Is this hackable

https://www.hackthis.co.uk/levels/intermediate/2

well, first it should be $POST[“something”], otherwise it’s just an array.
second, you should put three signs of equal, ===, as that also checks the type. Otherwise, I can input 0, so $POST[“something”]=0 and as a result of that, $_POST[“something”]==“Thisismypassword” evaluates to true.

edit: seriously, wtf is wrong with the spacing?

@holographic Oh whoops, I forgot to add the [“x”] thingy.
And I do not really understand what you do with the second part of your post… seems like a major security threat. Can you tell me more?

@elhitch That would only work if you already know the password

http://stackoverflow.com/a/14712815

It only seems to affect when it gets hashed.

@Codex561 If the PHP code is written within the HTML, it’s totally hackable. Also it’s not completely impossible to try and guess the password, especially if the admin uses the same password for multiple services and one of them gets infiltrated by the attacker.

[quote=Holographic]
Otherwise, I can input 0, so $POST[“something”]=0 and as a result of that, $POST[“something”]==“Thisismypassword” evaluates to true.
[/quote]

Pardon?

if($_POST[?'input'?] == 'Something'){  
    echo 'True';  
} else {  
    echo 'False';  
}  

Are you saying that if I send 0 as a value, it would echo ‘True’ or have I misunderstood you?

[quote=Elhitch]
If the PHP code is written within the HTML, it’s totally hackable
[/quote]

And if it’s not? What’s the difference, I’d really like to know. You don’t only refer to form submissions right? Are you trying to say PHP code is not vulnerable when it’s not combined with HTML?

@Keeper Totally not. What I mean is that if it’s integrated within the HTML document itself, it’ll be plainly visible and open to exploits limited only by the imagination of the attacker. Yes, it’s possible to get the PHP file in other ways if it’s in a separate file, but that’s something only a determined person would do, which makes it… Less ‘hackable’.

Okay, that being said I agree with you.

@Keeper yes I was wrong in my message.

I confused it with the PHP declared variables.
If I have
$a='asdf'; if($a==0) //or directly if('asdf'==0) echo "true"; else echo "false";

It will echo true, but it doesn’t work if I send a post request with a param equal to 0

@Keeper a bit off topic but did you get all of the grammar right in your signature or is it just me? Cause I read it twice and still get lost after the 3rd phrase.