Time-Based Blind SQL Injection in /login.php

### Time-Based Blind SQL Injection in /login.php

**Describe the bug**  
A time-based blind SQL injection vulnerability exists in `/login.php`. The script directly concatenates user-supplied `username` and `password` parameters into the SQL query without any sanitization or parameterized binding. Although the code performs a strict type comparison after fetching the stored credentials (preventing a simple login bypass), an attacker can exploit the injection to extract sensitive data from the database using time‑based techniques.

**Steps to reproduce**  
1. Set up the project and ensure the database is initialized (preset admin account `admin` / `admin123` is available, but any login page is reachable).  
2. Send the following POST request to `http://127.0.0.1:3000/login.php` using a tool like Burp Suite, curl, or Postman:  

POST /login.php HTTP/1.1
Host: 127.0.0.1:3000
Content-Type: application/x-www-form-urlencoded

login=Sign+in&username=admin' OR SLEEP(5) AND '1'='1&password=any

3. Observe the server response time. A delay of approximately 5 seconds confirms the vulnerability.

**Describe the solution**  
To fix this vulnerability, always use parameterized queries (prepared statements) to separate SQL logic from user input.

Recommended fix (using MySQLi with prepared statements):  
```php
$stmt = $conn->prepare("SELECT * FROM login_tbl WHERE username = ?");
$stmt->bind_param("s", $username);
$stmt->execute();
$result = $stmt->get_result();

Alternatively, use PDO with prepared statements. Never concatenate $_POST values directly into SQL queries.

Screenshots
![](https://pic1.imgdb.cn/item/69bb00b998447adc351b2ad1.png)
![](https://pic1.imgdb.cn/item/69bb00e698447adc351b2ad6.png)

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Time-Based Blind SQL Injection in /login.php #240