| Title | Hospital-Management-System-Website web 1 SQL Injection |
|---|---|
| Description | This vulnerability is a SQL injection vulnerability in the user deletion interface of the Hospital Management System Website (source code address: https://github.com/nahiduddinahammed/Hospital-Management-System-Website). It is located in line 38 of the file D:\phpstudy_pro\WWW\Hospital-Management-System-Website-master/delete.php. The cause of the vulnerability is that the user input variable $ai is directly concatenated into the SQL DELETE statement without parameterization (original statement: DELETE FROM dashboard WHERE patient_id ='$ai'). Attackers can construct malicious inputs (e.g., ' OR '1'='1), which change the final SQL statement to DELETE FROM dashboard WHERE patient_id ='' OR '1'='1', thereby deleting all user data in the dashboard table. |
| Source | ⚠️ https://github.com/mhszed/Report/blob/main/SQL%20Injection%20Vulnerability%20in%20the%20Hospital-Management-System-Website%20Editor.docx |
| User | mahushuai (UID 91047) |
| Submission | 27/09/2025 02:55 PM (7 months ago) |
| Moderation | 05/10/2025 08:10 AM (8 days later) |
| Status | Approved |
| VulDB Entry | 327200 [nahiduddinahammed Hospital-Management-System-Website up to e6562429e14b2f88bd2139cae16e87b965024097 /delete.php ai SQL injection] |
| Points | 20 |
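The report only quotes the concatenated DELETE statement, not the surrounding code of delete.php. The example below is added here and is not code from the Hospital-Management-System-Website project: it reconstructs the described pattern (a raw `$ai` spliced into the query string) next to the prepared-statement form that fixes it. The function names, the `$_GET['ai']` read (the VulDB entry names the parameter `ai`), the mysqli connection and its credentials are assumptions; the table `dashboard` and column `patient_id` are taken from the report.

```php
<?php
// Added example, not the project's own delete.php. Assumptions: the "ai"
// request parameter is read from $_GET, $conn is an open mysqli connection,
// and the credentials below are placeholders.

// --- Vulnerable pattern as described in the report (kept only for contrast) ---
function deletePatientUnsafe(mysqli $conn, string $ai): bool
{
    // $ai becomes part of the SQL text, so a quote in the value rewrites the
    // WHERE clause; this is the root cause reported for delete.php line 38.
    $sql = "DELETE FROM dashboard WHERE patient_id ='$ai'";
    return $conn->query($sql);
}

// --- Hardened version: the value is bound as data, never parsed as SQL ---
function deletePatientSafe(mysqli $conn, string $ai): int
{
    $stmt = $conn->prepare('DELETE FROM dashboard WHERE patient_id = ?');
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $conn->error);
    }
    $stmt->bind_param('s', $ai);      // sent separately from the statement text
    $stmt->execute();
    $affected = $stmt->affected_rows; // an input like ' OR '1'='1 matches no id, so 0 rows
    $stmt->close();
    return $affected;
}

// Assumed call site: require the parameter and reject anything that is not a
// plain numeric id before the query is even prepared (defence in depth).
$ai = $_GET['ai'] ?? '';
if ($ai === '' || !ctype_digit($ai)) {
    http_response_code(400);
    exit('invalid patient id');
}

$conn = new mysqli('localhost', 'db_user', 'db_password', 'hospital_db'); // placeholder credentials
if ($conn->connect_error) {
    http_response_code(500);
    exit('database unavailable');
}

echo deletePatientSafe($conn, $ai) . " row(s) deleted";
```

The `ctype_digit` check assumes `patient_id` holds numeric identifiers; if the application uses another format, replace it with an equally strict allow-list. The prepared statement is the actual fix: with `bind_param` the payload quoted in the report is compared literally against `patient_id` and deletes nothing, whereas the concatenated form drops every row in `dashboard`.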