| Title | code-projects Interview Management System in PHP 1.0 SQL Injection |
|---|
| Description | A SQL injection vulnerability exists in the report viewing functionality of Interview Management System in PHP version 1.0.
The endpoint viewReport.php passes the GET parameter id to two methods in the View class. In both cases, $candId is concatenated directly into the SQL query string before the string is handed to PDO's prepare(). Because the user-controlled value is embedded in the query text before preparation, PDO's parameterization offers no protection:
In View::viewReport() (inc/classes/View.php):
    function viewReport(){
        // user-controlled value taken straight from the request
        $candId = $_GET['id'];
        // $candId is interpolated into the SQL text, so prepare() sees attacker-controlled SQL
        $sql = "select * from questions, reports, candidates where reports.cand_id = candidates.cand_id and reports.question_id = questions.question_id and reports.cand_id = $candId";
        $query = $this->db->simplequerywithoutcondition($sql);
In View::viewReportComment() (inc/classes/View.php):
    function viewReportComment(){
        $candId = $_GET['id'];
        // same pattern: the value is part of the query string before preparation
        $sql = "select * from comments where comments.cand_id = $candId";
        $query = $this->db->simplequerywithoutcondition($sql);
Both SELECT queries join multiple tables and expose full row data from the questions, reports, candidates, and comments tables. An attacker with valid credentials can use UNION-based injection to extract data from any other table in the database, including the user table containing login credentials. |
|---|
| Source | https://gist.github.com/c4ttr4ck/96ea33a23b47467051314fa704379336 |
|---|
| User | c4ttr4ck (UID 75518) |
|---|
| Submitted | 2026-06-02 20:21 (1 month ago) |
|---|
| Moderation | 2026-07-03 20:33 (1 month later) |
|---|
| Status | Duplicate |
|---|
| VulDB Entry | 205667 [SourceCodester Interview Management System 1.0 /viewReport.php identifier SQL injection] |
|---|
| Points | 0 |
|---|
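As an added example, not code from the Interview Management System project or from the gist above, the two View methods rewritten so that the candidate id is validated and bound as a typed PDO parameter instead of being interpolated into the query text. It assumes the View class receives a PDO instance directly (the project's db wrapper and its simplequerywithoutcondition() method are not shown on the page, so they are bypassed here).

```php
<?php
// Hardened form of View::viewReport() and View::viewReportComment().
// Assumption: a PDO connection is injected; the project's own wrapper is not used.

class View
{
    private PDO $pdo;

    public function __construct(PDO $pdo)
    {
        $this->pdo = $pdo;
        // Real server-side prepares: the bound value never becomes part of the SQL text.
        $this->pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
        $this->pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    }

    // Validate before querying: cand_id must be a positive integer, anything else is rejected.
    private function candidateId(): int
    {
        $id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
        if ($id === false || $id === null) {
            throw new InvalidArgumentException('invalid candidate id');
        }
        return $id;
    }

    public function viewReport(): array
    {
        // Same join as the original query, with a named placeholder instead of "$candId".
        $sql = 'SELECT * FROM questions, reports, candidates'
             . ' WHERE reports.cand_id = candidates.cand_id'
             . ' AND reports.question_id = questions.question_id'
             . ' AND reports.cand_id = :cand_id';
        $stmt = $this->pdo->prepare($sql);
        $stmt->bindValue(':cand_id', $this->candidateId(), PDO::PARAM_INT);
        $stmt->execute();
        return $stmt->fetchAll(PDO::FETCH_ASSOC);
    }

    public function viewReportComment(): array
    {
        $stmt = $this->pdo->prepare('SELECT * FROM comments WHERE comments.cand_id = :cand_id');
        $stmt->bindValue(':cand_id', $this->candidateId(), PDO::PARAM_INT);
        $stmt->execute();
        return $stmt->fetchAll(PDO::FETCH_ASSOC);
    }
}
```

The integer validation is defence in depth; the binding alone already keeps the value out of the SQL text, which is the property the original code lacks.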