From 5753ca2cee5dfbd07ff125d0d6889742a7ffc997 Mon Sep 17 00:00:00 2001
From: teikakki <dafocabar@gmail.com>
Date: Wed, 28 Nov 2018 14:26:55 +0000
Subject: [PATCH] Disabling emulated parameters

Emulated parameters can be vulnerable to SQL injection.
See also: https://stackoverflow.com/questions/134099/are-pdo-prepared-statements-sufficient-to-prevent-sql-injection
---
 var/www/html/login.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/var/www/html/login.php b/var/www/html/login.php
index 7129f93..a9bb009 100644
--- a/var/www/html/login.php
+++ b/var/www/html/login.php
@@ -1,7 +1,7 @@
 <?php
 include('../common.php');
 try{
-	$db=new PDO('mysql:host=' . DBHOST . ';dbname=' . DBNAME, DBUSER, DBPASS, [PDO::ATTR_ERRMODE=>PDO::ERRMODE_WARNING, PDO::ATTR_PERSISTENT=>PERSISTENT]);
+	$db=new PDO('mysql:host=' . DBHOST . ';dbname=' . DBNAME, DBUSER, DBPASS, [PDO::ATTR_ERRMODE=>PDO::ERRMODE_WARNING, PDO::ATTR_PERSISTENT=>PERSISTENT, PDO::ATTR_EMULATE_PREPARES=>false]);	
 }catch(PDOException $e){
 	die('No Connection to MySQL database!');
 }
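Review bot: The DSN on the added line still sets no `charset`, so the connection character set is whatever the server defaults to; the Stack Overflow thread linked in the commit message recommends pinning the charset in the DSN in addition to turning emulation off. Consider `'mysql:host=' . DBHOST . ';dbname=' . DBNAME . ';charset=utf8mb4'` (utf8mb4 is an assumption; use the charset the schema actually uses). With native prepares a malformed statement is rejected at `prepare()`, and under `PDO::ERRMODE_WARNING` that call returns `false` instead of throwing, so the queries further down login.php (not visible in this hunk) should check the result, or the connection should use `PDO::ERRMODE_EXCEPTION`. The added line also ends in a stray tab.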