Scanning file /home/rab/Downloads/bWAPP/aim.php
Found 0 SQL injections in /home/rab/Downloads/bWAPP/aim.php.
Scanning file /home/rab/Downloads/bWAPP/ba_captcha_bypass.php
Found 0 SQL injections in /home/rab/Downloads/bWAPP/ba_captcha_bypass.php.
Scanning file /home/rab/Downloads/bWAPP/ba_forgotten.php
In file ba_forgotten.php, line 45, col 17: $sql = "SELECT * FROM users WHERE email = '" . $email . "'";
Injectable variable $email. Other ocurrences:
L31 $email = $_POST["email"];
L33 if(!filter_var($email, FILTER_VALIDATE_EMAIL))
L43 $email = mysqli_real_escape_string($link, $email);
L43 $email = mysqli_real_escape_string($link, $email);
L45 $sql = "SELECT * FROM users WHERE email = '" . $email . "'";
L112 $status = @mail($email, $subject, $content, "From: $sender");
L161 $email_enc = urlencode($email);
L161 $email_enc = urlencode($email);
L164 $content.= "Click the link to reset and change your secret: http://" . $server . "/bWAPP/secret_change.php?email=" . $email_enc . "&reset_code=" . $reset_code . "\n\n";
L167 $status = @mail($email, $subject, $content, "From: $sender");
L183 $sql = "UPDATE users SET reset_code = '" . $reset_code . "' WHERE email = '" . $email . "'";
queries here:1
Found 1 SQL injections in /home/rab/Downloads/bWAPP/ba_forgotten.php.
Scanning file /home/rab/Downloads/bWAPP/ba_insecure_login.php
Found 0 SQL injections in /home/rab/Downloads/bWAPP/ba_insecure_login.php.
Scanning file /home/rab/Downloads/bWAPP/ba_insecure_login_1.php
Found 0 SQL injections in /home/rab/Downloads/bWAPP/ba_insecure_login_1.php.
Scanning file /home/rab/Downloads/bWAPP/ba_insecure_login_2.php
Found 0 SQL injections in /home/rab/Downloads/bWAPP/ba_insecure_login_2.php.
Scanning file /home/rab/Downloads/bWAPP/ba_insecure_login_3.php
Found 0 SQL injections in /home/rab/Downloads/bWAPP/ba_insecure_login_3.php.
Scanning file /home/rab/Downloads/bWAPP/ba_logout.php
Found 0 SQL injections in /home/rab/Downloads/bWAPP/ba_logout.php.
Scanning file /home/rab/Downloads/bWAPP/ba_logout_1.php
Found 0 SQL injections in /home/rab/Downloads/bWAPP/ba_logout_1.php.
Scanning file /home/rab/Downloads/bWAPP/ba_pwd_attacks.php
Found 0 SQL injections in /home/rab/Downloads/bWAPP/ba_pwd_attacks.php.
Scanning file /home/rab/Downloads/bWAPP/ba_pwd_attacks_1.php
Found 0 SQL injections in /home/rab/Downloads/bWAPP/ba_pwd_attacks_1.php.
Scanning file /home/rab/Downloads/bWAPP/ba_pwd_attacks_2.php
Found 0 SQL injections in /home/rab/Downloads/bWAPP/ba_pwd_attacks_2.php.
Scanning file /home/rab/Downloads/bWAPP/ba_pwd_attacks_3.php
Found 0 SQL injections in /home/rab/Downloads/bWAPP/ba_pwd_attacks_3.php.
Scanning file /home/rab/Downloads/bWAPP/ba_pwd_attacks_4.php
Found 0 SQL injections in /home/rab/Downloads/bWAPP/ba_pwd_attacks_4.php.
Scanning file /home/rab/Downloads/bWAPP/ba_weak_pwd.php
Found 0 SQL injections in /home/rab/Downloads/bWAPP/ba_weak_pwd.php.
Scanning file /home/rab/Downloads/bWAPP/backdoor.php
Found 0 SQL injections in /home/rab/Downloads/bWAPP/backdoor.php.
Scanning file /home/rab/Downloads/bWAPP/bof_1.php
Found 0 SQL injections in /home/rab/Downloads/bWAPP/bof_1.php.
Scanning file /home/rab/Downloads/bWAPP/bof_2.php
Found 0 SQL injections in /home/rab/Downloads/bWAPP/bof_2.php.
Scanning file /home/rab/Downloads/bWAPP/captcha.php
Found 0 SQL injections in /home/rab/Downloads/bWAPP/captcha.php.
Scanning file /home/rab/Downloads/bWAPP/captcha_box.php
Found 0 SQL injections in /home/rab/Downloads/bWAPP/captcha_box.php.
Scanning file /home/rab/Downloads/bWAPP/clickjacking.php
Found 0 SQL injections in /home/rab/Downloads/bWAPP/clickjacking.php.
Scanning file /home/rab/Downloads/bWAPP/commandi.php
Found 0 SQL injections in /home/rab/Downloads/bWAPP/commandi.php.
Scanning file /home/rab/Downloads/bWAPP/commandi_blind.php
Found 0 SQL injections in /home/rab/Downloads/bWAPP/commandi_blind.php.
Scanning file /home/rab/Downloads/bWAPP/config.inc.php
Found 0 SQL injections in /home/rab/Downloads/bWAPP/config.inc.php.
Scanning file /home/rab/Downloads/bWAPP/connect.php
Found 0 SQL injections in /home/rab/Downloads/bWAPP/connect.php.
Scanning file /home/rab/Downloads/bWAPP/connect_i.php
Found 0 SQL injections in /home/rab/Downloads/bWAPP/connect_i.php.
Scanning file /home/rab/Downloads/bWAPP/credits.php
Found 0 SQL injections in /home/rab/Downloads/bWAPP/credits.php.
Scanning file /home/rab/Downloads/bWAPP/cs_validation.php
In file cs_validation.php, line 102, col 17: $sql = "SELECT password FROM users WHERE login = '" . $login . "' AND password = '" . $password_curr . "'";
Injectable variable $login. Other ocurrences:
L93 $login = $_SESSION["login"];
L102 $sql = "SELECT password FROM users WHERE login = '" . $login . "' AND password = '" . $password_curr . "'";
L129 $sql = "UPDATE users SET password = '" . $password_new . "' WHERE login = '" . $login . "'";
queries here:1
Injectable variable $password_curr. Other ocurrences:
L98 $password_curr = $_REQUEST["password_curr"];
L99 $password_curr = mysqli_real_escape_string($link, $password_curr);
L99 $password_curr = mysqli_real_escape_string($link, $password_curr);
L100 $password_curr = hash("sha1", $password_curr, false);
L100 $password_curr = hash("sha1", $password_curr, false);
L102 $sql = "SELECT password FROM users WHERE login = '" . $login . "' AND password = '" . $password_curr . "'";
queries here:2
Found 2 SQL injections in /home/rab/Downloads/bWAPP/cs_validation.php.
Scanning file /home/rab/Downloads/bWAPP/csrf_1.php
In file csrf_1.php, line 88, col 29: $sql = "SELECT password FROM users WHERE login = '" . $login . "' AND password = '" . $password_curr . "'";
Injectable variable $login. Other ocurrences:
L52 $login = $_SESSION["login"];
L60 $sql = "UPDATE users SET password = '" . $password_new . "' WHERE login = '" . $login . "'";
L88 $sql = "SELECT password FROM users WHERE login = '" . $login . "' AND password = '" . $password_curr . "'";
L115 $sql = "UPDATE users SET password = '" . $password_new . "' WHERE login = '" . $login . "'";
queries here:1
Injectable variable $password_curr. Other ocurrences:
L84 $password_curr = $_REQUEST["password_curr"];
L85 $password_curr = mysqli_real_escape_string($link, $password_curr);
L85 $password_curr = mysqli_real_escape_string($link, $password_curr);
L86 $password_curr = hash("sha1", $password_curr, false);
L86 $password_curr = hash("sha1", $password_curr, false);
L88 $sql = "SELECT password FROM users WHERE login = '" . $login . "' AND password = '" . $password_curr . "'";
queries here:2
Found 2 SQL injections in /home/rab/Downloads/bWAPP/csrf_1.php.
Scanning file /home/rab/Downloads/bWAPP/csrf_2.php
Found 0 SQL injections in /home/rab/Downloads/bWAPP/csrf_2.php.
Scanning file /home/rab/Downloads/bWAPP/csrf_3.php
Found 0 SQL injections in /home/rab/Downloads/bWAPP/csrf_3.php.
