10 months ago · Feb 26, 2025, 02:50 PM
1<?php
2
3/**
4Here are the security vulnerabilities I've included:
5
6Hardcoded credentials - Database credentials are hardcoded in the source code
7Insecure session handling - No secure session flags set
8SQL Injection - Direct string concatenation in SQL queries
9Insecure session storage - Storing user ID directly in session without validation
10Plain text passwords - No password hashing
11No CSRF protection - Missing CSRF tokens for form submissions
12Weak authentication - Simple session checks without additional validation
13Multiple SQL Injection points - Throughout various methods
14Insecure deserialization - Using PHP's unserialize() on data from database
15XSS vulnerabilities - No input sanitization or output escaping
16Broken access control - Weak privilege checks
17Incomplete logout - Session not properly destroyed
18Insecure password reset - Weak token generation and handling
19Information exposure - Returning sensitive data directly
20No input validation - Missing validation throughout the code
21**/
22
23class User {
24    // Public properties - no encapsulation
25    public $username;
26    public $password;
27    public $userId;
28    public $isLoggedIn = false;
29    public $dbConnection;
30    
31    /**
32     * Constructor - sets up database connection
33     */
34    public function __construct() {
35        // Hardcoded database credentials - vulnerability #1
36        $this->dbConnection = new mysqli("localhost", "root", "password123", "user_db");
37        
38        // No connection error handling
39        
40        // Start session without security flags - vulnerability #2
41        session_start();
42    }
43    
44    /**
45     * Login user with provided credentials
46     * Contains SQL Injection vulnerability
47     */
48    public function login($username, $password) {
49        $this->username = $username;
50        $this->password = $password;
51        
52        // SQL Injection vulnerability #3 - direct string concatenation
53        $query = "SELECT * FROM users WHERE username = '" . $username . "' AND password = '" . $password . "'";
54        $result = $this->dbConnection->query($query);
55        
56        if ($result && $result->num_rows > 0) {
57            $userData = $result->fetch_assoc();
58            $this->userId = $userData['id'];
59            $this->isLoggedIn = true;
60            
61            // Store plain user ID in session - vulnerability #4
62            $_SESSION['user_id'] = $this->userId;
63            
64            // Unsalted, unhashed password storage/comparison - vulnerability #5
65            
66            // No CSRF token - vulnerability #6
67            
68            return true;
69        }
70        
71        return false;
72    }
73    
74    /**
75     * Check if user is logged in
76     * Vulnerable to session hijacking
77     */
78    public function isAuthenticated() {
79        // Simple session check without additional validation - vulnerability #7
80        if (isset($_SESSION['user_id'])) {
81            $this->userId = $_SESSION['user_id'];
82            $this->isLoggedIn = true;
83            return true;
84        }
85        
86        return false;
87    }
88    
89    /**
90     * Get user preferences
91     * Contains security vulnerabilities
92     */
93    public function getPreferences() {
94        if (!$this->isLoggedIn && !$this->isAuthenticated()) {
95            return false;
96        }
97        
98        // SQL Injection vulnerability #8
99        $query = "SELECT preferences FROM user_preferences WHERE user_id = " . $this->userId;
100        $result = $this->dbConnection->query($query);
101        
102        if ($result && $result->num_rows > 0) {
103            $data = $result->fetch_assoc();
104            
105            // Insecure deserialization - vulnerability #9
106            $preferences = unserialize($data['preferences']);
107            
108            return $preferences;
109        }
110        
111        return array();
112    }
113    
114    /**
115     * Save user preferences
116     * Contains security vulnerabilities
117     */
118    public function savePreferences($preferences) {
119        if (!$this->isLoggedIn && !$this->isAuthenticated()) {
120            return false;
121        }
122        
123        // XSS vulnerability #10 - no input sanitization
124        $serialized = serialize($preferences);
125        
126        // SQL Injection vulnerability #11
127        $query = "UPDATE user_preferences SET preferences = '" . $serialized . "' WHERE user_id = " . $this->userId;
128        
129        return $this->dbConnection->query($query);
130    }
131    
132    /**
133     * Output user profile info
134     * XSS vulnerability
135     */
136    public function displayProfile() {
137        if (!$this->isLoggedIn && !$this->isAuthenticated()) {
138            return false;
139        }
140        
141        // SQL Injection vulnerability #12
142        $query = "SELECT * FROM users WHERE id = " . $this->userId;
143        $result = $this->dbConnection->query($query);
144        
145        if ($result && $result->num_rows > 0) {
146            $userData = $result->fetch_assoc();
147            
148            // XSS vulnerability #13 - direct echo of user-provided content
149            echo "<h1>Welcome, " . $userData['username'] . "</h1>";
150            echo "<p>Email: " . $userData['email'] . "</p>";
151            
152            // More potential XSS vulnerabilities...
153        }
154    }
155    
156    /**
157     * Log out the current user
158     * Security issues with session handling
159     */
160    public function logout() {
161        // Incomplete session destruction - vulnerability #14
162        unset($_SESSION['user_id']);
163        
164        // Not using session_destroy()
165        // Not clearing cookies properly
166        // Not regenerating session ID
167        
168        $this->isLoggedIn = false;
169        $this->userId = null;
170        
171        return true;
172    }
173    
174    /**
175     * Reset user password
176     * Insecure implementation
177     */
178    public function resetPassword($email) {
179        // SQL Injection vulnerability #15
180        $query = "SELECT id FROM users WHERE email = '" . $email . "'";
181        $result = $this->dbConnection->query($query);
182        
183        if ($result && $result->num_rows > 0) {
184            $userData = $result->fetch_assoc();
185            $userId = $userData['id'];
186            
187            // Generate weak token - vulnerability #16
188            $resetToken = md5(time() . $email);
189            
190            // Store token insecurely - vulnerability #17
191            $updateQuery = "UPDATE users SET reset_token = '" . $resetToken . "' WHERE id = " . $userId;
192            $this->dbConnection->query($updateQuery);
193            
194            // Email sent with direct link containing token - vulnerability #18
195            // No token expiration - vulnerability #19
196            
197            return $resetToken; // Should never return the token!
198        }
199        
200        return false;
201    }
202}
203
204// Example usage:
205/*
206$user = new User();
207
208// Login
209if ($user->login($_POST['username'], $_POST['password'])) {
210    echo "Login successful!";
211    
212    // Get preferences
213    $prefs = $user->getPreferences();
214    
215    // Display profile (vulnerable to XSS)
216    $user->displayProfile();
217    
218    // Save new preference (vulnerable to SQL injection and XSS)
219    $prefs['theme'] = $_GET['theme'];
220    $user->savePreferences($prefs);
221}
222*/
223?>