romadebrian / WEB-Sekolah

Source Code untuk Web sekolah (CMS)
https://cms-websekolah3.000webhostapp.com/
MIT License
46 stars 40 forks

Akun Control exists to store xss #18

Open 2537463005 opened 4 days ago

2537463005 commented 4 days ago

Access http://ip/Admin/akun.php triggers XSS:

```php
<?php
include "../koneksi.php";

// Form fields are read straight from the POST body, with no validation.
$Username = $_POST['Username'];
$Password = md5($_POST['Password']);
$Level = $_POST['Level'];

// The username is interpolated directly into the query string.
// Note: mysql_error() is the old mysql_* function, so this die() would
// not report the mysqli error; the project code is reproduced as-is.
$sql = mysqli_query($koneksi, "SELECT * FROM akun WHERE username = '$Username' ") or die(mysql_error());

if (mysqli_num_rows($sql) == 0) {
    // The raw values are written to the akun table unchanged.
    $input_akun = "INSERT INTO akun (username, password, level) VALUES ('$Username', '$Password', '$Level');";
    (mysqli_query($koneksi, $input_akun));
    header('location:akun.php');
} else {
    echo (" ");
}
?>
```

After the parameters are accepted, they are directly stored in the database without any filtering.
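A hardened version of the same handler, added here as an example and not taken from the project: it validates the role against a fixed list, uses prepared statements so the submitted values never become part of the SQL text, and escapes stored values when they are rendered, which is where the stored payload would otherwise execute. It assumes `koneksi.php` provides a mysqli connection in `$koneksi` and that the `akun` table has the `username`, `password` and `level` columns shown in the report; the role names in `$allowedLevels` are assumed.

```php
<?php
// Added example (not the project's code). Assumes koneksi.php defines $koneksi (mysqli)
// and the akun table has columns username, password, level as in the report.
include "../koneksi.php";

// Accept only known role values; the real role names are an assumption here.
$allowedLevels = ['admin', 'guru', 'siswa'];
$Username = trim($_POST['Username'] ?? '');
$Password = $_POST['Password'] ?? '';
$Level    = $_POST['Level'] ?? '';

if ($Username === '' || $Password === '' || !in_array($Level, $allowedLevels, true)) {
    http_response_code(400);
    exit('Invalid input');
}

// Prepared statement: the username is bound as data, never spliced into the query.
$check = mysqli_prepare($koneksi, "SELECT 1 FROM akun WHERE username = ?");
mysqli_stmt_bind_param($check, 's', $Username);
mysqli_stmt_execute($check);
mysqli_stmt_store_result($check);
$exists = mysqli_stmt_num_rows($check) > 0;
mysqli_stmt_close($check);

if (!$exists) {
    // Salted, slow hash instead of the unsalted md5() in the original handler.
    $hash = password_hash($Password, PASSWORD_DEFAULT);
    $ins = mysqli_prepare($koneksi,
        "INSERT INTO akun (username, password, level) VALUES (?, ?, ?)");
    mysqli_stmt_bind_param($ins, 'sss', $Username, $hash, $Level);
    mysqli_stmt_execute($ins);
    mysqli_stmt_close($ins);
}

// Escape on output: wherever akun.php prints a stored username or level,
// encode it for the HTML context instead of echoing the raw column value.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}
// e.g. echo '<td>' . e($row['username']) . '</td>';

header('Location: akun.php');
exit;
```

Switching the stored hash to `password_hash()` means the login handler must compare with `password_verify()` rather than recomputing `md5()`.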