Scanning file /home/rab/Downloads/bWAPP/directory_traversal_1.php
Found 0 SQL injections in /home/rab/Downloads/bWAPP/directory_traversal_1.php.
Scanning file /home/rab/Downloads/bWAPP/directory_traversal_2.php
Found 0 SQL injections in /home/rab/Downloads/bWAPP/directory_traversal_2.php.
Scanning file /home/rab/Downloads/bWAPP/functions_external.php
Found 0 SQL injections in /home/rab/Downloads/bWAPP/functions_external.php.
Scanning file /home/rab/Downloads/bWAPP/heartbleed.php
Found 0 SQL injections in /home/rab/Downloads/bWAPP/heartbleed.php.
Scanning file /home/rab/Downloads/bWAPP/hostheader_1.php
Found 0 SQL injections in /home/rab/Downloads/bWAPP/hostheader_1.php.
Scanning file /home/rab/Downloads/bWAPP/hostheader_2.php
In file hostheader_2.php, line 45, col 17: $sql = "SELECT * FROM users WHERE email = '" . $email . "'";
Injectable variable $email. Other ocurrences:
L31 $email = $_POST["email"];
L33 if(!filter_var($email, FILTER_VALIDATE_EMAIL))
L43 $email = mysqli_real_escape_string($link, $email);
L43 $email = mysqli_real_escape_string($link, $email);
L45 $sql = "SELECT * FROM users WHERE email = '" . $email . "'";
L113 $email_enc = urlencode($email);
L113 $email_enc = urlencode($email);
L116 $content.= "Click the link to reset and change your secret: http://" . $server . "/bWAPP/secret_change.php?email=" . $email_enc . "&reset_code=" . $reset_code . "\n\n";
L119 $status = @mail($email, $subject, $content, "From: $sender");
L135 $sql = "UPDATE users SET reset_code = '" . $reset_code . "' WHERE email = '" . $email . "'";
queries here:1
Found 1 SQL injections in /home/rab/Downloads/bWAPP/hostheader_2.php.
Scanning file /home/rab/Downloads/bWAPP/hpp-1.php
Found 0 SQL injections in /home/rab/Downloads/bWAPP/hpp-1.php.
Scanning file /home/rab/Downloads/bWAPP/hpp-2.php
In file hpp-2.php, line 147, col 13: $sql = "SELECT * FROM movies";
No dangerous concatenations in this query.
Found 0 SQL injections in /home/rab/Downloads/bWAPP/hpp-2.php.
Scanning file /home/rab/Downloads/bWAPP/hpp-3.php
In file hpp-3.php, line 47, col 17: $sql = "SELECT * FROM movies WHERE id = '" . sqli_check_2($movie) . "'";
Injectable variable $movie. Other ocurrences:
L45 $movie = $_REQUEST["movie"];
L47 $sql = "SELECT * FROM movies WHERE id = '" . sqli_check_2($movie) . "'";
queries here:1
Found 1 SQL injections in /home/rab/Downloads/bWAPP/hpp-3.php.
Scanning file /home/rab/Downloads/bWAPP/htmli_current_url.php
Found 0 SQL injections in /home/rab/Downloads/bWAPP/htmli_current_url.php.
Scanning file /home/rab/Downloads/bWAPP/htmli_get.php
Found 0 SQL injections in /home/rab/Downloads/bWAPP/htmli_get.php.
Scanning file /home/rab/Downloads/bWAPP/htmli_post.php
Found 0 SQL injections in /home/rab/Downloads/bWAPP/htmli_post.php.
Scanning file /home/rab/Downloads/bWAPP/htmli_stored.php
In file htmli_stored.php, line 81, col 16: $sql = "INSERT INTO blog (date, entry, owner) VALUES (now(),'" . $entry . "','" . $owner . "')";
Injectable variable $entry. Other ocurrences:
L25 $entry = "";
L68 $entry = htmli($_POST["entry"]);
L71 if($entry == "")
L81 $sql = "INSERT INTO blog (date, entry, owner) VALUES (now(),'" . $entry . "','" . $owner . "')";
L248 $entry_all = isset($_POST["entry_all"]) ? 1 : 0;
L250 if($entry_all == false)
queries here:1
Injectable variable $owner. Other ocurrences:
L26 $owner = "";
L69 $owner = $_SESSION["login"];
L81 $sql = "INSERT INTO blog (date, entry, owner) VALUES (now(),'" . $entry . "','" . $owner . "')";
queries here:2
In file htmli_stored.php, line 253, col 31: $sql = "SELECT * FROM blog WHERE owner = '" . $_SESSION["login"] . "'";
No dangerous concatenations in this query.
In file htmli_stored.php, line 264, col 4: $recordset = $link->query($sql);
No dangerous concatenations in this query.
Found 2 SQL injections in /home/rab/Downloads/bWAPP/htmli_stored.php.
Scanning file /home/rab/Downloads/bWAPP/http_response_splitting.php
Found 0 SQL injections in /home/rab/Downloads/bWAPP/http_response_splitting.php.
Scanning file /home/rab/Downloads/bWAPP/http_verb_tampering.php
In file http_verb_tampering.php, line 61, col 25: $sql = "SELECT password FROM users WHERE login = '" . $login . "'";
Injectable variable $login. Other ocurrences:
L56 $login = $_SESSION["login"];
L61 $sql = "SELECT password FROM users WHERE login = '" . $login . "'";
L77 $sql = "UPDATE users SET password = '" . $password_new . "' WHERE login = '" . $login . "'";
L137 $login = $_SESSION["login"];
L142 $sql = "SELECT password FROM users WHERE login = '" . $login . "'";
L158 $sql = "UPDATE users SET password = '" . $password_new . "' WHERE login = '" . $login . "'";
queries here:1
In file http_verb_tampering.php, line 142, col 25: $sql = "SELECT password FROM users WHERE login = '" . $login . "'";
Injectable variable $login. Other ocurrences:
L56 $login = $_SESSION["login"];
L61 $sql = "SELECT password FROM users WHERE login = '" . $login . "'";
L77 $sql = "UPDATE users SET password = '" . $password_new . "' WHERE login = '" . $login . "'";
L137 $login = $_SESSION["login"];
L142 $sql = "SELECT password FROM users WHERE login = '" . $login . "'";
L158 $sql = "UPDATE users SET password = '" . $password_new . "' WHERE login = '" . $login . "'";
queries here:2
Found 2 SQL injections in /home/rab/Downloads/bWAPP/http_verb_tampering.php.
Scanning file /home/rab/Downloads/bWAPP/iframei.php
Found 0 SQL injections in /home/rab/Downloads/bWAPP/iframei.php.
Scanning file /home/rab/Downloads/bWAPP/index.php
Found 0 SQL injections in /home/rab/Downloads/bWAPP/index.php.
Scanning file /home/rab/Downloads/bWAPP/info.php
Found 0 SQL injections in /home/rab/Downloads/bWAPP/info.php.
Scanning file /home/rab/Downloads/bWAPP/info_install.php
Found 0 SQL injections in /home/rab/Downloads/bWAPP/info_install.php.
Scanning file /home/rab/Downloads/bWAPP/information_disclosure_1.php
Found 0 SQL injections in /home/rab/Downloads/bWAPP/information_disclosure_1.php.
Scanning file /home/rab/Downloads/bWAPP/information_disclosure_2.php
Found 0 SQL injections in /home/rab/Downloads/bWAPP/information_disclosure_2.php.
Scanning file /home/rab/Downloads/bWAPP/information_disclosure_3.php
Found 0 SQL injections in /home/rab/Downloads/bWAPP/information_disclosure_3.php.
Scanning file /home/rab/Downloads/bWAPP/information_disclosure_4.php
Found 0 SQL injections in /home/rab/Downloads/bWAPP/information_disclosure_4.php.
Scanning file /home/rab/Downloads/bWAPP/insecure_crypt_storage_1.php
In file insecure_crypt_storage_1.php, line 27, col 9: $sql = "SELECT * FROM users WHERE login = '" . $login . "'";
Injectable variable $login. Other ocurrences:
L25 $login = $_SESSION["login"];
L27 $sql = "SELECT * FROM users WHERE login = '" . $login . "'";
queries here:1
Found 1 SQL injections in /home/rab/Downloads/bWAPP/insecure_crypt_storage_1.php.
Scanning file /home/rab/Downloads/bWAPP/insecure_crypt_storage_2.php
Found 0 SQL injections in /home/rab/Downloads/bWAPP/insecure_crypt_storage_2.php.
