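<?php

/*
 * Level dispatcher for a staged login challenge.
 *
 * The `currentLevel` cookie carries the flag the player already holds. Each
 * branch of the switch at the bottom checks that level's condition against
 * the posted form and echoes the next flag, or the string '0' on failure.
 * The flag values ($flag_1 ... $flag_5) come from flags.php.
 */

require('flags.php');

/**
 * Compare the posted login form with one expected username/password pair.
 *
 * @param string $u Expected username.
 * @param string $p Expected password.
 * @return bool True only when both `user` and `passw` were posted as plain
 *              strings and match exactly.
 */
function authCred(string $u, string $p): bool
{
    $user = $_POST['user'] ?? null;
    $pass = $_POST['passw'] ?? null;

    // PHP turns `user[]=x` into an array; only plain strings can match.
    if (!is_string($user) || !is_string($pass)) {
        return false;
    }

    // hash_equals() takes the same time whether the first or the last byte
    // differs, so response timing does not narrow down the expected value.
    // Both comparisons always run for the same reason.
    $userOk = hash_equals($u, $user);
    $passOk = hash_equals($p, $pass);

    return $userOk && $passOk;
}

/**
 * Report whether the posted password starts with a quote character.
 *
 * Not called anywhere in this file.
 *
 * @return bool True when `user` is posted and `passw` is a non-empty string
 *              whose first byte is `"` or `'`.
 */
function checkInj(): bool
{
    $pass = $_POST['passw'] ?? null;

    // Reading offset 0 of an empty string (or of an array) is an error case,
    // not a match.
    if (!isset($_POST['user']) || !is_string($pass) || $pass === '') {
        return false;
    }

    return $pass[0] === '"' || $pass[0] === "'";
}

/**
 * Read one posted form field as a string.
 *
 * @param string $name Field name in $_POST.
 * @return string The posted value, or '' when the field is missing or was
 *                sent as an array.
 */
function postedField(string $name): string
{
    $value = $_POST[$name] ?? '';

    return is_string($value) ? $value : '';
}

/**
 * Blank a form value that mentions a data-modifying SQL keyword.
 *
 * A keyword blacklist is a coarse guard and is not what protects the data;
 * the read-only database handle in checkInDatabase() is.
 *
 * @param string $value Raw form value.
 * @return string '' when UPDATE, DELETE or DROP occurs anywhere in the value
 *                (any letter case), otherwise the value unchanged.
 */
function blankIfDestructive(string $value): string
{
    foreach (['UPDATE', 'DELETE', 'DROP'] as $keyword) {
        // Compare with false explicitly: a keyword at offset 0 yields 0,
        // which a bare truthiness test treats as "not found".
        if (stripos($value, $keyword) !== false) {
            return '';
        }
    }

    return $value;
}

/**
 * Run a query against the challenge database and return its first row.
 *
 * @param string $query Complete SQL statement.
 * @return array|false First result row keyed by column name, or false when
 *                     the query fails or yields no row.
 */
function checkInDatabase(string $query)
{
    try {
        // Read-only handle: the statement text is player-controlled in the
        // SQL-injection level, so nothing run through here may write.
        $handle = new SQLite3('secretDataBase.db', SQLITE3_OPEN_READONLY);

        // Failures become exceptions instead of PHP warnings, so SQL error
        // text is not emitted through PHP's warning output.
        $handle->enableExceptions(true);

        $result = $handle->query($query);
        $row = ($result === false) ? false : $result->fetchArray(SQLITE3_ASSOC);
        $handle->close();

        return $row;
    } catch (Exception $e) {
        // Malformed SQL or an unreadable database counts as "no match".
        return false;
    }
}

// A missing or array-valued cookie is treated as "no level yet".
$level = $_COOKIE['currentLevel'] ?? '';
if (!is_string($level)) {
    $level = '';
}

// NOTE(review): switch compares loosely (==). That is exact for ordinary
// string flags; confirm flags.php defines no numeric-looking values.
switch ($level) {
    case $flag_1:
        // Level 2 only requires that a `thisUser` field is posted at all.
        if (isset($_POST['thisUser'])) {
            echo $flag_2;
        } else {
            echo '0';
        }
        break;

    case $flag_2:
        // The filter has to run before the statement is assembled; applied
        // afterwards it has no effect on what reaches the database.
        $user = blankIfDestructive(postedField('user'));
        $passw = blankIfDestructive(postedField('passw'));

        // Built by string concatenation on purpose: this level is the
        // SQL-injection exercise. Code that is not an exercise binds the
        // values through SQLite3::prepare() and bindValue() instead.
        $badQuery = 'SELECT * FROM users WHERE username = "' . $user . '" and password = "' . $passw . '";';

        if (checkInDatabase($badQuery)) {
            echo $flag_3;
        } else {
            echo '0';
        }
        break;

    case $flag_3:
        // No server-side check for this level.
        break;

    case $flag_4:
        // NOTE(review): the expected credentials are hard-coded here;
        // presumably they are the puzzle answer. Confirm they are not reused
        // for any real account.
        if (authCred('LarsIX', 'FXrm264!&Rdjka')) {
            echo $flag_5;
        } else {
            echo '0';
        }
        break;

    default:
        // First level: default credentials.
        if (authCred('admin', 'admin')) {
            echo $flag_1;
        } else {
            echo '0';
        }
}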