| Title | code-projects Social Networking Site in PHP 1.0 SQL Injection |
|---|
| Description | The Social Networking Site in PHP version 1.0 is affected by a SQL injection vulnerability in the delete_photos.php component. The vulnerability exists because the application does not validate or sanitize the user-supplied id parameter before incorporating it into backend SQL queries.
The affected endpoint processes HTTP GET requests and uses the value of the id parameter directly within a SQL statement that deletes photo records from the database. Because the parameter is inserted into the query without input validation or parameter binding, an attacker can alter the statement by injecting crafted SQL expressions.
Testing confirmed that the parameter is vulnerable to time-based (blind) SQL injection: a request containing a database delay function measurably increases the server's response time, which shows that the injected expression is evaluated by the database engine. Because the affected statement deletes rows, a time-based probe is the appropriate confirmation method; test payloads must not widen the WHERE clause (for instance with an OR tautology), since the statement would then delete every photo record.
An attacker can exploit this issue remotely by sending crafted HTTP requests to the vulnerable endpoint. Successful exploitation allows execution of arbitrary SQL commands in the context of the application's database connection. Depending on the privileges granted to that database account, this may result in unauthorized database access, disclosure of sensitive data, modification or deletion of records, or further compromise of the affected system.
The vulnerability affects the id parameter of the following endpoint:
/social_networking_site/delete_photos.php
The root cause is the direct use of user-controlled input in SQL queries without input validation or parameter binding. |
|---|
| Source | https://github.com/ahmadmarz10-hub/CVEsMarz/blob/main/SQL%20Injection%20in%20Social%20Networking%20Site%20v1.0%20delete_photos.php.md |
|---|
| User | AhmadMarzook (UID 96211) |
|---|
| Submission | 11/03/2026 18:48 (22 days ago) |
|---|
| Moderation | 27/03/2026 09:51 (16 days later) |
|---|
| Status | Accepted |
|---|
| VulDB Entry | 353857 [code-projects Social Networking Site 1.0 Endpoint delete_photos.php ID SQL Injection] |
|---|
| Points | 20 |
|---|
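The following is an added illustration of the flaw class described in the advisory and of its fix; it is not the project's own delete_photos.php (the report does not reproduce the affected code), and everything in it is assumed: the exact shape of the vulnerable DELETE statement, a MySQL/MariaDB backend accessed through mysqli, a `photos` table with integer `id` and `user_id` columns, a session that stores `user_id`, and the connection credentials. The "before" query is shown in a comment so that the file itself runs the hardened version only.

```php
<?php
// Added example for this advisory. NOT the project's delete_photos.php, which
// the report does not reproduce. Assumed: MySQL/MariaDB via mysqli, a `photos`
// table with integer `id` and `user_id` columns, a session holding `user_id`,
// and hypothetical connection credentials.

declare(strict_types=1);

/*
 * Vulnerable pattern (assumed shape, matching the advisory's description of
 * a GET id parameter concatenated into a DELETE statement):
 *
 *   $id  = $_GET['id'];
 *   $sql = "DELETE FROM photos WHERE id = $id";
 *   mysqli_query($conn, $sql);
 *
 * A request such as
 *   GET /social_networking_site/delete_photos.php?id=1 AND SLEEP(5)
 * turns the statement into
 *   DELETE FROM photos WHERE id = 1 AND SLEEP(5)
 * The database evaluates SLEEP(5) and the response arrives about five
 * seconds late, which is the time-based confirmation the report describes.
 * SLEEP() returns 0, so the AND condition is false and the row is kept.
 * Never widen the WHERE clause (e.g. with an OR tautology) when probing a
 * DELETE: that would remove every row in the table.
 */

session_start();
if (empty($_SESSION['user_id'])) {
    http_response_code(403);
    exit('login required');
}

// Hypothetical connection parameters.
$conn = new mysqli('localhost', 'app_user', 'app_password', 'social_networking_site');
$conn->set_charset('utf8mb4');

// 1. Validate the type at the edge: a photo id is a positive integer, nothing
//    else. filter_input() returns null when the parameter is absent and false
//    when it fails validation; both are rejected before any SQL is built.
$id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
if ($id === null || $id === false) {
    http_response_code(400);
    exit('invalid id');
}

// 2. Bind the value instead of interpolating it. The driver sends the
//    parameter separately from the SQL text, so it can never be parsed as SQL.
// 3. Scope the delete to the logged-in owner (defensive hardening; the
//    advisory reports an injection flaw, not an authorization flaw).
$stmt = $conn->prepare('DELETE FROM photos WHERE id = ? AND user_id = ?');
$stmt->bind_param('ii', $id, $_SESSION['user_id']);
$stmt->execute();

if ($stmt->affected_rows === 0) {
    http_response_code(404);
    exit('photo not found');
}

$stmt->close();
$conn->close();
echo 'photo deleted';
```

To reproduce the timing check against a test instance, compare `curl -s -o /dev/null -w '%{time_total}\n'` for a baseline request with a valid id against the same request carrying the `AND SLEEP(5)` suffix (URL-encoded); against the hardened version the second request is rejected with HTTP 400 and no delay, because `1 AND SLEEP(5)` is not an integer.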