Scanning file /home/rab/Downloads/bWAPP/insecure_crypt_storage_3.php
In file insecure_crypt_storage_3.php, line 27, col 9: $sql = "SELECT * FROM users WHERE login = '" . $login . "'";
Injectable variable $login. Other ocurrences:
L25 $login = $_SESSION["login"];
L27 $sql = "SELECT * FROM users WHERE login = '" . $login . "'";
queries here:1
Found 1 SQL injections in /home/rab/Downloads/bWAPP/insecure_crypt_storage_3.php.
Scanning file /home/rab/Downloads/bWAPP/insecure_direct_object_ref_1.php
Found 0 SQL injections in /home/rab/Downloads/bWAPP/insecure_direct_object_ref_1.php.
Scanning file /home/rab/Downloads/bWAPP/insecure_direct_object_ref_2.php
Found 0 SQL injections in /home/rab/Downloads/bWAPP/insecure_direct_object_ref_2.php.
Scanning file /home/rab/Downloads/bWAPP/insecure_direct_object_ref_3.php
Found 0 SQL injections in /home/rab/Downloads/bWAPP/insecure_direct_object_ref_3.php.
Scanning file /home/rab/Downloads/bWAPP/insecure_iframe.php
Found 0 SQL injections in /home/rab/Downloads/bWAPP/insecure_iframe.php.
Scanning file /home/rab/Downloads/bWAPP/install.php
Found 0 SQL injections in /home/rab/Downloads/bWAPP/install.php.
Scanning file /home/rab/Downloads/bWAPP/insuff_transp_layer_protect_1.php
Found 0 SQL injections in /home/rab/Downloads/bWAPP/insuff_transp_layer_protect_1.php.
Scanning file /home/rab/Downloads/bWAPP/insuff_transp_layer_protect_2.php
Found 0 SQL injections in /home/rab/Downloads/bWAPP/insuff_transp_layer_protect_2.php.
Scanning file /home/rab/Downloads/bWAPP/insuff_transp_layer_protect_3.php
Found 0 SQL injections in /home/rab/Downloads/bWAPP/insuff_transp_layer_protect_3.php.
Scanning file /home/rab/Downloads/bWAPP/insuff_transp_layer_protect_4.php
Found 0 SQL injections in /home/rab/Downloads/bWAPP/insuff_transp_layer_protect_4.php.
Scanning file /home/rab/Downloads/bWAPP/lang_en.php
Found 0 SQL injections in /home/rab/Downloads/bWAPP/lang_en.php.
Scanning file /home/rab/Downloads/bWAPP/lang_fr.php
Found 0 SQL injections in /home/rab/Downloads/bWAPP/lang_fr.php.
Scanning file /home/rab/Downloads/bWAPP/lang_nl.php
Found 0 SQL injections in /home/rab/Downloads/bWAPP/lang_nl.php.
Scanning file /home/rab/Downloads/bWAPP/ldap_connect.php
Found 0 SQL injections in /home/rab/Downloads/bWAPP/ldap_connect.php.
Scanning file /home/rab/Downloads/bWAPP/ldapi.php
Found 0 SQL injections in /home/rab/Downloads/bWAPP/ldapi.php.
Scanning file /home/rab/Downloads/bWAPP/lfi_sqlitemanager.php
Found 0 SQL injections in /home/rab/Downloads/bWAPP/lfi_sqlitemanager.php.
Scanning file /home/rab/Downloads/bWAPP/login.php
In file login.php, line 36, col 13: $sql = "SELECT * FROM users WHERE login = '" . $login;
No dangerous concatenations in this query.
Found 0 SQL injections in /home/rab/Downloads/bWAPP/login.php.
Scanning file /home/rab/Downloads/bWAPP/logout.php
Found 0 SQL injections in /home/rab/Downloads/bWAPP/logout.php.
Scanning file /home/rab/Downloads/bWAPP/maili.php
Found 0 SQL injections in /home/rab/Downloads/bWAPP/maili.php.
Scanning file /home/rab/Downloads/bWAPP/manual_interv.php
Found 0 SQL injections in /home/rab/Downloads/bWAPP/manual_interv.php.
Scanning file /home/rab/Downloads/bWAPP/password_change.php
In file password_change.php, line 61, col 21: $sql = "SELECT password FROM users WHERE login = '" . $login . "' AND password = '" . $password_curr . "'";
Injectable variable $login. Other ocurrences:
L52 $login = $_SESSION["login"];
L61 $sql = "SELECT password FROM users WHERE login = '" . $login . "' AND password = '" . $password_curr . "'";
L88 $sql = "UPDATE users SET password = '" . $password_new . "' WHERE login = '" . $login . "'";
queries here:1
Injectable variable $password_curr. Other ocurrences:
L57 $password_curr = $_REQUEST["password_curr"];
L58 $password_curr = mysqli_real_escape_string($link, $password_curr);
L58 $password_curr = mysqli_real_escape_string($link, $password_curr);
L59 $password_curr = hash("sha1", $password_curr, false);
L59 $password_curr = hash("sha1", $password_curr, false);
L61 $sql = "SELECT password FROM users WHERE login = '" . $login . "' AND password = '" . $password_curr . "'";
queries here:2
Found 2 SQL injections in /home/rab/Downloads/bWAPP/password_change.php.
Scanning file /home/rab/Downloads/bWAPP/php_cgi.php
Found 0 SQL injections in /home/rab/Downloads/bWAPP/php_cgi.php.
Scanning file /home/rab/Downloads/bWAPP/php_eval.php
Found 0 SQL injections in /home/rab/Downloads/bWAPP/php_eval.php.
Scanning file /home/rab/Downloads/bWAPP/phpi.php
Found 0 SQL injections in /home/rab/Downloads/bWAPP/phpi.php.
Scanning file /home/rab/Downloads/bWAPP/phpi_sqlitemanager.php
Found 0 SQL injections in /home/rab/Downloads/bWAPP/phpi_sqlitemanager.php.
Scanning file /home/rab/Downloads/bWAPP/phpinfo.php
Found 0 SQL injections in /home/rab/Downloads/bWAPP/phpinfo.php.
Scanning file /home/rab/Downloads/bWAPP/portal.php
Found 0 SQL injections in /home/rab/Downloads/bWAPP/portal.php.
Scanning file /home/rab/Downloads/bWAPP/reset.php
Found 0 SQL injections in /home/rab/Downloads/bWAPP/reset.php.
Scanning file /home/rab/Downloads/bWAPP/restrict_device_access.php
Found 0 SQL injections in /home/rab/Downloads/bWAPP/restrict_device_access.php.
Scanning file /home/rab/Downloads/bWAPP/restrict_folder_access.php
Found 0 SQL injections in /home/rab/Downloads/bWAPP/restrict_folder_access.php.
Scanning file /home/rab/Downloads/bWAPP/rlfi.php
Found 0 SQL injections in /home/rab/Downloads/bWAPP/rlfi.php.
Scanning file /home/rab/Downloads/bWAPP/secret-cors-1.php
Found 0 SQL injections in /home/rab/Downloads/bWAPP/secret-cors-1.php.
Scanning file /home/rab/Downloads/bWAPP/secret-cors-2.php
Found 0 SQL injections in /home/rab/Downloads/bWAPP/secret-cors-2.php.
Scanning file /home/rab/Downloads/bWAPP/secret-cors-3.php
Found 0 SQL injections in /home/rab/Downloads/bWAPP/secret-cors-3.php.
Scanning file /home/rab/Downloads/bWAPP/secret.php
In file secret.php, line 25, col 9: $sql = "SELECT * FROM users WHERE login = '" . $login . "'";
Injectable variable $login. Other ocurrences:
L23 $login = $_SESSION["login"];
L25 $sql = "SELECT * FROM users WHERE login = '" . $login . "'";
queries here:1
Found 1 SQL injections in /home/rab/Downloads/bWAPP/secret.php.
Scanning file /home/rab/Downloads/bWAPP/secret_change.php
In file secret_change.php, line 35, col 13: $sql = "SELECT * FROM users WHERE email = '" . $email . "' AND BINARY reset_code = '" . $reset_code . "'";
Injectable variable $email. Other ocurrences:
L29 $email = $_POST["email"];
L30 $email = mysqli_real_escape_string($link, $email);
L30 $email = mysqli_real_escape_string($link, $email);
L35 $sql = "SELECT * FROM users WHERE email = '" . $email . "' AND BINARY reset_code = '" . $reset_code . "'";
L66 $sql = "UPDATE users SET reset_code = NULL, secret = '" . $secret . "' WHERE email = '" . $email . "'";
queries here:1
Found 1 SQL injections in /home/rab/Downloads/bWAPP/secret_change.php.
