How can I bypass my login script?

Question

I've created a below script, which is intentionally not secure, in order to learn a bit more about cyber security.

session_start();

if($_SESSION['userSession']) {
    header("location: home.php");
}


if($_POST) {
    $username = $_POST['username'];
    $password = $_POST['password'];

    $con = mysqli_connect("localhost", "myUsername", "myPassword", "myDatabase");
    if(!$con) {
        die("Error: " . mysqli_connect_error());
    }

    $query = "SELECT * FROM users WHERE username = '$username' && password='$password'";
    $result = mysqli_query($con, $query);
    $numResults = mysqli_num_rows($result);

    if($numResults == 1) {
        $row = mysqli_fetch_array($result, MYSQLI_ASSOC);
        $_SESSION['userSession'] = $row['id'];
        header("location: home.php");
    } else {
        echo "Error Logging In";
    }
    mysqli_close($con);
}

As you can see, I have not escaped the user input and the password has not been hashed. Therefore, I am presuming that this should be an easily hackable login. However, I have attempted to use the below input in both of the username and password fields, but always get the output "Error Logging In".

password' OR '1' = '1'";

How can I try to bypass/hack my login script?

Answer 1

如果我们直接使用 sql 语句来获取用户名和密码字段，那么它可以通过' OR '1' = '1模式绕过，因为当你在用户名和密码字段中放置' OR '1' = '1时，值会继续sql 语句，并且在该语句中' or '1' = '1在所有情况下都是正确的，这就是登录可以绕过的原因。