Fix SQL injection in login using prepared statements part 2

.gitmodules

@@ -0,0 +1,3 @@
+[submodule "report/AUThReport"]
+	path = report/AUThReport
+	url = ssh://git@git.hoo2.net:222/hoo2/AUThReport.git

passman-dev/php/passman/login.php

@@ -26,16 +26,22 @@ if ($_SERVER["REQUEST_METHOD"] === "POST") {
 		// }
 		require_once __DIR__ . "/config.php";
 
-		// xxx' OR 1=1; -- '
+		// SQL injection mitigation: use a prepared statement with bound parameters.
-		$sql_query = "SELECT * FROM login_users WHERE username='{$username}' AND password='{$password}';";
+		// User input is treated strictly as data, not as part of the SQL syntax.
-		//echo $sql_query;
+		$stmt = $conn->prepare("SELECT id FROM login_users WHERE username = ? AND password = ?");
 
-		// Check if the credentials are valid
+		if ($stmt === false) {
-		$result = $conn->query($sql_query);
+			// Fail closed (do not leak details in production).
+			die("Prepare failed.");
+		}
+
+		$stmt->bind_param("ss", $username, $password);
+		$stmt->execute();
+		$stmt->store_result();   // Needed to use $stmt->num_rows
 		unset($_POST['username']);
 		unset($_POST['password']);
 
-		if (!empty($result) && $result->num_rows >= 1) {
+		if ($stmt->num_rows >= 1) {
 			// Regenerate session ID to prevent session fixation!
 			//session_regenerate_id(true);
 
@@ -48,8 +54,8 @@ if ($_SERVER["REQUEST_METHOD"] === "POST") {
 			//	$_SESSION['user_id'] = $row['id'];
 			//}
 
-			// Free result set
+			// Close
-			$result -> free_result();
+			$stmt->close();
 			$conn -> close();
 
 			// Redirect to a dashboard page
@@ -58,7 +64,7 @@ if ($_SERVER["REQUEST_METHOD"] === "POST") {
 		} else {
 			$login_message = "Invalid username or password";
 		}
-
+		$stmt->close();
 		$conn -> close();
 	}
 }

report/.gitignore

@@ -0,0 +1,6 @@
+# Report related files
+*.aux
+*.out
+*.log
+*.synctex.gz
+_minted-report/*

report/AUThReport

@@ -0,0 +1 @@
+Subproject commit 74ec4b5f6c66382e5f1b6d2e6930897e4ed53ea6