| Title | Kushan2k student-management-system 1.0 SQL Injection |
|---|
| Description | The certificate verification endpoint (`GradeController.php`) accepts a `nic` (National Identity Card) number via POST and passes it directly to the `getStatus()` method in `User.php`. That method embeds the input into an SQL query without any parameterisation or escaping:
```php
// config/User.php
$res = $this->db->query("... WHERE student.NIC={$index} OR student.student_id='{$index}' OR registrations.cetificate_no='{$index}'");
```
The resulting student ID is then written to the session and the user is redirected to the mycourse page:
```php
// controllers/GradeController.php
$nic = htmlspecialchars($_POST['nic']);
$id = $user->getStatus($nic);
if($id!=null && $id>0){
    $_SESSION['user_id'] = $id;
    header("Location:../view/mycourse.view.php",true);
}
```
An attacker can inject a boolean-based payload (e.g., `0 OR 1=1 --`) into the `nic` parameter. This alters the query to return the first student ID matching the always-true condition, thereby bypassing the intended certificate verification entirely. The session is then populated with that student's ID, and the attacker can view that student's personal information, enrolled courses, and other sensitive data. |
|---|
| Source | https://github.com/Kushan2k/student-management-system/issues/2 |
|---|
| User | ChenI (UID 98309) |
|---|
| Submission | 20/05/2026 08:23 AM (19 days ago) |
|---|
| Moderation | 07/06/2026 11:38 AM (18 days later) |
|---|
| Status | Accepted |
|---|
| VulDB Entry | 369095 [Kushan2k student-management-system up to f16a4ceaddd6729c4b306ed4641cda3176c1ef2a Certificate Verification Endpoint GradeController.php getStatus nic SQL injection] |
|---|
| Points | 20 |
|---|
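
The interpolated lookup in `getStatus()` beside a parameterised form, as an added example that is not the project's own code. The table and column names come from the description above; the in-memory SQLite schema, the sample rows, the `BASE` join standing in for the elided part of the query, and the two function names are assumptions.

```php
<?php
// Added example, not project code. Schema and rows are constructed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE student (student_id INTEGER PRIMARY KEY, NIC TEXT)");
$db->exec("CREATE TABLE registrations (student_id INTEGER, cetificate_no TEXT)");
$db->exec("INSERT INTO student VALUES (1, '900000001'), (2, '900000002')");
$db->exec("INSERT INTO registrations VALUES (1, 'CERT-0001'), (2, 'CERT-0002')");

// Assumed stand-in for the part of the query the page elides with "...".
const BASE = "SELECT student.student_id FROM student"
    . " LEFT JOIN registrations ON registrations.student_id = student.student_id";

// Pattern described on the page: the input becomes part of the SQL text.
function getStatusInterpolated(PDO $db, string $index): ?int {
    $res = $db->query(BASE . " WHERE student.NIC={$index}"
        . " OR student.student_id='{$index}'"
        . " OR registrations.cetificate_no='{$index}'");
    $id = $res->fetchColumn();
    return $id === false ? null : (int) $id;
}

// Hardened form: the SQL text is fixed and the input is bound as data only.
function getStatusPrepared(PDO $db, string $index): ?int {
    $stmt = $db->prepare(BASE . " WHERE student.NIC = :nic"
        . " OR student.student_id = :sid"
        . " OR registrations.cetificate_no = :cert");
    $stmt->execute([':nic' => $index, ':sid' => $index, ':cert' => $index]);
    $id = $stmt->fetchColumn();
    return $id === false ? null : (int) $id;
}

// First input is a constructed valid NIC; second is the payload quoted on the page.
foreach (['900000002', '0 OR 1=1 --'] as $input) {
    // Mirror the controller: htmlspecialchars() is applied before the lookup.
    $nic = htmlspecialchars($input);
    printf("%-12s interpolated=%s prepared=%s\n", $input,
        var_export(getStatusInterpolated($db, $nic), true),
        var_export(getStatusPrepared($db, $nic), true));
}
```

`htmlspecialchars()` leaves the second input unchanged because it contains no HTML metacharacters, so only the bound parameters in `getStatusPrepared()` keep it from being parsed as SQL; that function returns `NULL` for it, while the interpolated form returns a student ID.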