| Title | Patrick Mvuma Patients Waiting Area Queue Management System 1.0 SQLi |
|---|---|
| User | bobsux (UID 94358) |
| Submission | 01/09/2026 08:08 PM (1 month ago) |
| Moderation | 01/18/2026 02:46 PM (9 days later) |
| Status | Duplicate |
| VulDB entry | 332582 [SourceCodester Patients Waiting Area Queue Management System 1.0 api_patient_schedule.php appointmentID sql injection] |
| Points | 0 |

Description

SQLI-01 (pqms/php/api_patient_schedule.php → appointmentID (GET))

Title: SQL Injection via appointmentID in Appointment Lookup

What is the vulnerability?

The application contains a SQL Injection vulnerability in the appointment lookup functionality implemented in pqms/php/api_patient_schedule.php. The endpoint accepts a user-supplied appointmentID parameter via the HTTP GET method and passes it directly into a SQL query using string concatenation without input sanitization or prepared statements.

The vulnerable SQL logic resembles:

```sql
WHERE a.reference_number = '$reference_number'
```

Because appointmentID is attacker-controlled, an attacker can inject arbitrary SQL logic into the query.

Proof of Concept:

```sh
curl "http://localhost/pqms/php/api_patient_schedule.php?appointmentID=APT001' OR '1'='1' -- -"
```
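The lookup described above, rewritten with a bound parameter as an illustrative fix; this is added example code, not the project's own. The `appointments` table name, the `$pdo` connection and the `APT001`-style identifier format are assumptions; only the `a.reference_number` column comes from the quoted fragment.

```php
<?php
// Illustrative hardened appointment lookup (not the project's code).
// Assumes an existing PDO connection in $pdo. Disabling emulated prepares
// makes the driver send SQL text and parameter values separately.
$pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);

function lookupAppointment(PDO $pdo, string $appointmentID): ?array
{
    // Allow-list the identifier shape before it reaches the database.
    // The shape (letters followed by digits, e.g. APT001) is an assumption.
    if (!preg_match('/^[A-Z]{1,8}[0-9]{1,10}$/', $appointmentID)) {
        http_response_code(400);
        return null;
    }

    // Bound parameter: the value never becomes part of the SQL text, so a
    // quote or comment sequence in it cannot change the WHERE clause.
    // Table name "appointments" is assumed; the column is from the report.
    $stmt = $pdo->prepare(
        'SELECT a.* FROM appointments a WHERE a.reference_number = :ref LIMIT 1'
    );
    $stmt->execute([':ref' => $appointmentID]);

    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$appointmentID = $_GET['appointmentID'] ?? '';
$result = lookupAppointment($pdo, $appointmentID);

header('Content-Type: application/json');
echo json_encode($result ?? ['error' => 'appointment not found or invalid appointmentID']);
```

With this version the proof-of-concept value from the report fails the allow-list check and is rejected with HTTP 400 before any query runs; even without the check, the bound parameter would be compared literally rather than parsed as SQL.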