Scanning file /home/rab/Downloads/bWAPP/secret_html.php
In file secret_html.php, line 28, col 9: $sql = "SELECT * FROM users WHERE login = '" . $login . "'";
Injectable variable $login. Other ocurrences:
L26 $login = $_SESSION["login"];
L28 $sql = "SELECT * FROM users WHERE login = '" . $login . "'";
queries here:1
Found 1 SQL injections in /home/rab/Downloads/bWAPP/secret_html.php.
Scanning file /home/rab/Downloads/bWAPP/security.php
Found 0 SQL injections in /home/rab/Downloads/bWAPP/security.php.
Scanning file /home/rab/Downloads/bWAPP/security_level_check.php
Found 0 SQL injections in /home/rab/Downloads/bWAPP/security_level_check.php.
Scanning file /home/rab/Downloads/bWAPP/security_level_set.php
Found 0 SQL injections in /home/rab/Downloads/bWAPP/security_level_set.php.
Scanning file /home/rab/Downloads/bWAPP/selections.php
Found 0 SQL injections in /home/rab/Downloads/bWAPP/selections.php.
Scanning file /home/rab/Downloads/bWAPP/shellshock.php
Found 0 SQL injections in /home/rab/Downloads/bWAPP/shellshock.php.
Scanning file /home/rab/Downloads/bWAPP/sm_cors.php
Found 0 SQL injections in /home/rab/Downloads/bWAPP/sm_cors.php.
Scanning file /home/rab/Downloads/bWAPP/sm_cross_domain_policy.php
Found 0 SQL injections in /home/rab/Downloads/bWAPP/sm_cross_domain_policy.php.
Scanning file /home/rab/Downloads/bWAPP/sm_dos_1.php
Found 0 SQL injections in /home/rab/Downloads/bWAPP/sm_dos_1.php.
Scanning file /home/rab/Downloads/bWAPP/sm_dos_2.php
Found 0 SQL injections in /home/rab/Downloads/bWAPP/sm_dos_2.php.
Scanning file /home/rab/Downloads/bWAPP/sm_dos_3.php
Found 0 SQL injections in /home/rab/Downloads/bWAPP/sm_dos_3.php.
Scanning file /home/rab/Downloads/bWAPP/sm_dos_4.php
Found 0 SQL injections in /home/rab/Downloads/bWAPP/sm_dos_4.php.
Scanning file /home/rab/Downloads/bWAPP/sm_ftp.php
Found 0 SQL injections in /home/rab/Downloads/bWAPP/sm_ftp.php.
Scanning file /home/rab/Downloads/bWAPP/sm_local_priv_esc_1.php
Found 0 SQL injections in /home/rab/Downloads/bWAPP/sm_local_priv_esc_1.php.
Scanning file /home/rab/Downloads/bWAPP/sm_local_priv_esc_2.php
Found 0 SQL injections in /home/rab/Downloads/bWAPP/sm_local_priv_esc_2.php.
Scanning file /home/rab/Downloads/bWAPP/sm_mitm_1.php
Found 0 SQL injections in /home/rab/Downloads/bWAPP/sm_mitm_1.php.
Scanning file /home/rab/Downloads/bWAPP/sm_mitm_2.php
In file sm_mitm_2.php, line 43, col 13: $sql = "SELECT * FROM users WHERE login = '" . $login . "'";
Injectable variable $login. Other ocurrences:
L38 $login = $_SESSION["login"];
L41 // echo $login;
L43 $sql = "SELECT * FROM users WHERE login = '" . $login . "'";
L85 $content = "Hello " . ucwords($login) . ",\n\n";
queries here:1
Found 1 SQL injections in /home/rab/Downloads/bWAPP/sm_mitm_2.php.
Scanning file /home/rab/Downloads/bWAPP/sm_obu_files.php
Found 0 SQL injections in /home/rab/Downloads/bWAPP/sm_obu_files.php.
Scanning file /home/rab/Downloads/bWAPP/sm_robots.php
Found 0 SQL injections in /home/rab/Downloads/bWAPP/sm_robots.php.
Scanning file /home/rab/Downloads/bWAPP/sm_samba.php
Found 0 SQL injections in /home/rab/Downloads/bWAPP/sm_samba.php.
Scanning file /home/rab/Downloads/bWAPP/sm_snmp.php
Found 0 SQL injections in /home/rab/Downloads/bWAPP/sm_snmp.php.
Scanning file /home/rab/Downloads/bWAPP/sm_webdav.php
Found 0 SQL injections in /home/rab/Downloads/bWAPP/sm_webdav.php.
Scanning file /home/rab/Downloads/bWAPP/sm_xst.php
Found 0 SQL injections in /home/rab/Downloads/bWAPP/sm_xst.php.
Scanning file /home/rab/Downloads/bWAPP/smgmt_admin_portal.php
Found 0 SQL injections in /home/rab/Downloads/bWAPP/smgmt_admin_portal.php.
Scanning file /home/rab/Downloads/bWAPP/smgmt_cookies_httponly.php
Found 0 SQL injections in /home/rab/Downloads/bWAPP/smgmt_cookies_httponly.php.
Scanning file /home/rab/Downloads/bWAPP/smgmt_cookies_secure.php
Found 0 SQL injections in /home/rab/Downloads/bWAPP/smgmt_cookies_secure.php.
Scanning file /home/rab/Downloads/bWAPP/smgmt_sessionid_url.php
Found 0 SQL injections in /home/rab/Downloads/bWAPP/smgmt_sessionid_url.php.
Scanning file /home/rab/Downloads/bWAPP/smgmt_strong_sessions.php
Found 0 SQL injections in /home/rab/Downloads/bWAPP/smgmt_strong_sessions.php.
Scanning file /home/rab/Downloads/bWAPP/sqli_1.php
In file sqli_1.php, line 143, col 13: $sql = "SELECT * FROM movies WHERE title LIKE '%" . sqli($title) . "%'";
Injectable variable $title. Other ocurrences:
L141 $title = $_GET["title"];
L143 $sql = "SELECT * FROM movies WHERE title LIKE '%" . sqli($title) . "%'";
queries here:1
Found 1 SQL injections in /home/rab/Downloads/bWAPP/sqli_1.php.
Scanning file /home/rab/Downloads/bWAPP/sqli_10-1.php
Found 0 SQL injections in /home/rab/Downloads/bWAPP/sqli_10-1.php.
Scanning file /home/rab/Downloads/bWAPP/sqli_10-2.php
In file sqli_10-2.php, line 64, col 13: $sql = "SELECT * FROM movies WHERE title LIKE '%" . sqli($title) . "%'";
Injectable variable $title. Other ocurrences:
L61 $title = $_GET["title"];
L64 $sql = "SELECT * FROM movies WHERE title LIKE '%" . sqli($title) . "%'";
queries here:1
Found 1 SQL injections in /home/rab/Downloads/bWAPP/sqli_10-2.php.
Scanning file /home/rab/Downloads/bWAPP/sqli_11.php
In file sqli_11.php, line 153, col 13: $sql = "SELECT * FROM movies WHERE title LIKE '%" . sqli($title) . "%'";
Injectable variable $title. Other ocurrences:
L149 $title = $_GET["title"];
L153 $sql = "SELECT * FROM movies WHERE title LIKE '%" . sqli($title) . "%'";
queries here:1
Found 1 SQL injections in /home/rab/Downloads/bWAPP/sqli_11.php.
Scanning file /home/rab/Downloads/bWAPP/sqli_12.php
In file sqli_12.php, line 219, col 19: // die("Error: " . $link->connect_error . "
");
No dangerous concatenations in this query.
Found 0 SQL injections in /home/rab/Downloads/bWAPP/sqli_12.php.
Scanning file /home/rab/Downloads/bWAPP/sqli_13-ps.php
In file sqli_13-ps.php, line 35, col 9: $sql = "select * from movies";
No dangerous concatenations in this query.
In file sqli_13-ps.php, line 142, col 13: $sql = "SELECT title, release_year, genre, main_character, imdb FROM movies WHERE id =?";
No dangerous concatenations in this query.
Found 0 SQL injections in /home/rab/Downloads/bWAPP/sqli_13-ps.php.
Scanning file /home/rab/Downloads/bWAPP/sqli_13.php
In file sqli_13.php, line 35, col 9: $sql = "SELECT * FROM movies";
No dangerous concatenations in this query.
