Source: members (security level: low)
Flip the security level in the header to compare the vulnerable and fixed code paths.
<?php // LOW: the raw 'user' input is used directly as the query filter. Because PHP turns user[$ne]=x into
// an array, an attacker injects MongoDB query operators (NoSQL injection):
// ?user[$ne]=zzz -> {name:{$ne:'zzz'}} matches EVERY member, incl the hidden svc-loyalty token
// ?user[$regex]=^sv -> {name:{$regex:'^sv'}} blind, prefix/character extraction
// ?user=ada -> benign exact-name lookup
foreach ($MEMBERS as $m) {
if (mongo_match($m['name'], $u)) { $results[] = $m; }
}