| Título | SourceCodester AC Repair and Services System v1.0 SQL Injection |
|---|
| Descripción | A SQL Injection vulnerability has been identified in the php-acrss application within the delete_inquiry function. The vulnerable code directly interpolates user-controlled input into an SQL query without proper validation or parameterization. This flaw allows an authenticated—and in some configurations unauthenticated—attacker to manipulate the underlying database.
File: php-acrss/classes/Master.php
Function: delete_inquiry
Line: 154
The delete_inquiry function constructs an SQL query by concatenating the $id parameter directly into the statement:
$del = $this->conn->query("DELETE FROM inquiry_list where id = '{$id}'");
Because the input is neither sanitized nor validated, a malicious user can inject arbitrary SQL payloads via the id parameter. This can lead to unauthorized deletion of database records or execution of additional SQL commands depending on the database permissions. |
|---|
| Fuente | ⚠️ https://github.com/regrews/cve-vulnerabilities/issues/1 |
|---|
| Usuario | regrews (UID 92696) |
|---|
| Sumisión | 2025-11-17 14:22 (hace 5 meses) |
|---|
| Moderación | 2025-11-22 17:55 (5 days later) |
|---|
| Estado | Duplicado |
|---|
| Entrada de VulDB | 234223 [SourceCodester AC Repair and Services System 1.0 HTTP POST Request Master.php?f=delete_inquiry ID inyección SQL] |
|---|
| Puntos | 0 |
|---|