In file sqli_13.php, line 167, col 13: $sql = "SELECT * FROM movies";
No dangerous concatenations in this query.
Found 0 SQL injections in /home/rab/Downloads/bWAPP/sqli_13.php.
Scanning file /home/rab/Downloads/bWAPP/sqli_14.php
In file sqli_14.php, line 138, col 17: $sql = "SELECT * FROM movies WHERE title = '" . sqli($title) . "' COLLATE NOCASE";
Injectable variable $title. Other ocurrences:
L134 $title = $_REQUEST["title"];
L138 $sql = "SELECT * FROM movies WHERE title = '" . sqli($title) . "' COLLATE NOCASE";
queries here:1
Found 1 SQL injections in /home/rab/Downloads/bWAPP/sqli_14.php.
Scanning file /home/rab/Downloads/bWAPP/sqli_15.php
In file sqli_15.php, line 65, col 13: $sql = "SELECT * FROM movies WHERE title = '" . sqli($title) . "'";
Injectable variable $title. Other ocurrences:
L63 $title = $_REQUEST["title"];
L65 $sql = "SELECT * FROM movies WHERE title = '" . sqli($title) . "'";
queries here:1
In file sqli_15.php, line 78, col 17: $sql = "SELECT email FROM users WHERE login = '" . $login . "'";
Injectable variable $login. Other ocurrences:
L76 $login = $_SESSION["login"];
L78 $sql = "SELECT email FROM users WHERE login = '" . $login . "'";
L97 $content = "Hello " . ucwords($login) . ",\n\n";
queries here:2
Found 2 SQL injections in /home/rab/Downloads/bWAPP/sqli_15.php.
Scanning file /home/rab/Downloads/bWAPP/sqli_16.php
In file sqli_16.php, line 144, col 17: $sql = "SELECT * FROM users WHERE login = '" . $login . "'";
Injectable variable $login. Other ocurrences:
L137 $login = $_POST["login"];
L138 $login = sqli($login);
L138 $login = sqli($login);
L144 $sql = "SELECT * FROM users WHERE login = '" . $login . "'";
queries here:1
Found 1 SQL injections in /home/rab/Downloads/bWAPP/sqli_16.php.
Scanning file /home/rab/Downloads/bWAPP/sqli_17.php
In file sqli_17.php, line 95, col 8: $sql = "INSERT INTO visitors (date, user_agent, ip_address) VALUES (now(), '" . sqli($user_agent) . "', '" . $ip_address . "')";
Injectable variable $user_agent. Other ocurrences:
L92 $user_agent = $_SERVER["HTTP_USER_AGENT"];
L95 $sql = "INSERT INTO visitors (date, user_agent, ip_address) VALUES (now(), '" . sqli($user_agent) . "', '" . $ip_address . "')";
L107 $line = "'" . date("y/m/d G.i:s", time()) . "', '" . $ip_address . "', '" . xss($user_agent) . "'" . "\r\n";
queries here:1
Injectable variable $ip_address. Other ocurrences:
L91 $ip_address = $_SERVER["REMOTE_ADDR"];
L95 $sql = "INSERT INTO visitors (date, user_agent, ip_address) VALUES (now(), '" . sqli($user_agent) . "', '" . $ip_address . "')";
L107 $line = "'" . date("y/m/d G.i:s", time()) . "', '" . $ip_address . "', '" . xss($user_agent) . "'" . "\r\n";
queries here:2
In file sqli_17.php, line 114, col 9: $sql = "SELECT * FROM visitors ORDER by id DESC LIMIT 3";
No dangerous concatenations in this query.
Found 2 SQL injections in /home/rab/Downloads/bWAPP/sqli_17.php.
Scanning file /home/rab/Downloads/bWAPP/sqli_2-ps.php
In file sqli_2-ps.php, line 35, col 9: $sql = "select * from movies";
No dangerous concatenations in this query.
In file sqli_2-ps.php, line 142, col 13: $sql = "SELECT title, release_year, genre, main_character, imdb FROM movies WHERE id =?";
No dangerous concatenations in this query.
Found 0 SQL injections in /home/rab/Downloads/bWAPP/sqli_2-ps.php.
Scanning file /home/rab/Downloads/bWAPP/sqli_2.php In file sqli_2.php, line 35, col 9: $sql = "SELECT * FROM movies"; No dangerous concatenations in this query. In file sqli_2.php, line 167, col 13: $sql = "SELECT * FROM movies"; No dangerous concatenations in this query. Found 0 SQL injections in /home/rab/Downloads/bWAPP/sqli_2.php. Scanning file /home/rab/Downloads/bWAPP/sqli_3.php In file sqli_3.php, line 140, col 17: $sql = "SELECT * FROM heroes WHERE login = '" . $login . "' AND password = '" . $password . "'"; Injectable variable $login. Other ocurrences: L134 $login = $_POST["login"]; L135 $login = sqli($login); L135 $login = sqli($login); L140 $sql = "SELECT * FROM heroes WHERE login = '" . $login . "' AND password = '" . $password . "'"; queries here:1 Injectable variable $password. Other ocurrences: L137 $password = $_POST["password"]; L138 $password = sqli($password); L138 $password = sqli($password); L140 $sql = "SELECT * FROM heroes WHERE login = '" . $login . "' AND password = '" . $password . "'"; queries here:2 Found 2 SQL injections in /home/rab/Downloads/bWAPP/sqli_3.php. Scanning file /home/rab/Downloads/bWAPP/sqli_4.php In file sqli_4.php, line 131, col 17: $sql = "SELECT * FROM movies WHERE title = '" . sqli($title) . "'"; Injectable variable $title. Other ocurrences: L129 $title = $_REQUEST["title"]; L131 $sql = "SELECT * FROM movies WHERE title = '" . sqli($title) . "'"; queries here:1 Found 1 SQL injections in /home/rab/Downloads/bWAPP/sqli_4.php. Scanning file /home/rab/Downloads/bWAPP/sqli_5.php In file sqli_5.php, line 121, col 21: $sql = "SELECT * FROM movies"; No dangerous concatenations in this query. Found 0 SQL injections in /home/rab/Downloads/bWAPP/sqli_5.php. Scanning file /home/rab/Downloads/bWAPP/sqli_6.php In file sqli_6.php, line 143, col 13: $sql = "SELECT * FROM movies WHERE title LIKE '%" . sqli($title) . "%'"; Injectable variable $title. 
Other ocurrences: L141 $title = $_POST["title"]; L143 $sql = "SELECT * FROM movies WHERE title LIKE '%" . sqli($title) . "%'";
queries here:1
Found 1 SQL injections in /home/rab/Downloads/bWAPP/sqli_6.php.
Scanning file /home/rab/Downloads/bWAPP/sqli_7.php
In file sqli_7.php, line 143, col 24: $sql = "INSERT INTO blog (date, entry, owner) VALUES (now(),'" . $entry . "','" . $owner . "')";
Injectable variable $entry.
Other ocurrences: L25 $entry = ""; L130 $entry = sqli($_POST["entry"]); L133 if($entry == "") L143 $sql = "INSERT INTO blog (date, entry, owner) VALUES (now(),'" . $entry . "','" . $owner . "')";
queries here:1
Injectable variable $owner.
Other ocurrences: L26 $owner = ""; L131 $owner = $_SESSION["login"]; L143 $sql = "INSERT INTO blog (date, entry, owner) VALUES (now(),'" . $entry . "','" . $owner . "')";
queries here:2
In file sqli_7.php, line 185, col 9: $sql = "SELECT * FROM blog";
No dangerous concatenations in this query.
Found 2 SQL injections in /home/rab/Downloads/bWAPP/sqli_7.php.
Scanning file /home/rab/Downloads/bWAPP/sqli_8-1.php
Found 0 SQL injections in /home/rab/Downloads/bWAPP/sqli_8-1.php.
Scanning file /home/rab/Downloads/bWAPP/sqli_8-2.php
Found 0 SQL injections in /home/rab/Downloads/bWAPP/sqli_8-2.php.
Scanning file /home/rab/Downloads/bWAPP/sqli_9.php
In file sqli_9.php, line 181, col 13: $sql = "SELECT * FROM movies WHERE title LIKE '%" . sqli($title) . "%'";
Injectable variable $title.
Other ocurrences: L179 $title = $_GET["title"]; L181 $sql = "SELECT * FROM movies WHERE title LIKE '%" . sqli($title) . "%'";
queries here:1
Found 1 SQL injections in /home/rab/Downloads/bWAPP/sqli_9.php.
