Submit #836629: imvks786 student_management_system 1.0 SQL Injectioninfo

Titelimvks786 student_management_system 1.0 SQL Injection
BeschreibungThe application contains SQL injection vulnerabilities throughout nearly all database interaction points. User‑supplied input from `$_GET` and `$_POST` is concatenated directly into SQL queries without any parameterisation, escaping, or validation. This allows an attacker to manipulate query logic, leading to: - **Authentication bypass** – log in as any user (including administrators) without valid credentials. - **Unauthorised data deletion** – delete student records via `see.php?del=...`. - **Unauthorised permission changes** – modify user roles via `admin/user_permission.php`. - **Sensitive data exposure** – extract arbitrary data from the database using UNION‑based or blind techniques. ### Affected Code Examples **1. Login bypass (department login):** ```php // index.php $usr = $_POST['usr']; $pwd = $_POST['pwd']; $ret = mysqli_query($con, "SELECT * FROM login WHERE username='$usr' AND password='$pwd' "); ```
Quelle⚠️ https://github.com/imvks786/student_management_system/issues/1
Benutzer
 Amoda (UID 98400)
Einreichung25.05.2026 05:55 (vor 16 Tagen)
Moderieren07.06.2026 21:53 (14 days later)
StatusAkzeptiert
VulDB Eintrag369147 [imvks786 student_management_system bis 9599b560ad3c3b83e75d328b76bedcd489ef1f46 Login /index.ph usr/pwd SQL Injection]
Punkte20

ZurückÜbersichtWeiter

Want to stay up to date on a daily basis?

Enable the mail alert feature now!