
Sql injection


ghost

After being tested by several people (including Jake), it is apparently not possible to SQL inject my login script. So I have decided to make it public:

```php
<?php
$auth = false;
$name = $_REQUEST['Name'];
$password = $_REQUEST['Pass'];
$dbcnx = @mysql_connect("localhost", "$secret", "$secret2");
mysql_select_db("$database");
if (!mysql_select_db("$table")) {
}

// Request values are interpolated straight into the query string.
$sql = "SELECT * FROM $table
        WHERE Name = '$name' AND
        Password = '$password'";

$result = mysql_query($sql, $dbcnx);
$num = mysql_num_rows($result);

if ($num != 0) {
    $auth = true;
}

if (!$auth) {
    setcookie('user', '');
    setcookie('pass', '');
    setcookie('auth', '');
    header('Location: index.php');
    // Execution continues after the redirect header; nothing stops the script here.
}
if ($auth) {
    // The connection and the same query are repeated a second time.
    $dbcnx = @mysql_connect("localhost", "$secret", "$secret2");
    mysql_select_db("$database");
    if (!mysql_select_db("$table")) {
    }

    $sql = "SELECT * FROM $table
            WHERE Name = '$name' AND
            Password = '$password'";

    $result = mysql_query($sql, $dbcnx);
    $row = mysql_fetch_array($result);
    $points = $row["Points"];
    $name2 = $row["Name"];
    $pass2 = $row["Password"];

    if (strcmp($name, $name2) == 0) {
        if (strcmp($pass2, $password) == 0) {
            // Credentials are stored in plain cookies and used by index.php.
            setcookie("user", $name2);
            setcookie("pass", $pass2);
            setcookie('auth', 'true');
            header('Location: index.php');
        }
    }
}
header('Location: index.php');
```

I know this code is sloppy; in fact it is terrible (sorry about that). Well, what's everyone's verdict? I think it is possible, but I suck at SQL injection.

Any ideas would help. I know how to patch it; I just would like to do it in a real-world situation. Nothing better than my own site!

Extra info: the index page displays different content depending on your privileges.


ghost

Lol, always need to distinguish me from the group ;)

It is somewhat vulnerable (Not to SQL injection though).

If it is invalid, you need to redirect the user AND kill the script.

Here is the same thing but cleaned up…


```php
<?php
@mysql_connect('localhost', $secret, $secret2) or
    die('Could not connect to database.');

@mysql_select_db($table) or
    die('Could not select a database');

// Escape the request values before they are placed inside the query string.
$name = mysql_real_escape_string($_REQUEST['Name']);
$pass = mysql_real_escape_string($_REQUEST['Pass']);

$query = mysql_query("SELECT Points, Name, Password FROM $table
                      WHERE Name=\"$name\" AND Password=\"$pass\"");

$authed = mysql_num_rows($query) ? TRUE : FALSE;

if (!$authed) {
    foreach ($_COOKIE as $k => $v)
        setcookie($k, '');

    header('Location: index.php');

    // Stop the script here; without exit everything below still runs after the redirect.
    exit;
}

// list() needs a numerically indexed row, so fetch_row rather than fetch_assoc.
list($points, $name2, $pass2) = mysql_fetch_row($query);

// No need for more checks. . . it's already valid!

?>
```

ghost

Thank you. You are a legend.

Could you please tell me how I could exploit it so I can try it before patching, just to see what it would be like. That is, if you can be bothered.

Thanks. As previously stated, you are a legend!

P.S. Sorry for setting you apart, but you are no. 1, the best hacker here!


ghost

shuts eyes to avoid watching the ass kissing


ghost

Lol.

Anyway, the page may continue to be parsed if you do not terminate the script (by either the exit or die command).

Example: This is how I hacked HBH before. Their admin panel tried to redirect my browser, but I sent a script with the specified POST data. It parsed the POST data and created a backup of the database and THEN tried to send me to the login page.
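As an added example, not code from either poster, this is the same login flow written the way a defender would want it: a prepared statement so the submitted name cannot change the query, password_verify() against a stored hash instead of a plaintext comparison, a server-side session instead of user/pass cookies, and exit immediately after each redirect so nothing below it runs. The table and column names (users, Name, Password, Points), the PDO connection details and the use of $_POST are assumptions.

```php
<?php
// Added example, not from the thread. Assumes a `users` table with columns
// Name, Password (a password_hash() value) and Points; DSN/credentials are placeholders.
session_start();

function redirect_and_stop(string $location): void
{
    header('Location: ' . $location);
    // PHP keeps executing after header(); the scripts in the thread fell through
    // here, so exit makes sure nothing below the redirect runs.
    exit;
}

function authenticate(PDO $db, string $name, string $password): ?array
{
    // Bound parameter: the username travels as data, never as SQL text.
    $stmt = $db->prepare('SELECT Name, Password, Points FROM users WHERE Name = :name');
    $stmt->execute([':name' => $name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Unknown user and wrong password take the same path, so the response
    // does not reveal which one failed.
    if ($row === false || !password_verify($password, $row['Password'])) {
        return null;
    }
    return ['name' => $row['Name'], 'points' => (int) $row['Points']];
}

$db = new PDO('mysql:host=localhost;dbname=example;charset=utf8mb4', 'dbuser', 'dbpass', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // server-side prepared statements
]);

$name     = (string) ($_POST['Name'] ?? '');
$password = (string) ($_POST['Pass'] ?? '');

$user = authenticate($db, $name, $password);
if ($user === null) {
    $_SESSION = [];
    session_destroy();
    redirect_and_stop('index.php');
}

// Privilege state stays server-side: no user/pass cookies reach the client.
session_regenerate_id(true);
$_SESSION['auth']   = true;
$_SESSION['user']   = $user['name'];
$_SESSION['points'] = $user['points'];
redirect_and_stop('index.php');
```

index.php would then read $_SESSION['auth'] and $_SESSION['points'] rather than trusting cookies the client can rewrite.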


ghost

WOW, that's awesome!


ghost

puts head in jumper and hands over ears. Damn you and your ass kissing!


ghost

That wasn't ass kissing! It really is awesome. I am still a newb, and to be able to do that is pretty kewl if you ask me.


ghost

Dude, you aren't a noob if you can do that. A noob would be someone who would ask what PHP stands for. It's a good script. Butttt... ass kissing.


ghost

^