Scanning file /home/rab/Downloads/bWAPP/sqli_drupal.php
Found 0 SQL injections in /home/rab/Downloads/bWAPP/sqli_drupal.php.
Scanning file /home/rab/Downloads/bWAPP/ssii.php
Found 0 SQL injections in /home/rab/Downloads/bWAPP/ssii.php.
Scanning file /home/rab/Downloads/bWAPP/ssrf.php
Found 0 SQL injections in /home/rab/Downloads/bWAPP/ssrf.php.
Scanning file /home/rab/Downloads/bWAPP/test.php
Found 0 SQL injections in /home/rab/Downloads/bWAPP/test.php.
Scanning file /home/rab/Downloads/bWAPP/top_security.php
Found 0 SQL injections in /home/rab/Downloads/bWAPP/top_security.php.
Scanning file /home/rab/Downloads/bWAPP/training.php
Found 0 SQL injections in /home/rab/Downloads/bWAPP/training.php.
Scanning file /home/rab/Downloads/bWAPP/training_install.php
Found 0 SQL injections in /home/rab/Downloads/bWAPP/training_install.php.
Scanning file /home/rab/Downloads/bWAPP/unrestricted_file_upload.php
Found 0 SQL injections in /home/rab/Downloads/bWAPP/unrestricted_file_upload.php.
Scanning file /home/rab/Downloads/bWAPP/unvalidated_redir_fwd_1.php
Found 0 SQL injections in /home/rab/Downloads/bWAPP/unvalidated_redir_fwd_1.php.
Scanning file /home/rab/Downloads/bWAPP/unvalidated_redir_fwd_2.php
Found 0 SQL injections in /home/rab/Downloads/bWAPP/unvalidated_redir_fwd_2.php.
Scanning file /home/rab/Downloads/bWAPP/update.php
Found 0 SQL injections in /home/rab/Downloads/bWAPP/update.php.
Scanning file /home/rab/Downloads/bWAPP/user_activation.php
In file user_activation.php, line 32, col 13: $sql = "SELECT * FROM users WHERE login = '" . $login . "' AND BINARY activation_code = '" . $activation_code . "'";
Injectable variable $login.
Other ocurrences: L26 $login = $_GET["user"]; L27 $login = mysqli_real_escape_string($link, $login); L27 $login = mysqli_real_escape_string($link, $login); L32 $sql = "SELECT * FROM users WHERE login = '" . $login . "' AND BINARY activation_code = '" . $activation_code . "'"; L59 $sql = "UPDATE users SET activation_code = NULL, activated = 1 WHERE login = '" . $login . "'";
queries here:1
Found 1 SQL injections in /home/rab/Downloads/bWAPP/user_activation.php.
Scanning file /home/rab/Downloads/bWAPP/user_extra.php
In file user_extra.php, line 109, col 29: $sql = "SELECT * FROM users WHERE login = '" . $login . "' OR email = '" . $email . "'";
Injectable variable $login.
Other ocurrences: L31 $login = $_REQUEST["login"]; L38 if($login == "" or $email == "" or $password == "" or $secret == "") L66 if(preg_match("/^[a-z\d_]{2,20}$/i", $login) == false) L97 $login = mysqli_real_escape_string($link, $login); L97 $login = mysqli_real_escape_string($link, $login); L98 $login = htmlspecialchars($login, ENT_QUOTES, "UTF-8"); L98 $login = htmlspecialchars($login, ENT_QUOTES, "UTF-8"); L109 $sql = "SELECT * FROM users WHERE login = '" . $login . "' OR email = '" . $email . "'"; L140 $sql = "INSERT INTO users (login, password, email, secret, activated) VALUES ('" . $login . "','" . $password . "','" . $email . "','" . $secret . "',1)"; L187 $content = "Welcome " . ucwords($login) . ",\n\n"; L188 $content.= "Click the link to activate your new user:\n\nhttp://" . $server . "/bWAPP/user_activation.php?user=" . $login . "&activation_code=" . $activation_code . "\n\n"; L207 $sql = "INSERT INTO users (login, password, email, secret, activation_code) VALUES ('" . $login . "','" . $password . "','" . $email . "','" . $secret . "','" . $activation_code . "')";
queries here:1
Injectable variable $email.
Other ocurrences: L34 $email = $_REQUEST["email"]; L38 if($login == "" or $email == "" or $password == "" or $secret == "") L76 if(!filter_var($email, FILTER_VALIDATE_EMAIL)) L103 $email = mysqli_real_escape_string($link, $email); L103 $email = mysqli_real_escape_string($link, $email); L104 $email = htmlspecialchars($email, ENT_QUOTES, "UTF-8"); L104 $email = htmlspecialchars($email, ENT_QUOTES, "UTF-8"); L109 $sql = "SELECT * FROM users WHERE login = '" . $login . "' OR email = '" . $email . "'"; L140 $sql = "INSERT INTO users (login, password, email, secret, activated) VALUES ('" . $login . "','" . $password . "','" . $email . "','" . $secret . "',1)"; L191 $status = @mail($email, $subject, $content, "From: $sender"); L207 $sql = "INSERT INTO users (login, password, email, secret, activation_code) VALUES ('" . $login . "','" . $password . "','" . $email . "','" . $secret . "','" . $activation_code . "')";
queries here:2
In file user_extra.php, line 207, col 40: $sql = "INSERT INTO users (login, password, email, secret, activation_code) VALUES ('" . $login . "','" . $password . "','" . $email . "','" . $secret . "','" . $activation_code . "')";
Injectable variable $login.
Other ocurrences: L31 $login = $_REQUEST["login"]; L38 if($login == "" or $email == "" or $password == "" or $secret == "") L66 if(preg_match("/^[a-z\d_]{2,20}$/i", $login) == false) L97 $login = mysqli_real_escape_string($link, $login); L97 $login = mysqli_real_escape_string($link, $login); L98 $login = htmlspecialchars($login, ENT_QUOTES, "UTF-8"); L98 $login = htmlspecialchars($login, ENT_QUOTES, "UTF-8"); L109 $sql = "SELECT * FROM users WHERE login = '" . $login . "' OR email = '" . $email . "'"; L140 $sql = "INSERT INTO users (login, password, email, secret, activated) VALUES ('" . $login . "','" . $password . "','" . $email . "','" . $secret . "',1)"; L187 $content = "Welcome " . ucwords($login) . ",\n\n"; L188 $content.= "Click the link to activate your new user:\n\nhttp://" . $server . "/bWAPP/user_activation.php?user=" . $login . "&activation_code=" . $activation_code . "\n\n"; L207 $sql = "INSERT INTO users (login, password, email, secret, activation_code) VALUES ('" . $login . "','" . $password . "','" . $email . "','" . $secret . "','" . $activation_code . "')";
queries here:3
Injectable variable $password.
Other ocurrences: L32 $password = $_REQUEST["password"]; L33 $password_conf = $_REQUEST["password_conf"]; L38 if($login == "" or $email == "" or $password == "" or $secret == "") L86 if($password != $password_conf) L86 if($password != $password_conf) L100 $password = mysqli_real_escape_string($link, $password); L100 $password = mysqli_real_escape_string($link, $password); L101 $password = hash("sha1", $password, false); L101 $password = hash("sha1", $password, false); L140 $sql = "INSERT INTO users (login, password, email, secret, activated) VALUES ('" . $login . "','" . $password . "','" . $email . "','" . $secret . "',1)"; L207 $sql = "INSERT INTO users (login, password, email, secret, activation_code) VALUES ('" . $login . "','" . $password . "','" . $email . "','" . $secret . "','" . $activation_code . "')";
queries here:4
Injectable variable $email.
Other ocurrences: L34 $email = $_REQUEST["email"]; L38 if($login == "" or $email == "" or $password == "" or $secret == "") L76 if(!filter_var($email, FILTER_VALIDATE_EMAIL)) L103 $email = mysqli_real_escape_string($link, $email); L103 $email = mysqli_real_escape_string($link, $email); L104 $email = htmlspecialchars($email, ENT_QUOTES, "UTF-8"); L104 $email = htmlspecialchars($email, ENT_QUOTES, "UTF-8"); L109 $sql = "SELECT * FROM users WHERE login = '" . $login . "' OR email = '" . $email . "'"; L140 $sql = "INSERT INTO users (login, password, email, secret, activated) VALUES ('" . $login . "','" . $password . "','" . $email . "','" . $secret . "',1)"; L191 $status = @mail($email, $subject, $content, "From: $sender"); L207 $sql = "INSERT INTO users (login, password, email, secret, activation_code) VALUES ('" . $login . "','" . $password . "','" . $email . "','" . $secret . "','" . $activation_code . "')";
queries here:5
Injectable variable $secret.
