SQL Injection and cross-site scripting are typical security attacks carried out against web applications.

Study the PHP document given below in Figure 5 and answer the following questions.

Figure 5

<?php
// Database connection settings
$servername = "localhost";
$username = "me";
$password = "!myPa$$";
$dbname = "mydb";

// Run only when both login fields were submitted
if (isset($_POST["uname"], $_POST["upass"])) {
    $conn = new mysqli($servername, $username, $password, $dbname);
    if ($conn->connect_error) {
        die("Connection failed: " . $conn->connect_error);
    }
    // Query text is built directly from the submitted form values
    $query = "select * from user where uname='$_POST[uname]' AND upass='$_POST[upass]'";
    $result = $conn->query($query);
}
?>

Question

a) Explain why the code given in Figure 5 above is vulnerable to SQL Injection and cross-site scripting attacks.

b) Give an example scenario to demonstrate your analysis in the previous question.

c) Rewrite the Figure 5 code to prevent these types of security attacks.
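
One way to approach part (c), as an added example that is not part of the original question or its solution: the Figure 5 login check rewritten with a mysqli prepared statement and HTML-encoded output. It assumes the upass column holds a password_hash() value and that the page echoes the username back after login, neither of which Figure 5 shows.

```php
<?php
// Added example: hardened variant of Figure 5, not the original author's code.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on DB errors

$servername = "localhost";
$username   = "me";
$password   = '!myPa$$';   // single quotes: no variable interpolation
$dbname     = "mydb";

// Accept only plain string fields (rejects array-valued parameters).
if (isset($_POST["uname"], $_POST["upass"])
    && is_string($_POST["uname"]) && is_string($_POST["upass"])) {
    try {
        $conn = new mysqli($servername, $username, $password, $dbname);
        $conn->set_charset("utf8mb4");

        // The placeholder keeps user input out of the SQL text entirely.
        $stmt = $conn->prepare("SELECT uname, upass FROM user WHERE uname = ?");
        $stmt->bind_param("s", $_POST["uname"]);
        $stmt->execute();
        $stmt->bind_result($dbUname, $dbHash);
        $found = $stmt->fetch();   // true when a row was fetched, null when none
        $stmt->close();
        $conn->close();
    } catch (mysqli_sql_exception $e) {
        // Error details go to the server log, never to the browser.
        error_log("Login DB error: " . $e->getMessage());
        http_response_code(500);
        exit("Service unavailable.");
    }

    // Assumption: upass stores a password_hash() value, so the comparison
    // happens in PHP rather than in the WHERE clause.
    if ($found === true && password_verify($_POST["upass"], $dbHash)) {
        // Encode on output so stored or submitted markup renders as text.
        echo "Welcome, " . htmlspecialchars($dbUname, ENT_QUOTES | ENT_SUBSTITUTE, "UTF-8");
    } else {
        echo "Invalid username or password.";
    }
}
?>
```

The same failure message is returned for an unknown user and a wrong password, so the response does not reveal which usernames exist.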
