Pantsir (Панцирь)
Created 30 Aug 2025 | Updated 13 Feb 2026
Auth Service (PHP) - SQL Injection & Weak Hash
A PHP authentication service mixes legacy MD5 password storage with string-built SQL, enabling login bypass through injection.
php | 220 pts | 30 min

Story

Your team runs a subscription platform with a PHP authentication gateway in front of older internal services. During a migration, a "temporary compatibility path" was left in production for legacy users.

This week, fraud operations noticed account takeovers on high-value admin profiles even though no password reset events occurred.

System Context

The downloaded project includes:

  • public/index.php and public/login.php HTTP entry points
  • src/auth.php with insecure and secure login flows
  • src/db.php with local SQLite bootstrap and seed users

The expected behavior is simple: only users with valid credentials should receive an authenticated response.

Problem

The compatibility login flow mixes user input directly into query text, which allows request data to affect SQL logic instead of being treated strictly as data. This can lead to authentication bypass and unintended account access when crafted input alters the WHERE clause behavior. In parallel, the same path relies on legacy password hashing, which increases impact if credential data is exposed because weak hashes are much easier to crack at scale.
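
The two patterns described above, side by side, as an added example that is not the lab's src/auth.php. The table layout, function names and seed passwords are constructed assumptions, and everything runs against an in-memory SQLite database.

```php
<?php
declare(strict_types=1);

// Constructed in-memory database; table and column names are assumptions.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password_hash TEXT)');
$seed = $pdo->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)');
$seed->execute(['legacy_user', md5('constructed-password-1')]); // legacy MD5 row
$seed->execute(['migrated_user', password_hash('constructed-password-2', PASSWORD_DEFAULT)]);

// Weak pattern: request data becomes part of the SQL text, and an unsalted
// MD5 digest is compared inside the query. Shown for contrast only.
function login_legacy(PDO $pdo, string $user, string $pass): bool
{
    $sql = "SELECT id FROM users WHERE username = '$user' AND password_hash = '" . md5($pass) . "'";
    return $pdo->query($sql)->fetchColumn() !== false;
}

// Hardened form: input is bound as a parameter, the hash is verified in PHP,
// and a legacy MD5 row is upgraded to password_hash() on a successful login.
function login_secure(PDO $pdo, string $user, string $pass): bool
{
    $stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false;
    }
    $stored = $row['password_hash'];
    $isLegacy = preg_match('/^[0-9a-f]{32}$/', $stored) === 1; // bare MD5 hex digest
    $ok = $isLegacy
        ? hash_equals($stored, md5($pass))      // constant-time compare
        : password_verify($pass, $stored);
    if ($ok && ($isLegacy || password_needs_rehash($stored, PASSWORD_DEFAULT))) {
        $up = $pdo->prepare('UPDATE users SET password_hash = :h WHERE id = :id');
        $up->execute([':h' => password_hash($pass, PASSWORD_DEFAULT), ':id' => $row['id']]);
    }
    return $ok;
}

var_dump(login_secure($pdo, 'legacy_user', 'wrong-password'));
var_dump(login_secure($pdo, 'legacy_user', 'constructed-password-1'));
// After the successful login the stored value is no longer a bare MD5 digest.
$h = $pdo->query("SELECT password_hash FROM users WHERE username = 'legacy_user'")->fetchColumn();
var_dump(preg_match('/^[0-9a-f]{32}$/', $h) === 0);
```

Upgrading the hash at login time removes MD5 digests gradually; accounts that never log in again still hold the weak hash and need a forced reset or expiry.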

Goal

Find the exact vulnerable line in the project code.