Other ocurrences: L35 $secret = $_REQUEST["secret"]; L38 if($login == "" or $email == "" or $password == "" or $secret == "") L106 $secret = mysqli_real_escape_string($link, $secret); L106 $secret = mysqli_real_escape_string($link, $secret); L107 $secret = htmlspecialchars($secret, ENT_QUOTES, "UTF-8"); L107 $secret = htmlspecialchars($secret, ENT_QUOTES, "UTF-8"); L140 $sql = "INSERT INTO users (login, password, email, secret, activated) VALUES ('" . $login . "','" . $password . "','" . $email . "','" . $secret . "',1)"; L207 $sql = "INSERT INTO users (login, password, email, secret, activation_code) VALUES ('" . $login . "','" . $password . "','" . $email . "','" . $secret . "','" . $activation_code . "')";
queries here:6
Injectable variable $activation_code.
Other ocurrences: L166 $activation_code = random_string(); L167 $activation_code = hash("sha1", $activation_code, false); L167 $activation_code = hash("sha1", $activation_code, false); L170 // echo $activation_code; L188 $content.= "Click the link to activate your new user:\n\nhttp://" . $server . "/bWAPP/user_activation.php?user=" . $login . "&activation_code=" . $activation_code . "\n\n"; L207 $sql = "INSERT INTO users (login, password, email, secret, activation_code) VALUES ('" . $login . "','" . $password . "','" . $email . "','" . $secret . "','" . $activation_code . "')";
queries here:7
Found 7 SQL injections in /home/rab/Downloads/bWAPP/user_extra.php.
Scanning file /home/rab/Downloads/bWAPP/user_new.php
In file user_new.php, line 106, col 29: $sql = "SELECT * FROM users WHERE login = '" . $login . "' OR email = '" . $email . "'";
Injectable variable $login.
Other ocurrences: L28 $login = $_REQUEST["login"]; L35 if($login == "" or $email == "" or $password == "" or $secret == "") L63 if(preg_match("/^[a-z\d_]{2,20}$/i", $login) == false) L94 $login = mysqli_real_escape_string($link, $login); L94 $login = mysqli_real_escape_string($link, $login); L95 $login = htmlspecialchars($login, ENT_QUOTES, "UTF-8"); L95 $login = htmlspecialchars($login, ENT_QUOTES, "UTF-8"); L106 $sql = "SELECT * FROM users WHERE login = '" . $login . "' OR email = '" . $email . "'"; L137 $sql = "INSERT INTO users (login, password, email, secret, activated) VALUES ('" . $login . "','" . $password . "','" . $email . "','" . $secret . "',1)"; L184 $content = "Welcome " . ucwords($login) . ",\n\n"; L185 $content.= "Click the link to activate your new user:\n\nhttp://" . $server . "/bWAPP/user_activation.php?user=" . $login . "&activation_code=" . $activation_code . "\n\n"; L204 $sql = "INSERT INTO users (login, password, email, secret, activation_code) VALUES ('" . $login . "','" . $password . "','" . $email . "','" . $secret . "','" . $activation_code . "')";
queries here:1
Injectable variable $email.
Other ocurrences: L31 $email = $_REQUEST["email"]; L35 if($login == "" or $email == "" or $password == "" or $secret == "") L73 if(!filter_var($email, FILTER_VALIDATE_EMAIL)) L100 $email = mysqli_real_escape_string($link, $email); L100 $email = mysqli_real_escape_string($link, $email); L101 $email = htmlspecialchars($email, ENT_QUOTES, "UTF-8"); L101 $email = htmlspecialchars($email, ENT_QUOTES, "UTF-8"); L106 $sql = "SELECT * FROM users WHERE login = '" . $login . "' OR email = '" . $email . "'"; L137 $sql = "INSERT INTO users (login, password, email, secret, activated) VALUES ('" . $login . "','" . $password . "','" . $email . "','" . $secret . "',1)"; L188 $status = @mail($email, $subject, $content, "From: $sender"); L204 $sql = "INSERT INTO users (login, password, email, secret, activation_code) VALUES ('" . $login . "','" . $password . "','" . $email . "','" . $secret . "','" . $activation_code . "')";
queries here:2
In file user_new.php, line 204, col 40: $sql = "INSERT INTO users (login, password, email, secret, activation_code) VALUES ('" . $login . "','" . $password . "','" . $email . "','" . $secret . "','" . $activation_code . "')";
Injectable variable $login.
Other ocurrences: L28 $login = $_REQUEST["login"]; L35 if($login == "" or $email == "" or $password == "" or $secret == "") L63 if(preg_match("/^[a-z\d_]{2,20}$/i", $login) == false) L94 $login = mysqli_real_escape_string($link, $login); L94 $login = mysqli_real_escape_string($link, $login); L95 $login = htmlspecialchars($login, ENT_QUOTES, "UTF-8"); L95 $login = htmlspecialchars($login, ENT_QUOTES, "UTF-8"); L106 $sql = "SELECT * FROM users WHERE login = '" . $login . "' OR email = '" . $email . "'"; L137 $sql = "INSERT INTO users (login, password, email, secret, activated) VALUES ('" . $login . "','" . $password . "','" . $email . "','" . $secret . "',1)"; L184 $content = "Welcome " . ucwords($login) . ",\n\n"; L185 $content.= "Click the link to activate your new user:\n\nhttp://" . $server . "/bWAPP/user_activation.php?user=" . $login . "&activation_code=" . $activation_code . "\n\n"; L204 $sql = "INSERT INTO users (login, password, email, secret, activation_code) VALUES ('" . $login . "','" . $password . "','" . $email . "','" . $secret . "','" . $activation_code . "')";
queries here:3
Injectable variable $password.
Other ocurrences: L29 $password = $_REQUEST["password"]; L30 $password_conf = $_REQUEST["password_conf"]; L35 if($login == "" or $email == "" or $password == "" or $secret == "") L83 if($password != $password_conf) L83 if($password != $password_conf) L97 $password = mysqli_real_escape_string($link, $password); L97 $password = mysqli_real_escape_string($link, $password); L98 $password = hash("sha1", $password, false); L98 $password = hash("sha1", $password, false); L137 $sql = "INSERT INTO users (login, password, email, secret, activated) VALUES ('" . $login . "','" . $password . "','" . $email . "','" . $secret . "',1)"; L204 $sql = "INSERT INTO users (login, password, email, secret, activation_code) VALUES ('" . $login . "','" . $password . "','" . $email . "','" . $secret . "','" . $activation_code . "')";
queries here:4
Injectable variable $email.
Other ocurrences: L31 $email = $_REQUEST["email"]; L35 if($login == "" or $email == "" or $password == "" or $secret == "") L73 if(!filter_var($email, FILTER_VALIDATE_EMAIL)) L100 $email = mysqli_real_escape_string($link, $email); L100 $email = mysqli_real_escape_string($link, $email); L101 $email = htmlspecialchars($email, ENT_QUOTES, "UTF-8"); L101 $email = htmlspecialchars($email, ENT_QUOTES, "UTF-8"); L106 $sql = "SELECT * FROM users WHERE login = '" . $login . "' OR email = '" . $email . "'"; L137 $sql = "INSERT INTO users (login, password, email, secret, activated) VALUES ('" . $login . "','" . $password . "','" . $email . "','" . $secret . "',1)"; L188 $status = @mail($email, $subject, $content, "From: $sender"); L204 $sql = "INSERT INTO users (login, password, email, secret, activation_code) VALUES ('" . $login . "','" . $password . "','" . $email . "','" . $secret . "','" . $activation_code . "')";
queries here:5
Injectable variable $secret.
Other ocurrences: L32 $secret = $_REQUEST["secret"]; L35 if($login == "" or $email == "" or $password == "" or $secret == "") L103 $secret = mysqli_real_escape_string($link, $secret); L103 $secret = mysqli_real_escape_string($link, $secret); L104 $secret = htmlspecialchars($secret, ENT_QUOTES, "UTF-8"); L104 $secret = htmlspecialchars($secret, ENT_QUOTES, "UTF-8"); L137 $sql = "INSERT INTO users (login, password, email, secret, activated) VALUES ('" . $login . "','" . $password . "','" . $email . "','" . $secret . "',1)"; L204 $sql = "INSERT INTO users (login, password, email, secret, activation_code) VALUES ('" . $login . "','" . $password . "','" . $email . "','" . $secret . "','" . $activation_code . "')";
queries here:6
Injectable variable $activation_code.
