Bad code

1. <?php
2.  
3. /**
4. Here are the security vulnerabilities I've included:
5.  
6. Hardcoded credentials - Database credentials are hardcoded in the source code
7. Insecure session handling - No secure session flags set
8. SQL Injection - Direct string concatenation in SQL queries
9. Insecure session storage - Storing user ID directly in session without validation
10. Plain text passwords - No password hashing
11. No CSRF protection - Missing CSRF tokens for form submissions
12. Weak authentication - Simple session checks without additional validation
13. Multiple SQL Injection points - Throughout various methods
14. Insecure deserialization - Using PHP's unserialize() on data from database
15. XSS vulnerabilities - No input sanitization or output escaping
16. Broken access control - Weak privilege checks
17. Incomplete logout - Session not properly destroyed
18. Insecure password reset - Weak token generation and handling
19. Information exposure - Returning sensitive data directly
20. No input validation - Missing validation throughout the code
21. **/
22.  
23. class User {
24.     // Public properties - no encapsulation
25.     public $username;
26.     public $password;
27.     public $userId;
28.     public $isLoggedIn = false;
29.     public $dbConnection;
30.    
31.     /**
32.      * Constructor - sets up database connection
33.      */
34.     public function __construct() {
35.         // Hardcoded database credentials - vulnerability #1
36.         $this->dbConnection = new mysqli("localhost", "root", "password123", "user_db");
37.        
38.         // No connection error handling
39.        
40.         // Start session without security flags - vulnerability #2
41.         session_start();
42.     }
43.    
44.     /**
45.      * Login user with provided credentials
46.      * Contains SQL Injection vulnerability
47.      */
48.     public function login($username, $password) {
49.         $this->username = $username;
50.         $this->password = $password;
51.        
52.         // SQL Injection vulnerability #3 - direct string concatenation
53.         $query = "SELECT * FROM users WHERE username = '" . $username . "' AND password = '" . $password . "'";
54.         $result = $this->dbConnection->query($query);
55.        
56.         if ($result && $result->num_rows > 0) {
57.             $userData = $result->fetch_assoc();
58.             $this->userId = $userData['id'];
59.             $this->isLoggedIn = true;
60.            
61.             // Store plain user ID in session - vulnerability #4
62.             $_SESSION['user_id'] = $this->userId;
63.            
64.             // Unsalted, unhashed password storage/comparison - vulnerability #5
65.            
66.             // No CSRF token - vulnerability #6
67.            
68.             return true;
69.         }
70.        
71.         return false;
72.     }
73.    
74.     /**
75.      * Check if user is logged in
76.      * Vulnerable to session hijacking
77.      */
78.     public function isAuthenticated() {
79.         // Simple session check without additional validation - vulnerability #7
80.         if (isset($_SESSION['user_id'])) {
81.             $this->userId = $_SESSION['user_id'];
82.             $this->isLoggedIn = true;
83.             return true;
84.         }
85.        
86.         return false;
87.     }
88.    
89.     /**
90.      * Get user preferences
91.      * Contains security vulnerabilities
92.      */
93.     public function getPreferences() {
94.         if (!$this->isLoggedIn && !$this->isAuthenticated()) {
95.             return false;
96.         }
97.        
98.         // SQL Injection vulnerability #8
99.         $query = "SELECT preferences FROM user_preferences WHERE user_id = " . $this->userId;
100.         $result = $this->dbConnection->query($query);
101.        
102.         if ($result && $result->num_rows > 0) {
103.             $data = $result->fetch_assoc();
104.            
105.             // Insecure deserialization - vulnerability #9
106.             $preferences = unserialize($data['preferences']);
107.            
108.             return $preferences;
109.         }
110.        
111.         return array();
112.     }
113.    
114.     /**
115.      * Save user preferences
116.      * Contains security vulnerabilities
117.      */
118.     public function savePreferences($preferences) {
119.         if (!$this->isLoggedIn && !$this->isAuthenticated()) {
120.             return false;
121.         }
122.        
123.         // XSS vulnerability #10 - no input sanitization
124.         $serialized = serialize($preferences);
125.        
126.         // SQL Injection vulnerability #11
127.         $query = "UPDATE user_preferences SET preferences = '" . $serialized . "' WHERE user_id = " . $this->userId;
128.        
129.         return $this->dbConnection->query($query);
130.     }
131.    
132.     /**
133.      * Output user profile info
134.      * XSS vulnerability
135.      */
136.     public function displayProfile() {
137.         if (!$this->isLoggedIn && !$this->isAuthenticated()) {
138.             return false;
139.         }
140.        
141.         // SQL Injection vulnerability #12
142.         $query = "SELECT * FROM users WHERE id = " . $this->userId;
143.         $result = $this->dbConnection->query($query);
144.        
145.         if ($result && $result->num_rows > 0) {
146.             $userData = $result->fetch_assoc();
147.            
148.             // XSS vulnerability #13 - direct echo of user-provided content
149.             echo "<h1>Welcome, " . $userData['username'] . "</h1>";
150.             echo "<p>Email: " . $userData['email'] . "</p>";
151.            
152.             // More potential XSS vulnerabilities...
153.         }
154.     }
155.    
156.     /**
157.      * Log out the current user
158.      * Security issues with session handling
159.      */
160.     public function logout() {
161.         // Incomplete session destruction - vulnerability #14
162.         unset($_SESSION['user_id']);
163.        
164.         // Not using session_destroy()
165.         // Not clearing cookies properly
166.         // Not regenerating session ID
167.        
168.         $this->isLoggedIn = false;
169.         $this->userId = null;
170.        
171.         return true;
172.     }
173.    
174.     /**
175.      * Reset user password
176.      * Insecure implementation
177.      */
178.     public function resetPassword($email) {
179.         // SQL Injection vulnerability #15
180.         $query = "SELECT id FROM users WHERE email = '" . $email . "'";
181.         $result = $this->dbConnection->query($query);
182.        
183.         if ($result && $result->num_rows > 0) {
184.             $userData = $result->fetch_assoc();
185.             $userId = $userData['id'];
186.            
187.             // Generate weak token - vulnerability #16
188.             $resetToken = md5(time() . $email);
189.            
190.             // Store token insecurely - vulnerability #17
191.             $updateQuery = "UPDATE users SET reset_token = '" . $resetToken . "' WHERE id = " . $userId;
192.             $this->dbConnection->query($updateQuery);
193.            
194.             // Email sent with direct link containing token - vulnerability #18
195.             // No token expiration - vulnerability #19
196.            
197.             return $resetToken; // Should never return the token!
198.         }
199.        
200.         return false;
201.     }
202. }
203.  
204. // Example usage:
205. /*
206. $user = new User();
207.  
208. // Login
209. if ($user->login($_POST['username'], $_POST['password'])) {
210.     echo "Login successful!";
211.    
212.     // Get preferences
213.     $prefs = $user->getPreferences();
214.    
215.     // Display profile (vulnerable to XSS)
216.     $user->displayProfile();
217.    
218.     // Save new preference (vulnerable to SQL injection and XSS)
219.     $prefs['theme'] = $_GET['theme'];
220.     $user->savePreferences($prefs);
221. }
222. */
223. ?>