How vulnerable is my code to SQL injection?

Question

Ok I don't want this to be a hacking advice question, so please don't down-vote for that. I work in a web shop and I've found some of our old PHP pages are vulnerable to SQL injection in the username and want to know how bad.

We use a PHP string to embed the user input from the POST on the login form.

$uname = $_POST['username'];
$pass  = md5($_POST['pass']);
$sql = "SELECT * FROM users WHERE username='$uname' AND password='$pass' AND userlevel='user'";
...

then I run the query.

Now, I'm no SQL expert, I just use what I can piece together on phpMyAdmin. But I was able to log in without a username by instead using:

' OR 1 '

I know to escape the user input, I use mysql_real_escape_string.

My question is, how vulnerable is this code, and could someone log into this page and not need the password? I would think maybe they wouldn't need the username, but could only brute force the password. But I'm no SQL guru and am wondering if some tricks could be used against us.

We use MySQL.

And please I don't need any lectures on input validation, I know how bad this is. We should be doing lots of things, like timeouts and lockouts on our page so it can't be brute-forced.

Answer 1

"Could someone log into this page and not need the password": Yes, trivially. Try the username yourfavoriteadmin' OR 1; --.

May as well link this, since certainly somebody will...

Answer 2

It’s very vulnerable. If you know about all the nifty stuff like mysql_real_escape_string why do you waste your time and ask this question? You should be all over that code, fixing it. You know, like, NOW.