In the query
"SELECT id_user, login, password FROM ".$this->conf->tablePrefix."users WHERE login='".$user."' AND password='".$password."'"
params aren't escaped, so an SQL injection attack can be performed.
After I installed a local copy, if I use for login (notice the
single quote and empty password)
username : ' OR 1 #
password : ""
the resulting query would be:
SELECT id_user, login, password FROM users WHERE login='' OR 1 # AND password=''
and I was logged in!!!
the correct query is
"SELECT id_user, login, password FROM ".$this->conf->tablePrefix."users WHERE login='".mysql_real_escape_string($user)."' AND password='".mysql_real_escape_string($password)."'"
version for testing: 0.85
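Added example, not part of the report above or of the project's code: the reported login query rebuilt against an in-memory SQLite table (constructed sample rows, table and column names taken from the report), first with the same string concatenation and then with placeholders, which is the fix that supersedes mysql_real_escape_string (removed from PHP 7). Because SQLite has no `#` comment, the report's `' OR 1 #` input is written here with SQLite's `--` comment.

```python
import sqlite3

# Constructed sample rows standing in for the tablePrefix."users" table of the report.
# Plaintext passwords only mirror the query under discussion; real systems store hashes.
USERS = [(1, "alice", "s3cret"), (2, "bob", "hunter2")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id_user INTEGER, login TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", USERS)
    return conn


def vulnerable_login(conn, user, password):
    """Mirrors the reported code: user input is concatenated straight into the SQL text."""
    sql = ("SELECT id_user, login, password FROM users WHERE login='"
           + user + "' AND password='" + password + "'")
    return conn.execute(sql).fetchone()


def safe_login(conn, user, password):
    """Fixed form: bound parameters keep the input as data, never as SQL syntax."""
    sql = "SELECT id_user, login, password FROM users WHERE login=? AND password=?"
    return conn.execute(sql, (user, password)).fetchone()


# SQLite equivalent of the report's login value; '--' plays the role of MySQL's '#'.
BYPASS_USER = "' OR 1 --"


def demo():
    """Returns the row each variant yields for valid credentials and for the bypass input."""
    conn = make_db()
    return {
        "valid_vulnerable": vulnerable_login(conn, "alice", "s3cret"),
        "valid_safe": safe_login(conn, "alice", "s3cret"),
        "bypass_vulnerable": vulnerable_login(conn, BYPASS_USER, ""),  # a row: logged in
        "bypass_safe": safe_login(conn, BYPASS_USER, ""),              # None: rejected
    }


if __name__ == "__main__":
    for name, row in demo().items():
        print(f"{name}: {row}")
```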