| शीर्षक | code-projects Online Voting System in PHP 1.0 SQL Injection |
|---|
| विवरण | A SQL Injection vulnerability exists in the vote submission functionality of Online Voting System in PHP version 1.0.
The endpoint saveVote.php is publicly accessible without authentication and processes voter data through a test_input() function that applies htmlspecialchars() without the ENT_QUOTES flag, leaving single quotes unescaped. All four POST parameters are directly concatenated into an INSERT query:
$name= test_input($_POST["voterName"]);
$email= test_input($_POST["voterEmail"]);
$voterID= test_input($_POST["voterID"]);
$selection= test_input($_POST["selectedCandidate"]);
$sql= "INSERT INTO db_evoting.tbl_users VALUES(null,'".$name."','".$email."','".$voterID."','".$selection."');";
An unauthenticated attacker can manipulate the SQL logic to insert arbitrary records into the voter table, inject malicious data, or cause database errors by breaking the query structure. |
|---|
| स्रोत | ⚠️ https://gist.github.com/c4ttr4ck/a29b2238099fa07b4f072c21123b55ef |
|---|
| उपयोगकर्ता | c4ttr4ck (UID 75518) |
|---|
| सबमिशन | 02/06/2026 08:18 PM (1 महीना पहले) |
|---|
| संयम | 03/07/2026 08:31 PM (1 month later) |
|---|
| स्थिति | स्वीकृत |
|---|
| VulDB प्रविष्टि | 376162 [code-projects Online Voting System 1.0 /saveVote.php test_input voterName/voterEmail/voterID/selectedCandidate SQL इंजेक्शन] |
|---|
| अंक | 20 |
|---|