Intentional Insecure php login - Unclear direction

Question

For a website vulnerabilities class we have been tasked with designing a php login with a mysql database that is intentionally exploitable. While I have some basic programming knowledge, and I have a "functioning" login page, I'm unsure how to make it insecure? That is, any SQL injection type queries I enter don't seem to be accepted, and when I run an add-on such as "SQL Inject Me", it also does not find any issues. I understand the concepts of how to sanitize user input, &_POST, querying the server, etc... But I haven't an extremely difficult time making it "hackable". Believe me, hours were spent tweaking and trying different things to no avail. I think I'm just having a hard time understanding this conceptually, so I'm perhaps not moving in the right direction.

If someone is willing to point me in the right direction, or give me some pointers, I would appreciate it.

These are basic SQL injection attacks I'm trying to make it vulnerable to here.

    <?php
session_start();
// store session data
$_SESSION['views']=1;
?>

    <?php
    //retrieve session data
    // echo "Pageviews=". $_SESSION['views'];
    ?>

<?php
// Create connection
$con=mysqli_connect("localhost","root","","logins");
if (mysqli_connect_errno())
  {
  echo "Failed to connect to MySQL: " . mysqli_connect_error();
  }
  $i=0;
  $userName = $_POST['username'];
  $userPass = $_POST['password'];

$result = mysqli_query($con,"SELECT * FROM users");

while($row = mysqli_fetch_array($result)){
    if($_POST['username'] == $row['Username'])
    {
    $i++;}
    if($_POST['password'] == $row['Password'])
    {
    $i++;}
    }

if($i>1){
echo "Winner";
}
else{
echo "Loser";}
//echo $row['Username'] . " " . $row['Password'];
//echo "<br>";


  //echo "<br>";
  //echo $_POST['username'];
  //echo "<br>";
  //echo $_POST['password'];
 // echo "<br>";


?>

Another Method I'm Dabling with:

<?php
session_start();
// store session data
$_SESSION['views']=1;
?>

    <?php
    //retrieve session data
    // echo "Pageviews=". $_SESSION['views'];
    ?>

<?php
// Create connection
$con=mysqli_connect("localhost","root","","logins");
if (mysqli_connect_errno())
  {
  echo "Failed to connect to MySQL: " . mysqli_connect_error();
  }

$verify = mysqli_query($con,"SELECT * FROM users");

while($row = mysqli_fetch_array($verify))
  {
    if (($_POST["username"] == $row['Username']) and ($_POST["password"] == $row['Password']))
        {
        echo "Winner " .$row['Firstname']." " .$row['Lastname'];
        }

        else
        {
        echo "Failure";
        }
    }

mysqli_close($con);
?>

Answer 1

For a piece of code to be open to SQL injection you simply need to take user input (typically from a form) and pass it to the database without escaping it.

As the input is not escaped the user can break out of the intended query.

The most basic example of this in PHP/MySQL is as follows:

$mysqli->query("SELECT * FROM some_table WHERE some_column = '{$_POST['some_field']}'");

In your example it would be passing the posted username/password to a database query without escaping it.

For protecting from SQL injection in mysqli you can either use real_escape_string or prepared statements.

For a login system generally it is best practise to query the database and see if a match is found rather than looping through every username and password stored to see if there is a match. Imagine if there were a million user accounts. That way you also don't need to transfer username/passwords from the database as you can just SELECT 1 and look at the number of rows returned. This makes for cleaner, faster, and more secure code.