Submit #699245: code-projects Employee Profile Management System published November 15, 2025 SQL Injection

Title: code-projects Employee Profile Management System published November 15, 2025 SQL Injection
Description:

Summary

The vulnerability exists in multiple personnel-related components due to improper handling of user input. Several endpoints directly concatenate user-controlled parameters (per_id, dept_id, term, etc.) into SQL statements, allowing attackers to inject arbitrary SQL queries.

Root Cause

The application builds SQL strings using unsanitized variables (e.g., $_GET['per_id'], $_GET['term']) before calling PDO::prepare(). Because the SQL already contains attacker-controlled fragments before preparation, no parameter binding occurs, resulting in full SQL injection.

Example vulnerable pattern found in files such as view_personnel.php, edit_personnel.php, print_personnel_report.php, and delete_department.php:

    $sql = "SELECT * FROM personnel WHERE per_id = ".$_GET['per_id'];
    $stmt = $pdo->prepare($sql);
    $stmt->execute();

Reproduction

1. Navigate to a vulnerable page. For example:
   http://localhost/employee_profile/view_personnel.php?per_id=1

2. Inject SQL payload into the per_id parameter. Modify the request to:
   http://localhost/employee_profile/view_personnel.php?per_id=1' OR '1'='1--

3. Observe the returned data. The page will display multiple personnel records instead of a single record.

(Optional destructive test, local environment only)
   http://localhost/employee_profile/delete_department.php?dept_id=0 OR 1=1--
This causes a mass-delete operation.

Impact

This vulnerability allows attackers to:
- Bypass access control by retrieving all personnel data
- Read sensitive HR records across departments
- Modify or delete arbitrary database entries
- Potentially chain into full system compromise if SQL functions or file writes are permitted

Because the vulnerability exists in both view and delete operations, the impact ranges from information disclosure to complete data loss.
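The root cause above is that prepare() receives SQL text that already contains the user value, so there is nothing left to bind. The following is an added example (not code from the project or the submitter) placing the reported pattern next to a hardened version; it assumes a PDO handle $pdo, the personnel table named in the advisory, and a hypothetical department table for the delete endpoint.

```php
<?php
// Added example: vulnerable pattern from the advisory vs. a parameterised fix.
// Assumes an existing PDO connection; table `department` is a placeholder name.

// VULNERABLE: $_GET['per_id'] becomes part of the SQL text before prepare(),
// so an injected fragment is parsed as SQL and no binding ever happens.
function viewPersonnelVulnerable(PDO $pdo, array $get): array
{
    $sql  = "SELECT * FROM personnel WHERE per_id = " . $get['per_id'];
    $stmt = $pdo->prepare($sql);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// HARDENED: the statement text is a constant; the value is sent separately as
// a bound parameter, so "1' OR '1'='1--" is just a string that matches nothing.
function viewPersonnelSafe(PDO $pdo, array $get): array
{
    // Validate the type first: per_id must be a positive integer.
    $perId = filter_var($get['per_id'] ?? null, FILTER_VALIDATE_INT,
                        ['options' => ['min_range' => 1]]);
    if ($perId === false) {
        http_response_code(400);
        return [];
    }
    $stmt = $pdo->prepare("SELECT * FROM personnel WHERE per_id = :per_id");
    $stmt->bindValue(':per_id', $perId, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Same fix for the destructive endpoint. Binding dept_id removes the
// "0 OR 1=1" mass-delete; the caller should additionally require POST and a
// CSRF token (not shown) instead of a plain GET link.
function deleteDepartmentSafe(PDO $pdo, int $deptId): int
{
    $stmt = $pdo->prepare("DELETE FROM department WHERE dept_id = :dept_id");
    $stmt->bindValue(':dept_id', $deptId, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount(); // number of rows actually removed
}
```

Disabling emulated prepares ($pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false)) makes the server itself parse the statement before values arrive, which is the behaviour the fix relies on.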
Source: https://github.com/shenxianyuguitian/employee-management-SQL
User: xuanyuesanshi (UID 88126)
Submission: 21.11.2025 08:22 (5 months ago)
Moderation: 06.12.2025 18:19 (15 days later)
Status: Accepted
VulDB Entry: 334613 [code-projects Employee Profile Management System 1.0 /view_personnel.php per_id SQL Injection]
Points: 20