Other ocurrences: L163 $activation_code = random_string(); L164 $activation_code = hash("sha1", $activation_code, false); L164 $activation_code = hash("sha1", $activation_code, false); L167 // echo $activation_code; L185 $content.= "Click the link to activate your new user:\n\nhttp://" . $server . "/bWAPP/user_activation.php?user=" . $login . "&activation_code=" . $activation_code . "\n\n"; L204 $sql = "INSERT INTO users (login, password, email, secret, activation_code) VALUES ('" . $login . "','" . $password . "','" . $email . "','" . $secret . "','" . $activation_code . "')";
queries here:7
Found 7 SQL injections in /home/rab/Downloads/bWAPP/user_new.php.
Scanning file /home/rab/Downloads/bWAPP/ws_soap.php
In file ws_soap.php, line 8, col 24: $sql = "SELECT tickets_stock FROM movies WHERE title = '" . $title . "'";
Injectable variable $title.
Other ocurrences: L4 function get_tickets_stock($title) L9 $recordset = mysql_query($sql, $link);
queries here:1
Found 1 SQL injections in /home/rab/Downloads/bWAPP/ws_soap.php.
Scanning file /home/rab/Downloads/bWAPP/xmli_1.php
Found 0 SQL injections in /home/rab/Downloads/bWAPP/xmli_1.php.
Scanning file /home/rab/Downloads/bWAPP/xmli_2.php
Found 0 SQL injections in /home/rab/Downloads/bWAPP/xmli_2.php.
Scanning file /home/rab/Downloads/bWAPP/xss_ajax_1-1.php
Found 0 SQL injections in /home/rab/Downloads/bWAPP/xss_ajax_1-1.php.
Scanning file /home/rab/Downloads/bWAPP/xss_ajax_1-2.php
Found 0 SQL injections in /home/rab/Downloads/bWAPP/xss_ajax_1-2.php.
Scanning file /home/rab/Downloads/bWAPP/xss_ajax_2-1.php
Found 0 SQL injections in /home/rab/Downloads/bWAPP/xss_ajax_2-1.php.
Scanning file /home/rab/Downloads/bWAPP/xss_ajax_2-2.php
Found 0 SQL injections in /home/rab/Downloads/bWAPP/xss_ajax_2-2.php.
Scanning file /home/rab/Downloads/bWAPP/xss_back_button.php
Found 0 SQL injections in /home/rab/Downloads/bWAPP/xss_back_button.php.
Scanning file /home/rab/Downloads/bWAPP/xss_custom_header.php
Found 0 SQL injections in /home/rab/Downloads/bWAPP/xss_custom_header.php.
Scanning file /home/rab/Downloads/bWAPP/xss_eval.php
Found 0 SQL injections in /home/rab/Downloads/bWAPP/xss_eval.php.
Scanning file /home/rab/Downloads/bWAPP/xss_get.php
Found 0 SQL injections in /home/rab/Downloads/bWAPP/xss_get.php.
Scanning file /home/rab/Downloads/bWAPP/xss_href-1.php
Found 0 SQL injections in /home/rab/Downloads/bWAPP/xss_href-1.php.
Scanning file /home/rab/Downloads/bWAPP/xss_href-2.php
In file xss_href-2.php, line 147, col 13: $sql = "SELECT * FROM movies";
No dangerous concatenations in this query.
Found 0 SQL injections in /home/rab/Downloads/bWAPP/xss_href-2.php.
Scanning file /home/rab/Downloads/bWAPP/xss_href-3.php
In file xss_href-3.php, line 47, col 17: $sql = "SELECT * FROM movies WHERE id = '" . sqli_check_2($movie) . "'";
Injectable variable $movie.
Other ocurrences: L45 $movie = $_REQUEST["movie"]; L47 $sql = "SELECT * FROM movies WHERE id = '" . sqli_check_2($movie) . "'";
queries here:1
Found 1 SQL injections in /home/rab/Downloads/bWAPP/xss_href-3.php.
Scanning file /home/rab/Downloads/bWAPP/xss_json.php
Found 0 SQL injections in /home/rab/Downloads/bWAPP/xss_json.php.
Scanning file /home/rab/Downloads/bWAPP/xss_login.php
In file xss_login.php, line 140, col 17: $sql = "SELECT * FROM heroes WHERE login = '" . $login . "' AND password = '" . $password . "'";
Injectable variable $login.
Other ocurrences: L134 $login = $_POST["login"]; L135 $login = sqli($login); L135 $login = sqli($login); L140 $sql = "SELECT * FROM heroes WHERE login = '" . $login . "' AND password = '" . $password . "'";
queries here:1
Injectable variable $password.
Other ocurrences: L137 $password = $_POST["password"]; L138 $password = sqli($password); L138 $password = sqli($password); L140 $sql = "SELECT * FROM heroes WHERE login = '" . $login . "' AND password = '" . $password . "'";
queries here:2
Found 2 SQL injections in /home/rab/Downloads/bWAPP/xss_login.php.
Scanning file /home/rab/Downloads/bWAPP/xss_php_self.php
Found 0 SQL injections in /home/rab/Downloads/bWAPP/xss_php_self.php.
Scanning file /home/rab/Downloads/bWAPP/xss_phpmyadmin.php
Found 0 SQL injections in /home/rab/Downloads/bWAPP/xss_phpmyadmin.php.
Scanning file /home/rab/Downloads/bWAPP/xss_post.php
Found 0 SQL injections in /home/rab/Downloads/bWAPP/xss_post.php.
Scanning file /home/rab/Downloads/bWAPP/xss_referer.php
Found 0 SQL injections in /home/rab/Downloads/bWAPP/xss_referer.php.
Scanning file /home/rab/Downloads/bWAPP/xss_sqlitemanager.php
Found 0 SQL injections in /home/rab/Downloads/bWAPP/xss_sqlitemanager.php.
Scanning file /home/rab/Downloads/bWAPP/xss_stored_1.php
In file xss_stored_1.php, line 81, col 16: $sql = "INSERT INTO blog (date, entry, owner) VALUES (now(),'" . $entry . "','" . $owner . "')";
Injectable variable $entry.
Other ocurrences: L25 $entry = ""; L68 $entry = xss($_POST["entry"]); L71 if($entry == "") L81 $sql = "INSERT INTO blog (date, entry, owner) VALUES (now(),'" . $entry . "','" . $owner . "')"; L248 $entry_all = isset($_POST["entry_all"]) ? 1 : 0; L250 if($entry_all == false)
queries here:1
Injectable variable $owner.
Other ocurrences: L26 $owner = ""; L69 $owner = $_SESSION["login"]; L81 $sql = "INSERT INTO blog (date, entry, owner) VALUES (now(),'" . $entry . "','" . $owner . "')";
queries here:2
In file xss_stored_1.php, line 253, col 31: $sql = "SELECT * FROM blog WHERE owner = '" . $_SESSION["login"] . "'";
No dangerous concatenations in this query.
In file xss_stored_1.php, line 264, col 4: $recordset = $link->query($sql);
No dangerous concatenations in this query.
Found 2 SQL injections in /home/rab/Downloads/bWAPP/xss_stored_1.php.
Scanning file /home/rab/Downloads/bWAPP/xss_stored_2.php
Found 0 SQL injections in /home/rab/Downloads/bWAPP/xss_stored_2.php.
Scanning file /home/rab/Downloads/bWAPP/xss_stored_3.php
Found 0 SQL injections in /home/rab/Downloads/bWAPP/xss_stored_3.php.
Scanning file /home/rab/Downloads/bWAPP/xss_stored_4.php
In file xss_stored_4.php, line 80, col 9: $sql = "SELECT * FROM visitors ORDER by id DESC LIMIT 3";
No dangerous concatenations in this query.
Found 0 SQL injections in /home/rab/Downloads/bWAPP/xss_stored_4.php.
Scanning file /home/rab/Downloads/bWAPP/xss_user_agent.php
Found 0 SQL injections in /home/rab/Downloads/bWAPP/xss_user_agent.php.
Scanning file /home/rab/Downloads/bWAPP/xxe-1.php
Found 0 SQL injections in /home/rab/Downloads/bWAPP/xxe-1.php.
Scanning file /home/rab/Downloads/bWAPP/xxe-2.php
Found 0 SQL injections in /home/rab/Downloads/bWAPP/xxe-2.php.
Total SQL injections found: 56