@marten-cz
Last active January 8, 2022 13:01
Old interview tests
Problem: A customer complained that he is not able to log in to the system. His credentials:
username: El'Jose
password: si"ai^#i
When the developer saw the code, he had a heart attack. Why? What is wrong with the code?
PS: This was maybe for PHP 5.6, so take that into account. (Note that register_globals was removed in PHP 5.4, so the ini_set() call below has no effect there, and the mysql_* extension was deprecated in 5.5 and removed in 7.0.)
<?php
ini_set('display_errors', 1);
ini_set('register_globals', 1);
error_reporting(E_ALL ^ E_NOTICE);
echo <<<EOD
<html><head>
<meta http-equiv="content-type" content="text/html; charset=iso-8859-2" />
<!-- meta http-equiv="content-type" content="text/html; charset=windows-1250" --/>
</head><body>
EOD;
 
mysql_connect('localhost', 'root', '');
mysql_select_db('eShop');
 
$loggedIn = @$_COOKIE['loggedIn'];
$command = $_POST['command'];
 
if ($command == 'login') {
        list($user, $pass) = array($_POST['user'], $_POST['pass']);
        $sql = "SELECT * FROM users WHERE usr='$user' AND pass='$pass'";
        echo "<br />sql: $sql<br />";
        $res = mysql_query($sql);
        $loggedIn = mysql_fetch_array($res);
        if ($loggedIn) {
                echo "You were logged in";
        }
}
 
if (!$loggedIn) {
        if ($command == 'login') {
                echo "Wrong username or password.<br />";
        }
        ?>
        <form method="post">
               <input type="hidden" name="command" value="login" />
               Login: <input type="text" name="user" value="<?=$user ?>"/><br />
               Password: <input type="password" name="pass" /><br />
               <button type="submit">Log in</button>
        </form>
        </body>
        </html>
        <?php
        exit();
}
setcookie('loggedIn', 1, time()+(3600/2));
require('admin.php');
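The immediate cause of the complaint is the single quote in the username: interpolated straight into the string, the query becomes SELECT * FROM users WHERE usr='El'Jose' AND pass='si"ai^#i', which MySQL rejects, so mysql_query() returns false and the user is told the password is wrong (while the page also echoes the full SQL, password included, to the browser). The same missing escaping lets any visitor log in with a username of ' OR '1'='1' --, and the rest of the script compounds it: register_globals and an unauthenticated loggedIn cookie (setting loggedIn=1 in the cookie jar or the query string skips the login entirely), root with an empty password, plaintext passwords, display_errors on, and $user reflected into the form unescaped. The rewrite below is an added example, not the gist's code or its answer key; it assumes the same users table (columns usr and pass) with pass now holding a password_hash() value, a hypothetical low-privilege MySQL account eshop_app whose password is read from the environment, and an unchanged admin.php.

```php
<?php
// Added example (not the gist's code): a hardened rewrite of the login above.
// Assumptions: the same `users` table with columns `usr` and `pass`, but `pass`
// now stores a password_hash() value; a hypothetical low-privilege MySQL
// account `eshop_app` whose password comes from the environment; admin.php
// unchanged.
declare(strict_types=1);

ini_set('display_errors', '0');              // errors go to the log, never to the browser
error_reporting(E_ALL);
ini_set('session.use_strict_mode', '1');
ini_set('session.cookie_httponly', '1');
ini_set('session.cookie_samesite', 'Strict');
session_start();                             // must run before any output is sent

header('Content-Type: text/html; charset=utf-8');

$pdo = new PDO(
    'mysql:host=localhost;dbname=eShop;charset=utf8mb4',
    'eshop_app',                              // hypothetical least-privilege account, not root
    getenv('ESHOP_DB_PASSWORD') ?: '',
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, PDO::ATTR_EMULATE_PREPARES => false]
);

// Look the user up with a bound parameter and verify against the stored hash.
// The apostrophe in "El'Jose" is now plain data, so this login succeeds.
function attemptLogin(PDO $pdo, string $user, string $pass): bool
{
    $stmt = $pdo->prepare('SELECT pass FROM users WHERE usr = ?');
    $stmt->execute([$user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // Run password_verify() even for unknown users so response time does not
    // reveal which usernames exist.
    $hash = $row['pass'] ?? password_hash('unknown-user-placeholder', PASSWORD_DEFAULT);
    $ok = password_verify($pass, $hash);
    return $row !== false && $ok;
}

function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');  // output encoding for every echoed value
}

$command = $_POST['command'] ?? '';
$user    = (string) ($_POST['user'] ?? '');
$error   = '';

if ($command === 'login') {
    $token = $_SESSION['csrf'] ?? '';
    if ($token === '' || !hash_equals($token, (string) ($_POST['csrf'] ?? ''))) {
        http_response_code(403);
        exit('Invalid request.');
    }
    if (attemptLogin($pdo, $user, (string) ($_POST['pass'] ?? ''))) {
        session_regenerate_id(true);          // new session id on privilege change
        $_SESSION['user'] = $user;            // server-side state instead of a forgeable cookie
        header('Location: admin.php');
        exit();
    }
    $error = 'Wrong username or password.';   // same message for bad user and bad password
}

if (empty($_SESSION['user'])) {
    $_SESSION['csrf'] = $_SESSION['csrf'] ?? bin2hex(random_bytes(32));
    ?>
    <!DOCTYPE html>
    <html><head><meta charset="utf-8"></head><body>
    <?php if ($error !== ''): ?><p><?= h($error) ?></p><?php endif; ?>
    <form method="post">
        <input type="hidden" name="command" value="login">
        <input type="hidden" name="csrf" value="<?= h($_SESSION['csrf']) ?>">
        Login: <input type="text" name="user" value="<?= h($user) ?>"><br>
        Password: <input type="password" name="pass"><br>
        <button type="submit">Log in</button>
    </form>
    </body></html>
    <?php
    exit();
}

require 'admin.php';
```

Two design points worth noting: the login state lives in the server-side session rather than in a client-settable cookie, which is what removes the loggedIn=1 bypass, and the query is parameterised rather than escaped, so the fix does not depend on remembering to call an escaping function for every interpolated value.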