| タイトル | SourceCodester AC Repair and Services System v1.0 SQL Injection |
|---|
| 説明 | A SQL Injection vulnerability has been identified in the php-acrss application within the delete_inquiry function. The vulnerable code directly interpolates user-controlled input into an SQL query without proper validation or parameterization. This flaw allows an authenticated—and in some configurations unauthenticated—attacker to manipulate the underlying database.
File: php-acrss/classes/Master.php
Function: delete_inquiry
Line: 154
The delete_inquiry function constructs an SQL query by concatenating the $id parameter directly into the statement:
$del = $this->conn->query("DELETE FROM inquiry_list where id = '{$id}'");
Because the input is neither sanitized nor validated, a malicious user can inject arbitrary SQL payloads via the id parameter. This can lead to unauthorized deletion of database records or execution of additional SQL commands depending on the database permissions. |
|---|
| ソース | ⚠️ https://github.com/regrews/cve-vulnerabilities/issues/1 |
|---|
| ユーザー | regrews (UID 92696) |
|---|
| 送信 | 2025年11月17日 14:22 (5 月 ago) |
|---|
| モデレーション | 2025年11月22日 17:55 (5 days later) |
|---|
| ステータス | 重複 |
|---|
| VulDBエントリ | 234223 [SourceCodester AC Repair and Services System 1.0 HTTP POST Request Master.php?f=delete_inquiry 識別子 SQLインジェクション] |
|---|
| ポイント | 0 |
|---|